Deploying a GWLB Security VPC for Transit Gateway

This section details the steps to deploy a CloudGuard Network Security VPC with Gateway Load Balancer for Transit Gateway.

Steps 1-8 describe how to configure a GWLB Security VPC for TGW east-west and outbound traffic inspection. To add inbound inspection to your Spoke VPCs with GWLB, see (Optional) Configure Inbound Traffic to Spoke VPCs.

The Security VPC CloudFormation Template for Transit Gateway deploys a CloudGuard Network Auto Scaling Group, a Gateway Load Balancer, Gateway Load Balancer Endpoints, NAT Gateways for each AZ, and an optional Security Management Server into a new VPC.

Step 1: Prepare your AWS Account

Before you begin, make sure to do these steps.

To prepare your AWS account:

If you do not already have an AWS account, create one in AWS.
Use the region selector in the navigation bar to select the AWS region where you want to deploy Check Point CloudGuard Network Auto Scaling on AWS.
Create a key pair in your preferred region.
If necessary, request a service limit increase for the AWS resources that you plan to use.

By default, this Deployment guide uses:
- c5.xlarge for the Security Gateways
- m5.xlarge for the Security Management Server.

Step 2: Subscribe to Check Point CloudGuard Network Security

To deploy the Check Point GWLB solution:

If you want to deploy a Check Point CloudGuard Security Management Server, then subscribe to Check Point CloudGuard Network Security with these steps:

Log in to AWS Marketplace.
Select one of these licensing options for the CloudGuard Network Security for Gateway Load Balancer:
- For R81.20 and higher:
- For R80.40:
Select Continue to subscribe.
To confirm that you accept the AWS Marketplace license agreement, select Accept Terms.

If you want to deploy a Check Point CloudGuard Network Security Management Server, then subscribe to:

Step 3: Deploy the Check Point Security Management Server (SMS)

Use one of these options to deploy the Check Point SMS:

Deploying a New SMS with a Management CloudFormation Template

Using the Existing On-Premises SMS or the SMS in AWS

Deploying a Dedicated SMS as Part of the Security VPC

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the SMS separately as described in sk130372, and continue to "Using the Existing On Premises Security Management Server or the Security Management Server in AWS".

Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

You can use an existing on premises or AWS Security Management Server instance.

In AWS VPC Console, configure the required permissions for the Security Management Server:

Copy

Required Permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*",
      "Effect": "Allow"
       }
  ]
}

Deploying a Dedicated Security Management Server as Part of the Security VPC

The Solution CloudFormation Template has the option to create a dedicated Security Management Server as part of the deployment.

Step 4: Deploy the GWLB Security VPC for Transit Gateway

This step details the necessary procedure for deploying the Check Point CloudGuard Security Gateway Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

To deploy the Auto Scaling group configured for GWLB, select a CloudFormation template for a new or existing VPC. Then, follow the instructions in this section on how to deploy the solution. Finally, examine and test the deployment.

CloudFormation (CFT) Template	Description
Auto Scaling group for Gateway Load Balancer with a new VPC	Creates a new VPC and deploys a GWLB, Check Point CloudGuard Security Gateway Auto Scaling Group, Gateway Load Balancer Endpoints, NAT Gateways for each AZ and optionally a Security Management Server.
Auto Scaling group for Gateway Load Balancer into existing VPC	Deploys a GWLB, Check Point CloudGuard Security Gateway Auto Scaling Group, Gateway Load Balancer Endpoints, NAT Gateways for each AZ and optionally a Security Management Server into an existing VPC.

