CloudGuard Network High Availability for Azure

Check Point and Microsoft have partnered to deliver a best-in-class experience for customers looking to extend advanced security protections to their Azure public and hybrid environments. Seamlessly integrating with the Azure and Azure Stack cloud infrastructures, CloudGuard Network for Microsoft AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. provides reliable and secure connectivity to public cloud assets while protecting applications and data with industry-leading threat prevention. Additionally, CloudGuard Network helps organizations by dramatically simplifying security management and policy enforcement across private, hybrid, and public cloud networks.

IT organizations can now achieve an advanced security posture that moves with Virtual Applications as they migrate from data centers to Azure hybrid cloud environment. As an Azure certified technology solution, CloudGuard Network compliments Azure cloud security controls to enable you to easily and seamlessly secure your assets in the cloud with elastic scalability and high availability using a cloud security solution integrated with both Azure and Azure Stack.

Prerequisites

Setting Up Check Point Clusters in Azure

A ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. is a group of Virtual Machines that work together in High Availability Mode. One Cluster MemberClosed Security Gateway that is part of a cluster. is the Active, and the second Cluster Member is the Standby. The cluster fails over from the Active Cluster Member to the Standby Cluster Member when necessary.

  • Cluster Members communicate to each other with unicast IP addresses.

  • For inbound, outbound, and East-West traffic, Cluster Members rely on Azure Load Balancers to represent their external and internal Virtual IP addresses. Load Balancers only forward traffic to the Active Cluster Member.

  • For VPN traffic, Load Balancers use API calls to Azure to communicate the failover from the Active Cluster Member. The Standby Cluster Member then promotes itself to Active.

    During cluster failover, the Standby Cluster Member associates the private and public cluster IP addresses of the Active Cluster Member with its external interface.

Azure API authentication

To make API calls to Azure automatically, Cluster Members need Azure Active Directory credentials. Use the Role-Based Access Control (RBAC) to enable Active Directory.

The Check Point Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. in the Azure Cloud, or on-premises, manages the Check Point Cluster Members

Azure Internal Load Balancer

The Internal Load Balancer deploys by default as part of the solution template. It is automatically configured to listen and forward any TCP or UDP traffic on its High Availability ports. The Internal Load Balancer gets an automatically assigned name:

backend-lb.

Azure sends probes from the source IP address 168.63.129.16 to TCP port 8117 to monitor the health of the Check Point CloudGuard Network Security Gateways.