Overview of CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway
The AWS Gateway Load Balancer (GWLB) is a managed service that allows AWS users to easily deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. AWS customers can deploy virtual appliances with high availability, scaling, and load balancing.
One example of such a virtual appliance is a CloudGuard Security Gateway.
Cloud Network Security is one of the CloudGuard capabilities. It provides advanced Threat Prevention and automated network security through a virtual Security Gateway, with unified security management across all your cloud and on-premises deployments. AWS customers use CloudGuard to securely migrate on-premises workloads to AWS and to protect these assets with advanced security technologies that include Firewall, IPS, Application Control, DLP, Anti-Virus, and Anti-Bot. Threat Extraction and Threat Emulation provide industry-leading protection from zero-day attacks.
For more about the AWS Gateway Load Balancers, click here.
This guide explains how to deploy and configure Check Point's CloudGuard Network Gateway Load Balancer security protection.
How GWLB Works
A Gateway Load Balancer operates at Layer 3 of the OSI model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group specified in its listener rule. The GWLB and its registered virtual appliance instances exchange application traffic encapsulated in the GENEVE protocol on UDP port 6081.
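As an added example (not Check Point's or AWS's code), here is a small Python parser for the GENEVE encapsulation a GWLB sends to an appliance on UDP port 6081, showing the header fields and options the appliance sees and how the accepted packet is sent back inside the same header. The AWS option class 0x0108 and its option types 1 to 3 (endpoint ENI ID, attachment ID, flow cookie) are assumed from AWS's GWLB documentation and are not stated on this page; the sample frame is constructed.

```python
import struct

GENEVE_UDP_PORT = 6081          # the port the page states GWLB and appliances use
AWS_GWLB_OPTION_CLASS = 0x0108  # assumption: AWS-assigned option class (from AWS docs, not this page)
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}  # assumption, as above


def parse_geneve(frame: bytes) -> dict:
    """Decode the GENEVE base header, the AWS GWLB options and the inner IP packet."""
    if len(frame) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", frame[:8])
    ver, opt_len = b0 >> 6, (b0 & 0x3F) * 4          # option length is in 4-byte units
    if ver != 0:
        raise ValueError(f"unsupported GENEVE version {ver}")
    end = 8 + opt_len
    if len(frame) < end:
        raise ValueError("options run past the end of the frame")
    hdr = {"protocol": proto, "vni": vni_rsvd >> 8, "oam": bool(b1 & 0x80),
           "critical": bool(b1 & 0x40), "options": {}, "inner": frame[end:]}
    pos = 8
    while pos < end:
        cls, typ, flen = struct.unpack("!HBB", frame[pos:pos + 4])
        dlen = (flen & 0x1F) * 4                      # option data length, 4-byte units
        if pos + 4 + dlen > end:
            raise ValueError("option data is truncated")
        data = frame[pos + 4:pos + 4 + dlen]
        if cls == AWS_GWLB_OPTION_CLASS and typ in AWS_OPTION_NAMES:
            hdr["options"][AWS_OPTION_NAMES[typ]] = int.from_bytes(data, "big")
        elif typ & 0x80:                              # critical bit set on an unknown option
            raise ValueError(f"unknown critical option class={cls:#06x} type={typ:#04x}")
        pos += 4 + dlen
    return hdr


def encapsulate_return(received: bytes, inner: bytes) -> bytes:
    """Reuse the received GENEVE header and options unchanged on the packet returned to
    the GWLB (assumption from AWS docs: the GWLB uses them to map the flow to its GWLBe)."""
    opt_len = (received[0] & 0x3F) * 4
    return received[:8 + opt_len] + inner


def build_sample_frame() -> bytes:
    """Constructed sample frame: three AWS options (8, 8 and 4 data bytes) plus a stub inner packet."""
    opts = (struct.pack("!HBB", AWS_GWLB_OPTION_CLASS, 1, 2) + (0x0102030405060708).to_bytes(8, "big")
            + struct.pack("!HBB", AWS_GWLB_OPTION_CLASS, 2, 2) + (0x1112131415161718).to_bytes(8, "big")
            + struct.pack("!HBB", AWS_GWLB_OPTION_CLASS, 3, 1) + (0xDEADBEEF).to_bytes(4, "big"))
    inner = bytes([0x45]) + bytes(19)                  # constructed stub, not a real IPv4 packet
    base = struct.pack("!BBHI", len(opts) // 4, 0, 0x0800, 0)  # version 0, no flags, IPv4 inner, VNI 0
    return base + opts + inner
```

A capture taken on the appliance's GENEVE interface can be fed to `parse_geneve` one UDP payload at a time to confirm which GWLBe and flow each packet belongs to.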
For more information, see the AWS Gateway Load Balancer documentation, and review AWS's detailed blog posts on GWLB.
Architecture Patterns
Solution 1 – A Centralized GWLB Security VPC
The diagram shows the GWLB architecture for Check Point CloudGuard's AWS end-to-end solution, which includes:
- Security VPC:
  - Gateway Load Balancer (GWLB)
  - Auto Scaling Group of Security Gateways
  - Security Management Server (optional)
- Consumer VPC:
  - Gateway Load Balancer Endpoint (GWLBe)
  - Application Servers
The GWLBe is the next hop of the Consumer VPC's Internet Gateway (IGW) for ingress traffic and the next hop of the application servers for egress traffic. All traffic that reaches the GWLBe is automatically directed to the GWLB in the Security VPC. The GWLB forwards the packet over the GENEVE protocol to one of the healthy instances in the Auto Scaling Group (ASG). The packet is then analyzed and processed according to the Security Gateway's policy. If the packet is accepted, it returns to the GWLB and then to the corresponding GWLBe, which forwards the packet to its original destination.
Creating a GWLBe in each consumer VPC lets you protect multiple consumer VPCs. All GWLBes must point to the centralized GWLB, so that their traffic is inspected by the same centralized Security VPC, that is, by the same firewall appliances.
Solution 2 - A GWLB Security VPC for Transit Gateway (TGW)
The diagram shows the TGW GWLB architecture for Check Point CloudGuard's AWS end-to-end solution, which includes:
- Security VPC:
  - Gateway Load Balancer (GWLB)
  - Auto Scaling Group of Security Gateways
  - Security Management Server (optional)
  - GWLBe (one for each Availability Zone)
  - Transit Gateway attachment subnets (one for each Availability Zone)
  - NAT Gateways (one for each Availability Zone)
- Transit Gateway
- Spoke VPCs
The TGW Solution Security VPC has 4 subnets in each AZ:
- TGW attachment subnet
- GWLBe subnet
- Check Point Firewall subnet
- NAT Gateway subnet
This architecture provides the required management connectivity to the Check Point EC2 instances.
For more architecture examples and traffic flows, refer to: Check Point CloudGuard Network Security - Integration with AWS Gateway Load Balancer workshop.
Benefits
GWLB provides a simple native AWS solution to deploy and manage network appliances in a horizontally scalable and fault-tolerant manner.
In addition, GWLB operates transparently. The software stacks of the traffic source and destination do not need to change, because GWLB does not modify packet headers or payloads, so no changes to users or applications are required.
GWLB integration with CloudGuard Network allows IT teams to keep consistent security practices across cloud and on-premises deployments, to leverage existing security skill sets, and to build on existing investments and relationships with Check Point Security Solutions.
GWLB provides:
- Elastic scalability: managed Check Point CloudGuard Gateway fleets grow and shrink as traffic volumes change.
- Resiliency for Check Point CloudGuard Network gateways by automatically rerouting traffic to healthy gateways.
  - Graceful failover among Auto Scaling Group gateways for patching and maintenance (traffic is always directed to one of the healthy appliances).
- Reduced network complexity:
  - No traffic translation or source NAT (the original source and destination are kept inside the packet).
  - Traffic inspection is transparent (bump-in-the-wire).
  - A single security VPC with a GWLB and a Check Point CloudGuard Auto Scaling Group can connect to multiple GWLB Endpoints across multiple VPCs and/or AWS accounts.
- Ease of use:
  - Full deployment automation: a CloudFormation Template (CFT) deploys a security VPC that connects to multiple Endpoints (Endpoint deployment is manual).
  - Flexibility in inspection enforcement through the use of subnet tags.
- Support for multiple networking architectures:
  - The current architecture supports traffic inspection in a centralized security VPC for simple (single VPCs with a GWLBe in each) and complex (TGW) use case scenarios.
Use Case
A typical use case is a customer AWS deployment with one or more VPCs and a requirement to protect and inspect network traffic with Check Point CloudGuard Network Security Gateways.
Check Point CloudGuard Network Security integrates with GWLB to provide traffic inspection in a centralized security VPC:
- Solution 1: Deploying a Centralized GWLB Security VPC. Ingress and egress traffic inspection in unconnected VPCs.
- Solution 2: Deploying a GWLB Security VPC for Transit Gateway. Intra-VPC and egress traffic inspection for VPCs connected with AWS Transit Gateway.
Prerequisites
Before you use this solution, you must be familiar with these AWS terms and services:
- VPC
- EC2
- Elastic Load Balancers (ELB)
- Ingress Routing
- VPC Endpoints: Gateway Load Balancer (Endpoint)
- Transit Gateway
- NAT Gateway (see Deploying Solution 2 - A Check Point Gateway Load Balancer Transit Gateway Environment with CloudFormation Template)
If you are new to AWS, see Getting Started with AWS.