Parameters for Deploying an Auto Scaling Group with a GWLB into a New VPC for Transit Gateway

Parameter Name	Default Value	Description
`Availability Zones`	Requires input	List of Availability Zones (AZs) to use for the subnets in the VPC, select a minimum of two.
`Number of AZs`	2	Number of AZs to use in the VPC. This must match your selections from the list of AZs parameter.
`VPC CIDR`	10.0.0.0/16	CIDR block for the VPC
`Public Subnet 1 CIDR`	10.0.10.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Public Subnet 2 CIDR`	10.0.20.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Public Subnet 3 CIDR`	10.0.30.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Public Subnet 4 CIDR`	10.0.40.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`TGW Subnet 1 CIDR`	10.0.12.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`TGW Subnet 2 CIDR`	10.0.22.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`TGW Subnet 3 CIDR`	10.0.32.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`TGW Subnet 4 CIDR`	10.0.42.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`NAT Subnet 1 CIDR`	10.0.13.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`NAT Subnet 2 CIDR`	10.0.23.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`NAT Subnet 3 CIDR`	10.0.33.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`NAT Subnet 4 CIDR`	10.0.43.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Gateway Load Balancer Endpoint subnet 1 CIDR`	10.0.14.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Gateway Load Balancer Endpoint subnet 2 CIDR`	10.0.24.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Gateway Load Balancer Endpoint subnet 3 CIDR`	10.0.34.0/24	CIDR block parameter must be in the form x.x.x.x/16-28
`Gateway Load Balancer Endpoint subnet 4 CIDR`	10.0.44.0/24	CIDR block parameter must be in the form x.x.x.x/16-28

General Settings:

Parameter Name	Default Value	Description
`Key name`	Requires input	The EC2 key pair to allow SSH access to the instances created by this stack.
`Enable Environment Volume Encryption`	True	Encrypted Environment instances volume with default AWS Key Management Service (KMS) key.
`Enable AWS Instance Connect`	False	Enable SSH connection over AWS web console.
`Allow Upload & Download`	True	Automatically download Software Blade Contracts and other important data, and improves product experience by sending data to Check Point.
`Management Server`	gwlb-management server	The name that represents the Security Management Server in the automatic provisioning configuration.
`Configuration template`	gwlb-ASG-configuration	A name of a gateway configuration template in the automatic provisioning configuration.
`Email Address`	Optional	(Optional) Notifications about scaling events are sent to this email address.
`Admin Shell`	/etc/cli.sh	Changes the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server (if deployed).

Gateway Load Balancer Configuration:

Parameter Name	Default Value	Description
Gateway Load Balancer `Name`	gwlb1	Gateway Load Balancer's name. This name must be unique in your AWS account. The name can have a maximum of 32 alphanumeric characters and hyphens. Important - A name cannot begin or end with a hyphen.
`Target Group Name`	tg1	Target group name. This name must be unique in your AWS account. The name can have a maximum of 32 alphanumeric characters and hyphens. Important - A name cannot begin or end with a hyphen.
`Enable Cross Zone Load Balancing`	True	To enable Cross-AZ Load Balancing, select true. Important - This can cause an increase in Cross-AZ charges.

Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration:

Parameter Name	Default Value	Description
`Gateways Instance Name`	Check Point Gateway	The name tag of the Security Gateways instances (optional)
`Gateways Instance Type`	c5.xlarge	The EC2 instance type for the Security Gateways.
`Minimum Group Size`	2	The minimal number of Security Gateways.
`Maximum Group Size`	10	The maximal number of Security Gateways.
`Gateways Version & License`	R80.40-BYOL	The version and license to install on the Security Gateways.
`Gateways Password Hash`	Optional	(Optional) Admin user's password hash (use the command "`openssl passwd -6 PASSWORD`" to get the password's hash).
`Gateways SIC Key`	Requires input	The SIC key creates trusted connections between Check Point components. Select a random string that consists of a minimum of 8 alphanumeric characters.
`Gateways addresses`	Private	Determines if the provisioned gateways use their private or public address.
`CloudWatch Metrics`	False	Reports Check Point specific CloudWatch metrics.

