Deploying a GWLB Security VPC for Transit Gateway

This section details the steps to deploy a CloudGuard Network Security VPC with Gateway Load Balancer for Transit Gateway.

Steps 1-8 describe how to configure a GWLB Security VPC for TGW east-west and outbound traffic inspection. To add inbound inspection to your Spoke VPCs with GWLB, see (Optional) Configure Inbound Traffic to Spoke VPCs.

The Security VPC CloudFormation Template for Transit Gateway deploys a CloudGuard Network Auto Scaling Group, a Gateway Load Balancer, Gateway Load Balancer Endpoints, NAT Gateways for each AZ, and an optional Security Management Server into a new VPC.

Step 1: Prepare your AWS Account

Before you begin, make sure to do these steps.

To prepare your AWS account:

  1. If you do not already have an AWS account, create one in AWS.

  2. Use the region selector in the navigation bar to select the AWS region where you want to deploy Check Point CloudGuard Network Auto Scaling on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources that you plan to use.

    By default, this Deployment guide uses:

    • c5.xlarge for the Security Gateways

    • m5.xlarge for the Security Management Server.

Step 2: Subscribe to Check Point CloudGuard Network Security

To deploy the Check Point GWLB solution:

If you want to deploy a Check Point CloudGuard Security Management Server, then subscribe to Check Point CloudGuard Network Security with these steps:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for the CloudGuard Network Security for Gateway Load Balancer:

  3. Select Continue to subscribe.

  4. To confirm that you accept the AWS Marketplace license agreement, select Accept Terms.

If you want to deploy a Check Point CloudGuard Network Security Management Server, then subscribe to:

Step 3: Deploy the Check Point Security Management Server (SMS)

Use one of these options to deploy the Check Point SMS:

  • Deploying a New SMS with a Management CloudFormation Template

  • Using the Existing On-Premises SMS or the SMS in AWS

  • Deploying a Dedicated SMS as Part of the Security VPC

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the SMS separately as described in sk130372, and then continue with "Using the Existing On-Premises Security Management Server or the Security Management Server in AWS".

Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

You can use an existing on-premises or AWS Security Management Server instance.

In AWS VPC Console, configure the required permissions for the Security Management Server:

Required Permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
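The policy above is read-only: every action is a Describe call, which is all the Security Management Server needs to discover gateways behind the load balancer. When the permissions are granted through a role that already exists, it is worth checking that the role grants exactly this set and nothing broader. The following script is an added example, not part of this guide or of Check Point's tooling: it parses an IAM policy document, reports required actions that are not granted, and reports any granted action outside the required read-only set (a wildcard such as ec2:* satisfies the requirement but is flagged as excess). The policy texts are embedded inline; GUIDE_POLICY is the document shown above and BROAD_POLICY is a constructed over-broad one. The check only looks at Allow statements with Action; NotAction and Deny statements are not evaluated.

```python
import fnmatch
import json

# The read-only actions the guide lists as required for the Security Management Server.
REQUIRED_ACTIONS = {
    "autoscaling:DescribeAutoScalingGroups",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeTargetHealth",
}

# The policy document exactly as the guide gives it.
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Effect": "Allow",
    }],
})

# Constructed example of a broader policy: wildcards, and the Auto Scaling action left out.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:*", "elasticloadbalancing:Describe*"],
        "Resource": "*",
        "Effect": "Allow",
    }],
})


def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect every action granted by Allow statements (NotAction/Deny are ignored)."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions.update(_as_list(stmt.get("Action", [])))
    return actions


def check_policy(policy_json):
    """Return (missing, excess).

    missing: required actions that no literal or wildcard entry grants.
    excess:  granted entries that are not themselves in the required set;
             wildcards always land here because they grant more than needed.
    IAM action names are case-insensitive, so matching is done in lower case.
    """
    granted = allowed_actions(json.loads(policy_json))
    granted_lc = {g.lower() for g in granted}
    wildcards = [g for g in granted_lc if "*" in g]
    required_lc = {r.lower() for r in REQUIRED_ACTIONS}

    missing = [
        r for r in REQUIRED_ACTIONS
        if r.lower() not in granted_lc
        and not any(fnmatch.fnmatchcase(r.lower(), w) for w in wildcards)
    ]
    excess = [g for g in granted if g.lower() not in required_lc]
    return sorted(missing), sorted(excess)


if __name__ == "__main__":
    for name, doc in (("guide policy", GUIDE_POLICY), ("broad policy", BROAD_POLICY)):
        missing, excess = check_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

"Resource": "*" is expected here: the EC2 and Elastic Load Balancing Describe actions do not support resource-level permissions, so the scope is reduced by keeping the action list tight rather than by narrowing the resource.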

Deploying a Dedicated Security Management Server as Part of the Security VPC

The Solution CloudFormation Template has the option to create a dedicated Security Management Server as part of the deployment.

Step 4: Deploy the GWLB Security VPC for Transit Gateway

This section explains how to deploy a GWLB with a Check Point Auto Scaling Group and an optional Management Server in a new Security VPC.

CloudFormation (CFT) Template

Description

Gateway Load Balancer (GWLB) Auto Scaling Group for Transit Gateway

Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Transit Gateway environment.

Creates a new VPC and deploys a GWLB, an Auto Scaling Group, an optional Security Management Server, GWLB Endpoints, and NAT Gateways into the VPC.

Parameters for Deploying an Auto Scaling Group with a GWLB into a New VPC for Transit Gateway

Parameter Name | Default Value | Description
Availability Zones | Requires input | List of Availability Zones (AZs) to use for the subnets in the VPC. Select a minimum of two.
Number of AZs | 2 | Number of AZs to use in the VPC. This must match the number of AZs selected in the Availability Zones parameter.
VPC CIDR | 10.0.0.0/16 | CIDR block for the VPC.
Public Subnet 1 CIDR | 10.0.10.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Public Subnet 2 CIDR | 10.0.20.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Public Subnet 3 CIDR | 10.0.30.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Public Subnet 4 CIDR | 10.0.40.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
TGW Subnet 1 CIDR | 10.0.12.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
TGW Subnet 2 CIDR | 10.0.22.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
TGW Subnet 3 CIDR | 10.0.32.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
TGW Subnet 4 CIDR | 10.0.42.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
NAT Subnet 1 CIDR | 10.0.13.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
NAT Subnet 2 CIDR | 10.0.23.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
NAT Subnet 3 CIDR | 10.0.33.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
NAT Subnet 4 CIDR | 10.0.43.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Gateway Load Balancer Endpoint subnet 1 CIDR | 10.0.14.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Gateway Load Balancer Endpoint subnet 2 CIDR | 10.0.24.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Gateway Load Balancer Endpoint subnet 3 CIDR | 10.0.34.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
Gateway Load Balancer Endpoint subnet 4 CIDR | 10.0.44.0/24 | CIDR block parameter; must be in the form x.x.x.x/16-28.
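The template accepts any CIDR in the x.x.x.x/16-28 form for each subnet, but the stack only deploys cleanly when every subnet lies inside the VPC CIDR and no two subnets overlap. The following pre-flight check is an added example, not part of the CloudFormation template or of Check Point's tooling: it takes the VPC CIDR and the subnet parameters as a plain dictionary, verifies the x.x.x.x/16-28 form, rejects CIDRs with host bits set, and reports any subnet outside the VPC or overlapping another one. SUBNET_DEFAULTS holds the default values from the table above; BAD_PLAN is a constructed plan with one of each kind of error.

```python
import ipaddress
import re

# Default subnet plan from the table above (all four AZ columns included).
VPC_CIDR = "10.0.0.0/16"
SUBNET_DEFAULTS = {
    "Public Subnet 1": "10.0.10.0/24", "Public Subnet 2": "10.0.20.0/24",
    "Public Subnet 3": "10.0.30.0/24", "Public Subnet 4": "10.0.40.0/24",
    "TGW Subnet 1": "10.0.12.0/24", "TGW Subnet 2": "10.0.22.0/24",
    "TGW Subnet 3": "10.0.32.0/24", "TGW Subnet 4": "10.0.42.0/24",
    "NAT Subnet 1": "10.0.13.0/24", "NAT Subnet 2": "10.0.23.0/24",
    "NAT Subnet 3": "10.0.33.0/24", "NAT Subnet 4": "10.0.43.0/24",
    "GWLBe Subnet 1": "10.0.14.0/24", "GWLBe Subnet 2": "10.0.24.0/24",
    "GWLBe Subnet 3": "10.0.34.0/24", "GWLBe Subnet 4": "10.0.44.0/24",
}

# Constructed plan with one error of each kind the check detects.
BAD_PLAN = {
    "Public Subnet 1": "10.0.10.0/24",
    "Public Subnet 2": "10.0.10.1/24",     # host bits set
    "TGW Subnet 1": "10.0.10.128/25",      # overlaps Public Subnet 1
    "NAT Subnet 1": "192.168.1.0/24",      # outside the VPC CIDR
    "GWLBe Subnet 1": "10.0.14.0/30",      # prefix length outside 16-28
}

# The form the template documents: dotted quad followed by a prefix length of 16..28.
CIDR_FORM = re.compile(r"^(\d{1,3}\.){3}\d{1,3}/(1[6-9]|2[0-8])$")


def validate_plan(vpc_cidr, subnets):
    """Return a list of human-readable problems; an empty list means the plan is sound."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    parsed = {}

    for name, cidr in subnets.items():
        if not CIDR_FORM.match(cidr):
            problems.append(f"{name}: {cidr} is not in the form x.x.x.x/16-28")
            continue
        try:
            # strict=True rejects an address with host bits set, e.g. 10.0.10.1/24.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC CIDR {vpc_cidr}")
        parsed[name] = net

    # Pairwise overlap check over the subnets that parsed.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


if __name__ == "__main__":
    for label, plan in (("defaults", SUBNET_DEFAULTS), ("constructed bad plan", BAD_PLAN)):
        found = validate_plan(VPC_CIDR, plan)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the values you intend to enter in the stack parameters before launching; the same function can be fed only the subnets for the number of AZs you selected.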

General Settings:

Parameter Name | Default Value | Description
Key name | Requires input | The EC2 key pair that allows SSH access to the instances created by this stack.
Enable Environment Volume Encryption | True | Encrypt the volumes of the environment's instances with the default AWS Key Management Service (KMS) key.
Enable AWS Instance Connect | False | Enable SSH connections through the AWS web console.
Allow Upload & Download | True | Automatically download Software Blade Contracts and other important data, and improve the product experience by sending data to Check Point.
Management Server | gwlb-management server | The name that represents the Security Management Server in the automatic provisioning configuration.
Configuration template | gwlb-ASG-configuration | The name of a gateway configuration template in the automatic provisioning configuration.
Email Address | Optional | (Optional) Notifications about scaling events are sent to this email address.
Admin Shell | /etc/cli.sh | Changes the admin shell to enable advanced command line configuration. Applies to the Security Gateways and to the Security Management Server (if deployed).

Gateway Load Balancer Configuration:

Parameter Name | Default Value | Description
Gateway Load Balancer Name | gwlb1 | The Gateway Load Balancer's name. This name must be unique in your AWS account. The name can have a maximum of 32 alphanumeric characters and hyphens. Important - A name cannot begin or end with a hyphen.
Target Group Name | tg1 | The target group's name. This name must be unique in your AWS account. The name can have a maximum of 32 alphanumeric characters and hyphens. Important - A name cannot begin or end with a hyphen.
Enable Cross Zone Load Balancing | True | To enable Cross-AZ Load Balancing, select true. Important - This can cause an increase in Cross-AZ charges.

Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration:

Parameter Name | Default Value | Description
Gateways Instance Name | Check Point Gateway | The name tag of the Security Gateway instances (optional).
Gateways Instance Type | c5.xlarge | The EC2 instance type for the Security Gateways.
Minimum Group Size | 2 | The minimum number of Security Gateways.
Maximum Group Size | 10 | The maximum number of Security Gateways.
Gateways Version & License | R80.40-BYOL | The version and license to install on the Security Gateways.
Gateways Password Hash | Optional | (Optional) Admin user's password hash (use the command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash).
Gateways SIC Key | Requires input | The SIC key creates trusted connections between Check Point components. Select a random string that consists of a minimum of 8 alphanumeric characters.
Gateways addresses | Private | Determines whether the provisioned gateways use their private or public address.
CloudWatch Metrics | False | Reports Check Point specific CloudWatch metrics.

Note - To learn how to use custom Check Point metrics to trigger AWS Auto Scaling events, refer to sk162592.

Check Point CloudGuard Network Security Management Server Configuration:

Parameter Name | Default Value | Description
Deploy Management Server | True | Select false to use an existing Security Management Server or to deploy one later; the other parameters in this section are then ignored.
Management Instance Type | m5.xlarge | The EC2 instance type of the Security Management Server.
Management Version & License | R80.40-BYOL | The version and license to install on the Security Management Server.
Management Password Hash | Optional | (Optional) Admin user's password hash (use the command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash).
Security Policy | Standard | The name of the Security Policy package to install on the gateways in the Security Auto Scaling group.
Administrator Addresses | Requires input | Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
Manage Gateways | Locally managed | If any of the gateways that you want to manage are not directly accessible through their private IP address, select Over the internet.
Gateways Addresses | Requires input | Allow gateways only from this network to communicate with the Security Management Server.

Important - As the External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard Network Security Gateways, port 8117 must be open on the Gateways.

Step 5: Configure the Check Point Security Management Server

Install and Configure CME

Important - If you have an existing configuration for a different Check Point CloudGuard Network solution, make sure not to initialize your configuration. Instead, add the Controller or Template for the GWLB solution with the applicable configuration.

This utility configures the Check Point Security Management Server with all the settings needed for GWLB:

To configure the autoprov_cfg Utility:

  1. Connect to the command line on the Check Point Security Management Server.

  2. Log in to the Expert mode.

  3. Run all the commands below.

    Commands and their options:

    • Initialize the autoprov_cfg configuration with IAM credentials:

      autoprov_cfg init AWS -mn "<MANAGEMENT-NAME>" -tn "<TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver R80.40 -po "<POLICY-NAME>" -cn "<CONTROLLER-NAME>" -r "<REGIONS>" -iam

    • Initialization options:

      • -mn - Specifies the name of the Security Management Server

      • -tn - Specifies the template name

      • -otp - Specifies the one-time SIC password

      • -ver - Specifies the Gateway version

      • -po - Specifies the name of the policy package

      • -cn - Specifies the name of the Controller

      • -r - Specifies the list of regions, separated by commas

      • -iam - Specifies to use IAM to connect to AWS

    • Show the autoprov_cfg configuration:

      • To make sure all the configuration is correct, run:

        autoprov_cfg show all

      • To test that the CME service works with this configuration, run:

        service cme test

        Important - Make sure there are no errors.

Step 6: Post Deployment - Attach the Security VPC to the Transit Gateway

Create a Security Gateway VPC Attachment with the Security VPC:

  1. In the AWS Web Console, open the VPC service and navigate to Transit Gateway Attachments.

  2. Create a new VPC attachment with your Transit Gateway and the Security VPC.

    Important - After the setup is complete, right-click the attachment to modify it and set the attachment subnets for all relevant Availability Zones to the TGW Subnets that the CFT created in the Security VPC.

    For more information, see Amazon documentation.

Create and configure the Transit Gateway Route Table:

  1. In the AWS Web Console, open the VPC service and navigate to Transit Gateway Route Tables.

  2. Create a new route table for the Transit Gateway to handle traffic from the Security VPC, and name it Check-Point-rtb.

  3. On the Check-Point-rtb, create a route table association to the Security-VPC-attachment.

  4. In the Check-Point-rtb, create a route table propagation to all your Spoke VPC attachments.

  5. Use an existing route table, or create a new one for the Transit Gateway to handle traffic from the Spoke VPCs, and name it Spoke-rtb.

  6. On the Spoke-rtb, create a route table association to the Spoke VPC attachments.

  7. On the Spoke-rtb, create a static route 0.0.0.0/0 > Security VPC attachment to direct all traffic through the Security VPC for inspection.

Step 7: Post Deployment - Add Routes to Spoke VPCs CIDRs

The CFTs manage default routing and Security-VPC-specific routing, but not consumer-specific environment (Spoke) routing. Because each consumer environment is unique, consumers must add their own routing information to the Security VPC route tables in two specific locations. This is necessary to allow TGW VPC-to-VPC inspection, VPC-to-ground inspection, or any other inter-VPC inspection.

The consumer must add consumer-specific routes to:

  1. The GWLBe subnets' route tables

  2. The NAT Gateway subnets' route tables

Consumer-specific routes must be added for any inter-VPC routing, or VPC-to-ground routing done through Direct Connect or other VPN connectivity.

  1. For each Spoke VPC CIDR, add these routes to all GWLBe Subnets Route Tables:

    Destination | Next Hop
    Spoke VPC-1 CIDR | Transit Gateway
    Spoke VPC-2 CIDR | Transit Gateway
    ... | ...
    Spoke VPC-N CIDR | Transit Gateway

  2. For each Spoke VPC CIDR, add the routes that follow to all NAT Gateway Subnets Route Tables, directing to the GWLBe in the corresponding Availability Zone:

    • To the NAT Gateway 1 in AZ-A Route Table, add:

      Destination | Next Hop
      Spoke VPC-1 CIDR | GWLBe-AZ-A
      Spoke VPC-2 CIDR | GWLBe-AZ-A
      ... | ...
      Spoke VPC-N CIDR | GWLBe-AZ-A

    • To the NAT Gateway 2 in AZ-B Route Table, add:

      Destination | Next Hop
      Spoke VPC-1 CIDR | GWLBe-AZ-B
      Spoke VPC-2 CIDR | GWLBe-AZ-B
      ... | ...
      Spoke VPC-N CIDR | GWLBe-AZ-B

Best Practice - Take care when managing these route tables; we recommend grouping similar subnets into supernet routes whenever possible.

Example: Subnets 10.1.1.0/24, 10.1.2.0/24, ... 10.1.255.0/24 can be grouped as a single supernet: 10.1.0.0/16
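The route entries in the two tables above are mechanical once the list of Spoke CIDRs and AZs is known, and the supernet grouping is where mistakes creep in: a supernet that is too wide can also cover the Security VPC's own CIDR, which would send the Security VPC's own traffic back to the Transit Gateway. The script below is an added example, not part of the CFTs or of Check Point's tooling. It produces the per-AZ route lists for the GWLBe subnet route tables (next hop Transit Gateway) and the NAT Gateway subnet route tables (next hop the GWLBe in the same AZ), collapsing adjacent Spoke CIDRs into exact supernets, and optionally replacing them with the single covering supernet the best practice describes. In both modes it refuses any destination that overlaps the Security VPC CIDR (10.0.0.0/16 by default, matching the template). The Spoke CIDRs and AZ labels are constructed sample values.

```python
import ipaddress

# Constructed sample inputs: three Spoke VPC CIDRs and the two AZ labels used in the guide.
SPOKE_CIDRS = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/16"]
AZS = ["AZ-A", "AZ-B"]


def aggregate(cidrs):
    """Collapse adjacent or contained CIDRs into the fewest exact supernets.

    Only ranges that are fully covered are merged, so no address outside
    the input list becomes routable.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(cidrs):
    """Smallest single prefix that contains every input CIDR.

    This is the grouping the best practice above describes (10.1.1.0/24 ...
    10.1.255.0/24 -> 10.1.0.0/16); it may cover addresses not in the input.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return str(cover)


def route_plan(spoke_cidrs, azs, security_vpc_cidr="10.0.0.0/16", single_supernet=False):
    """Return {route_table: [(destination, next_hop), ...]} for the Security VPC.

    GWLBe subnet route tables send every Spoke destination to the Transit Gateway;
    the NAT Gateway subnet route table in each AZ sends them to that AZ's GWLBe.
    Raises ValueError if a destination would also cover the Security VPC itself.
    """
    dests = [covering_supernet(spoke_cidrs)] if single_supernet else aggregate(spoke_cidrs)
    security_vpc = ipaddress.ip_network(security_vpc_cidr, strict=True)
    for d in dests:
        if ipaddress.ip_network(d).overlaps(security_vpc):
            raise ValueError(f"route {d} would also cover the Security VPC {security_vpc}")

    plan = {}
    for az in azs:
        plan[f"GWLBe-subnet-{az}"] = [(d, "Transit Gateway") for d in dests]
        plan[f"NAT-subnet-{az}"] = [(d, f"GWLBe-{az}") for d in dests]
    return plan


if __name__ == "__main__":
    for table, routes in route_plan(SPOKE_CIDRS, AZS).items():
        print(table)
        for dest, hop in routes:
            print(f"  {dest:<18} -> {hop}")
    try:
        route_plan(SPOKE_CIDRS, AZS, single_supernet=True)
    except ValueError as exc:
        print("single supernet rejected:", exc)
```

With the sample inputs the exact mode yields 10.1.0.0/23 and 10.2.0.0/16, while the single covering supernet would be 10.0.0.0/14, which swallows the Security VPC's 10.0.0.0/16 and is therefore rejected.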

Step 8: Enable Transit Gateway Appliance Mode

TGW Appliance Mode allows traffic inspection to happen in a different AZ from the one the traffic is sourced from or destined to.

With AWS Transit Gateway Appliance Mode, you can specify attachments that forward network flows out of the same AZ regardless of the flow's direction and of the Availability Zone it originated in. AWS Transit Gateway Appliance Mode ensures that network flows are symmetrically routed to the same AZ and network appliance. For more information about AWS Transit Gateway Appliance Mode, see the AWS documentation.

To set Appliance Mode on the Security VPC attachment, use this AWS CLI command with the latest version of AWS CLI v2:

aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <tgw-attach-xyx> --options ApplianceModeSupport="enable"
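An attachment left without Appliance Mode is easy to miss and shows up only as intermittent drops when return traffic lands on a gateway in the other AZ. The script below is an added example, not part of this guide or of Check Point's tooling: it inspects the JSON that aws ec2 describe-transit-gateway-vpc-attachments returns, lists the Security VPC attachments whose ApplianceModeSupport is not "enable", and prints the modify command from above for each one. SAMPLE_DESCRIBE_OUTPUT is a constructed document in that output's shape, with placeholder attachment and VPC IDs, not data from a real account.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-transit-gateway-vpc-attachments`
# output; the IDs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGatewayVpcAttachments": [
        {
            "TransitGatewayAttachmentId": "tgw-attach-0000000000000000a",
            "TransitGatewayId": "tgw-00000000000000000",
            "VpcId": "vpc-0000000000000000a",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "disable"},
        },
        {
            "TransitGatewayAttachmentId": "tgw-attach-0000000000000000b",
            "TransitGatewayId": "tgw-00000000000000000",
            "VpcId": "vpc-0000000000000000b",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "enable"},
        },
    ]
})


def attachments_needing_appliance_mode(describe_json, security_vpc_ids):
    """Return the attachment IDs of the given Security VPC(s) that lack Appliance Mode.

    Attachments for other VPCs (the Spokes) are ignored; only the Security VPC
    attachment needs symmetric AZ routing for the inspection appliances.
    """
    data = json.loads(describe_json)
    needs_fix = []
    for att in data.get("TransitGatewayVpcAttachments", []):
        if att.get("VpcId") not in security_vpc_ids:
            continue
        if att.get("Options", {}).get("ApplianceModeSupport") != "enable":
            needs_fix.append(att["TransitGatewayAttachmentId"])
    return needs_fix


def remediation_commands(attachment_ids):
    """The modify command from the guide, one per non-compliant attachment."""
    return [
        "aws ec2 modify-transit-gateway-vpc-attachment "
        f"--transit-gateway-attachment-id {att_id} "
        "--options ApplianceModeSupport=enable"
        for att_id in attachment_ids
    ]


if __name__ == "__main__":
    # In practice: pipe the real describe output into this script and pass the
    # Security VPC ID from the CloudFormation stack outputs.
    security_vpcs = {"vpc-0000000000000000a"}
    pending = attachments_needing_appliance_mode(SAMPLE_DESCRIBE_OUTPUT, security_vpcs)
    for cmd in remediation_commands(pending):
        print(cmd)
```

After running the modify command, re-run the describe call and confirm the attachment no longer appears in the list; Appliance Mode is an attachment option, so it has to be set again if the attachment is ever recreated.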

(Optional) Configure Inbound Traffic to Spoke VPCs

The architecture as described in the Introduction "Solution 2 – A GWLB Security VPC for Transit Gateway", handles outbound and east-west (Spoke-to-Spoke) traffic only.

Prerequisites:

  • The Application instances in the Spoke VPC must be targets of an External Load Balancer.

  • Place the Load Balancer in subnets separate from the Application instances' subnets.

To allow your environment's inbound traffic inspection to pass through the GWLB as described in this diagram, do these steps:

  1. Create a separate subnet dedicated for the GWLBe in the Spoke VPC with a default route through the AWS Internet Gateway (IGW).

  2. Create the Gateway Load Balancer Endpoint (GWLBe) in the subnet you created in the previous step. To do this with the AWS CLI, run:

    AWS CLI Command:

    aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --service-name com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567 --vpc-id spoke-vpc-id --subnet-ids gwlbe-subnet-id

    Note - Find the Service Name in the CloudFormation outputs' GWLBServiceName parameter.

    For more information about Gateway Load Balancer Endpoints, see the AWS VPC Gateway Load Balancer documentation.

  3. Configure Ingress Routing through the GWLBe on the Load Balancer subnets' Route Table and the Internet Gateway Route Table.

    For more information about ingress routing and edge routing tables, see New VPC Ingress Routing Simplifying Integration of Third-Party Appliances.

    Note - The Load Balancer subnets' Route Table must be a separate Route Table from the Application instances' Route Table.

Termination

To terminate the environment, do these steps:

  1. Delete the TGW VPC association from every place where it is used.

  2. Delete the Security VPC CFT Stack.