CloudGuard Network High Availability for Azure

Check Point and Microsoft have partnered to deliver a best-in-class experience for customers looking to extend advanced security protections to their Azure public and hybrid environments. Seamlessly integrating with the Azure and Azure Stack cloud infrastructures, CloudGuard Network for Microsoft Azure provides reliable and secure connectivity to public cloud assets while protecting applications and data with industry-leading threat prevention. Additionally, CloudGuard Network helps organizations by dramatically simplifying security management and policy enforcement across private, hybrid, and public cloud networks.

IT organizations can now achieve an advanced security posture that moves with Virtual Applications as they migrate from data centers to Azure hybrid cloud environment. As an Azure certified technology solution, CloudGuard Network compliments Azure cloud security controls to enable you to easily and seamlessly secure your assets in the cloud with elastic scalability and high availability using a cloud security solution integrated with both Azure and Azure Stack.

Prerequisites

To set up your system most efficiently, you must be familiar with these topics:

Vendor	Topics
Microsoft Azure	Virtual Networks Virtual Machines Load Balancers High Availability ports Public IP addresses User Defined Rules (UDR) Role Based Access Control (RBAC)
Check Point	Check Point with Microsoft Azure

Setting Up Check Point Clusters in Azure

A Cluster is a group of Virtual Machines that work together in High Availability Mode. One Cluster Member is the Active, and the second Cluster Member is the Standby. The cluster fails over from the Active Cluster Member to the Standby Cluster Member when necessary.

Cluster Members communicate to each other with unicast IP addresses.
For inbound, outbound, and East-West traffic, Cluster Members rely on Azure Load Balancers to represent their external and internal Virtual IP addresses. Load Balancers only forward traffic to the Active Cluster Member.
For VPN traffic, Load Balancers use API calls to Azure to communicate the failover from the Active Cluster Member. The Standby Cluster Member then promotes itself to Active.

During cluster failover, the Standby Cluster Member associates the private and public cluster IP addresses of the Active Cluster Member with its external interface.

Azure API authentication

To make API calls to Azure automatically, Cluster Members need Azure Active Directory credentials. Use the Role-Based Access Control (RBAC) to enable Active Directory.

The Check Point Security Management Server in the Azure Cloud, or on-premises, manages the Check Point Cluster Members

Azure Internal Load Balancer

The Internal Load Balancer deploys by default as part of the solution template. It is automatically configured to listen and forward any TCP or UDP traffic on its High Availability ports. The Internal Load Balancer gets an automatically assigned name:

backend-lb.

Azure sends probes from the source IP address 168.63.129.16 to TCP port 8117 to monitor the health of the Check Point CloudGuard Network Security Gateways.