Note -To learn more about How to use custom Check Point metrics to trigger AWS Auto-Scaling events, refer to sk162592

Check Point CloudGuard Network Security Management Server Configuration:

Parameter Name	Default Value	Description
`Deploy Management Server`	True	Select false to use an existing Security Management Server, or to deploy one later and to ignore the other parameters of this section.
`Management Instance Type`	m5.xlarge	The EC2 instance type of the Security Management Server.
`Management Version & License`	R80.40-BYOL	The license to install on the Security Management Server.
`Management Password Hash`	Optional	(Optional) Admin user's password hash (use the command "`openssl passwd -6 PASSWORD`" to get the password's hash).
Security Policy	Standard	The name of the Security Policy package to be installed on the gateways in the Security Auto Scaling Group.
`Administrator Addresses`	Requires input	Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
`Manage Gateways`	Locally managed	If any of the gateways, that you want to manage, are not directly accessed through their private IP address, then select Over the internet.
`Gateways Addresses`	Requires input	Allows gateways only from this network to communicate with the Security Management Server.

Important - As the External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard Network Security Gateways, port 8117 must be open on the Gateways.

Step 5: Configure the Check Point Security Management Server

Install and Configure CME

Important - If you have an existing configuration for a different Check Point CloudGuard Network solution, make sure not to initialize your configuration. Instead, add the Controller or Template for the GWLB solution with the applicable configuration.

This utility configures the Check Point Security Management Server with all the settings needed for GWLB:

To configure the autoprov_cfg Utility:

Connect to the command line on the Check Point Security Management Server.
Log in to the Expert mode.

Run all the commands below

Commands and their options:

Initialize the autoprov_cfg configuration with IAM credentials:

autoprov_cfg init AWS -mn "<MANAGEMENT-NAME>" -tn "<TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver R80.40 -po "<POLICY-NAME>" -cn "<CONTROLLER-NAME>" -r "<REGIONS>" -iam

Initialization Options:
- -mn - Specifies the name of the Security Management Server
- -tn - Specifies the template name
- -otp - Specifies the one-time SIC password
- -ver - Specifies the Gateway version
- -po - Specifies the name of the policy package
- -cn - Specifies the name of the Controller
- -r - Specifies the list of regions, separated by commas
- -iam - Specifies to use IAM to connect to AWS

Show the autoprov_cfg configuration:

To make sure all the configurations are correct, run:

autoprov_cfg show all

To make the configuration is correct, run:

service cme test

Important - Make sure there are no errors.

Step 6: Post Deployment - Attach the Security VPC to the Transit Gateway

Create a Security Gateway VPC Attachment with the Security VPC:

In the AWS Web Console, open the VPC service and navigate to Transit Gateway Attachments.
Create a new VPC attachment with your Transit Gateway and the Security VPC.

Important – After the setup is complete, right-click on the attachment to modify and set the attachment subnets for all relevant Availability Zones to the ‘TGW Subnets, which were created by the CFT in the Security VPC.

For more information, see Amazon documentation.

Create and configure the Transit Gateway Route Table:

In the AWS Web Console, open the VPC service and navigate to Transit Gateway Route Tables.
Create a new route table for the Transit Gateway to handle traffic from the Security VPC, use: Check-Point-rtb.
On the Check-Point-rtb, create a route table association to the Security-VPC-attachment.
In the Check-Point-rtb, create a route table propagation to all your Spoke VPC-attachments.
Use an existing, or create a new route table for the Transit Gateway to handle traffic from the Spoke VPCs, use Spoke-rtb.
On the Spoke-rtb, create a route table association to the Spoke VPCs.
On the Spoke-rtb, create a static route 0.0.0.0/0 > Security VPC attachment to direct all traffic through the Security VPC for inspection.

Step 7: Post Deployment- Add Routes to Spoke VPCs CIDRs

The CFTs manage default routing and Security-VPC specific routing, but not Consumer-specific environment (Spoke) routing. As each consumer environment is unique, consumers must add their own routing information into the Security VPC route tables in two specific locations. It is necessary to do this to allow TGW VPC to VPC inspection, VPC to ground inspection, or any other Inter-VPC inspection.

