Network

Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.

Network Diagram

See the routing tables below the diagram.

1

Example 1

Frontend

Web:443

Backend port

8081

2

Example 2

Frontend

App:80

Backend port

8083

3

Destination

Nexthop

 

10.0.0.0/16

None (Drop)

 

10.0.1.0/24

Virtual NetworkClosed Environment of logically connected Virtual Machines.

4

Destination

Nexthop

 

0.0.0.0/0

None (Drop)

Routing Table for Web and App - User Defined Routes (UDR)

Web and App routing tables have the same Virtual Network address, but different subnet addresses.

5

Frontend

Nexthop

 

10.0.0.0/16 - Virtual Network address

10.0.2.4 -IP of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP of the Internal Load Balancer

 

10.0.3.0/24 (Web) - Subnet address

Virtual Network

6

Frontend

Nexthop

 

10.0.0.0/16 -Virtual Network address

10.0.2.4 -IP of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP of the Internal Load Balancer

 

10.0.4.0/24 (App) - Subnet address

Virtual Network

Diagram Components

The diagram shows:

Check Point High Availability contains two ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members, Member 1 and Member 2. Each Cluster MemberClosed Security Gateway that is part of a cluster. has two interfaces.

When the Cluster Members are in the same Availability Set, it guarantees that the two Cluster Members are in separate fault domains. For more information, see Manage the availability of Windows virtual machines in Azure.

In the diagram:

  • The cluster protects two web applications.

  • There is Site-to-Site VPN connectivity between the Cluster Members and on-premises Security Gateways.

Each web application has:

  • Public IP address

  • Web server

  • Application server

You must manually configure these components:

  • Backend hosts

  • Subnets

  • Routing tables for Web and App servers

Name

Attached to

Use

Cluster public address

The external interface of the Active Cluster Member.

VPN

Cluster private address

The external interface of the Active Cluster Member.

VPN

Member 1 public address

The external interface of Member 1.

  • External management of Member 1

  • Internet and Azure API access

Do not disable or delete this resource.

Member 2 public address

The external interface of Member 2.

  • External management of Member 2

  • Internet and Azure API access

Do not disable or delete this resource.

Web

Azure Load Balancer

Public service Web

App

Azure Load Balancer

Public service App

You cannot use these ports:

  • 80

  • 443

  • 444

  • 8082

  • 8880

  • 8117

Frontend IP address

Frontend TCP ports

Destination IP address

Destination port

Web

HTTPS

Active Cluster Member

8081

App

HTTP

Active Cluster Member

8083

Failover

  1. The Cluster Member that fails, immediately stops responding to the Load Balancer health probes.

  2. The Cluster Member that gets promoted to Active, starts responding to the Load Balancer health probes.

  3. The Azure External Load Balancer and Internal Load Balancer detect the new health status of each Cluster Member and forward traffic to the healthy Cluster Member. For more information, see Azure Load Balancer health probes.

    This usually happens in less than 15 seconds based on the health probe Load Balancer configuration. This affects inbound and East-West traffic inspection.

  4. The Cluster Member that gets promoted to Active uses the Azure API to associate itself with the cluster's private and public IP addresses.

    This usually happens in less than 2 minutes. This affects VPN tunnel failover.

Use Case

Expected Failover Time

Comments

Site-to-Site VPN

Less than 2 minutes

Depends on the Azure API.

Inbound inspection through the External Load Balancer

Less than 15 seconds

Depends on the Load Balancer health probe.

Outbound inspection through the Internal Load Balancer

Less than 2 minutes

Depends on the Load Balancer health probe and Azure API.

East-West inspection through the Internal Load Balancer

Less than 15 seconds

Depends on the Load Balancer health probe.

Traffic Flows

If the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.

Note - It is not possible to deploy other Virtual Machines in the Check Point solution subnets.

Inbound Traffic

Consider a case when client traffic from the Internet wants to get to a resource behind the Azure High Availability Cluster:

  1. The traffic reaches the Web Public IP on port 80 that is associated on the External Load Balancer.

  2. The External Load Balancer translates the port from 80 to 8083 and forwards the traffic to the active Security Gateway.

  3. The active Security Gateway translates the traffic:

    • Source - Original

    • Destination - Internal Load Balancer IP address or Web server IP address

    • Destination port - 80

Note - Traffic leaving eth1 to the backend does not pass through the Internal Load Balancer. A special IP address is used to forward this traffic to the Azure Fabric for handling.

  1. The reply travels from the Web server to the Internal Load Balancer.

  2. The Internal Load Balancer forwards the traffic to the active Security Gateway.

  3. The active Security Gateway inspects the traffic, performs NAT on the reply, and forwards it to the destination.

Notes:

  1. The traffic reaches the Web Public IP on port 80 that is associated on the External Load Balancer.

  2. The External Load Balancer translates the port from 80 to 8083 and forwards the traffic to the active Security Gateway.

  3. The active Security Gateway translates the traffic:

    • Source - Original

    • Destination - When you enable Floating IP address, Azure changes the IP address mapping to the Frontend IP address of the Load Balancer frontend instead of backend instance's IP address.

    • Destination port - 80

Note - You can enable Floating IP address in the relevant load balancing rules.

  1. The reply travels from the Web server to the Internal Load Balancer.

  2. The Internal Load Balancer forwards the traffic to the active Security Gateway.

  3. The active Security Gateway inspects the traffic and performs NAT on the reply.

  4. The Azure fabric reverses the NATed port and forwards the reply to the destination.

Note - LocalGatewayExternal is not used in this mode. Instead, you input the destination public IP address. See sk172625 for more information.

Consider a case when North -South traffic is not needed:

  1. Traffic travels from the Web server to the Internal Load Balancer based on the UDR.

  2. The Internal Load Balancer forwards the traffic to the active Security Gateway.

  3. The active Security Gateway inspects the traffic, performs Hide NAT on the packet to the Private Cluster IP address or its frontend IP address (depending on your configuration) and sends it to the destination.

    Note - Azure will NAT the IP address from the Private IP address to Public IP address.

  1. Traffic travels from the internal Web server to the Internal Load Balancer of the Check Point solution.

  2. The Internal Load Balancer forwards the traffic to the active Security Gateway.

  3. The active Security Gateway inspects the traffic and forwards it to the internal application server.

  4. The application server sends a reply to the Internal Load Balancer based on the UDR.

  5. The Internal Load Balancer sends the request to the active Security Gateway.

  6. The active Security Gateway inspects the traffic and forwards it to the internal Web server.

The Internal Load Balancer deploys by default as part of the solution template and is automatically configured. It is configured to listen and forward any TCP or UDP traffic High Availability ports. It gets an automatically assigned name: backend-lb.

Azure sends probes from the source IP address 168.63.129.16 to TCP port 8117 to monitor the health of the Cluster Members.

Intra-Subnet Traffic

Traffic travels freely in the subnet without inspection.