Network

Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.

Network Diagram

Routing Table for Web and App - User Defined Routes (UDR)

Web and App routing tables have the same Virtual Network address, but different subnet addresses.

Diagram Components

The diagram shows:

Check Point High Availability contains two Cluster Members, Member 1 and Member 2. (A Cluster is two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing. A Cluster Member is a Security Gateway that is part of a cluster.) Each Cluster Member has two interfaces.

Placing both Cluster Members in the same Availability Set guarantees that they are in separate fault domains. For more information, see Manage the availability of Windows virtual machines in Azure.

In the diagram:

  • The cluster protects two web applications.

  • There is Site-to-Site VPN connectivity between the Cluster Members and on-premises Security Gateways.

Each web application has:

  • Public IP address

  • Web server

  • Application server

You must manually configure these components:

  • Backend hosts

  • Subnets

  • Routing tables for Web and App servers

Failover

Traffic Flows

If the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.

Note - It is not possible to deploy other Virtual Machines in the Check Point solution subnets.

Inbound Traffic

Consider a case in which client traffic from the Internet needs to reach a resource behind the Azure High Availability Cluster:

  1. The traffic reaches the Web Public IP on port 80 that is associated with the External Load Balancer.

  2. The External Load Balancer translates the port from 80 to 8083 and forwards the traffic to the active Security Gateway.

  3. The active Security Gateway translates the traffic:

    • Source - Original

    • Destination - Internal Load Balancer IP address or Web server IP address

    • Destination port - 80

Note - Traffic leaving eth1 to the backend does not pass through the Internal Load Balancer. A special IP address is used to forward this traffic to the Azure Fabric for handling.

Intra-Subnet Traffic

Traffic travels freely in the subnet without inspection.
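The following added example (not part of Check Point's documentation) models the two backend route tables described above and traces the three inbound steps. All addresses are a constructed sample environment: the Web and App tables share the same VNet route via the cluster's eth1 address, and only the local-subnet route differs, which is why intra-subnet traffic bypasses the gateway while Web-to-App traffic is inspected.

```python
import ipaddress

# Constructed sample environment (hypothetical addresses; replace with your own).
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNET = ipaddress.ip_network("10.0.1.0/24")
APP_SUBNET = ipaddress.ip_network("10.0.2.0/24")
CLUSTER_ETH0 = "10.0.0.10"      # hypothetical eth0 (frontend) IP of the active member
CLUSTER_ETH1 = "10.0.3.10"      # hypothetical eth1 (backend) IP of the active member
WEB_PUBLIC_IP = "203.0.113.10"  # Web Public IP associated with the External LB
INTERNAL_LB_IP = "10.0.1.4"     # Internal LB in front of the web servers
LB_BACKEND_PORT = 8083          # External LB translates port 80 -> 8083 toward the gateway


def udr(own_subnet):
    """Build the User Defined Route table for one backend subnet.

    Both tables carry the same VNet route through the cluster; only the
    local-subnet route (kept in-VNet, i.e. not inspected) differs."""
    return [
        (own_subnet, "VnetLocal", None),
        (VNET, "VirtualAppliance", CLUSTER_ETH1),
        (ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance", CLUSTER_ETH1),
    ]


WEB_UDR = udr(WEB_SUBNET)
APP_UDR = udr(APP_SUBNET)


def next_hop(table, dst):
    """Longest-prefix match over a route table; returns (hop type, hop address)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def inbound_flow(client_ip, client_port):
    """Trace the inbound steps; returns one (src, sport, dst, dport) tuple per hop."""
    hops = []
    # 1. Client traffic reaches the Web Public IP on port 80.
    hops.append((client_ip, client_port, WEB_PUBLIC_IP, 80))
    # 2. External LB keeps the source, translates 80 -> 8083, forwards to the active member.
    hops.append((client_ip, client_port, CLUSTER_ETH0, LB_BACKEND_PORT))
    # 3. Active gateway NATs the destination to the Internal LB on port 80; source stays original.
    hops.append((client_ip, client_port, INTERNAL_LB_IP, 80))
    return hops
```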