The consumer must add consumer specific routes to:

GWLBe subnet's route tables
NAT Gateways subnet's route tables

Consumer specific routes must be added for any Inter-VPC routing, or VPC-ground routing done by DirectConnect or other VPN connectivity.

For each Spoke VPC CIDR, add these routes to all GWLBe Subnets Route Tables:

Destination	Next Hop
Spoke VPC-1 CIDR	Transit Gateway
Spoke VPC-2 CIDR	Transit Gateway
...	...
Spoke VPC-N CIDR	Transit Gateway

For each Spoke VPC CIDR, add the route(s) that follow to all NAT Gateway Subnets Route Tables that directs to the GWLBe (vpc-id) in the corresponding Availability Zone:

To NAT Gateway 1 in AZ-A Route Table, add:

Destination	Next Hop
Spoke VPC-1 CIDR	GWLBe-AZ-A
Spoke VPC-2 CIDR	GWLBe-AZ-A
...	...
Spoke VPC-N CIDR	GWLBe-AZ-A

To NAT Gateway 2 in AZ-B Route Table, add: GWLBe-AZ-B

Destination	Next Hop
Spoke VPC-1 CIDR	GWLBe-AZ-B
Spoke VPC-2 CIDR	GWLBe-AZ-B
...	...
Spoke VPC-N CIDR	GWLBe-AZ-B

Best Practice - Care must be taken to manage these route tables, and we recommend to group together similar subnets into supernet routes whenever possible.

Example: Subnets 10.1.1.0/24, 10.1.2.0/24, …10.1.255.0/24 can be grouped as a single supernet: 10.1.0.0/16

Step 8: Enable Transit Gateway Appliance Mode

The TGW Appliance Mode allows traffic inspection to happen on different AZ's than the traffic is sourced from or destined to.

With the AWS Transit Gateway Appliance Mode, you have the ability to specify attachments that should forward network flows out of the same AZ regardless of the flow's direction and from what availability zone it originated. The AWS Transit Gateway Appliance Mode ensures that network flows are symmetrically routed to the same AZ and network appliance. For more information AWS Transit Gateway Appliance Mode, go to this link.

To set Gateway Appliance Mode on the Security VPC attachment, use this AWS CLI command with the latest version of AWS CLI v2:

aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <tgw-attach-xyx> --options ApplianceModeSupport="enable"

(Optional) Configure Inbound Traffic to Spoke VPCs

The architecture as described in the Introduction "Solution 2 – A GWLB Security VPC for Transit Gateway", handles outbound and east-west (Spoke-to-Spoke) traffic only.

Prerequisites:

The Application instances in the Spoke VPC must be targets of an External Load Balancer.
Place the Load Balancer in separate subnets than the Application instances subnets.

To allow your environment's inbound traffic inspection to pass through the GWLB as described in this diagram, do these steps:

Create a separate subnet dedicated for the GWLBe in the Spoke VPC with a default route through the AWS Internet Gateway (IGW).

Create the Gateway Load Balancer Endpoint (GWLBe) in the subnet you created in the previous step. To do this with the AWS CLI, run:

AWS CLI Command:

aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --service-name com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567 --vpc-id spoke-vpc-id --subnet-ids gwlbe-subnet-id

Note - Find the Service Name in the CloudFormation outputs ‘GWLBServiceName' parameter.

For more information about Gateway Load Balancer Endpoints, see the AWS VPC Gateway Load Balancer documentation.

Configure Ingress Routing through the GWLBe on the Load Balancer subnets' Route Table and the Internet Gateway Route Table.

For more information about ingress routing and edge routing tables, see New VPC Ingress Routing Simplifying Integration of Third-Party Appliances.

Note - The Load Balancer subnets' Route Table must be a separate Route Table than the Application instances' Route Table.

Termination

To terminate the environment, do these steps:

Delete the TGW VPC association from each place that it is used.
Delete the Security VPC CFT Stack.