Network
Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.
Network Diagram
The diagram.
See the routing tables below the diagram.
Load Balancing Rules of the External Load Balancer
|
1 |
Example 1 |
Frontend Web:443 |
Backend port 8081 |
|
2 |
Example 2 |
Frontend App:80 |
Backend port 8083 |
Frontend Routing Table - User Defined Routes (UDR)
|
3 |
Destination |
Nexthop |
|
|
10.0.0.0/16 |
None (Drop) |
|
|
10.0.1.0/24 |
Virtual Network |
Backend Routing Table - User Defined Routes (UDR)
|
4 |
Destination |
Nexthop |
|
|
0.0.0.0/0 |
None (Drop) |
Routing Table for Web and App - User Defined Routes (UDR)
Web and App routing tables have the same Virtual Network address, but different subnet addresses.
Web:
|
5 |
Frontend |
Nexthop |
|
|
10.0.0.0/16 - Virtual Network address |
10.0.2.4 -IP of the Internal Load Balancer |
|
|
0.0.0.0/0 |
10.0.2.4 -IP of the Internal Load Balancer |
|
|
10.0.3.0/24 (Web) - Subnet address |
Virtual Network |
App
|
6 |
Frontend |
Nexthop |
|
|
10.0.0.0/16 -Virtual Network address |
10.0.2.4 -IP of the Internal Load Balancer |
|
|
0.0.0.0/0 |
10.0.2.4 -IP of the Internal Load Balancer |
|
|
10.0.4.0/24 (App) - Subnet address |
Virtual Network |
Diagram Components
The diagram shows:
-
Virtual Network in Azure that is divided into four subnets
-
Frontend
-
Backend
-
Web
-
App
-
-
On-premises network with these components
Check Point High Availability contains two Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members, Member 1 and Member 2. Each Cluster Member Security Gateway that is part of a cluster. has two interfaces.
When the Cluster Members are in the same Availability Set, it guarantees that the two Cluster Members are in separate fault domains. For more information, see Manage the availability of Windows virtual machines in Azure.
In the diagram:
-
The cluster protects two web applications.
-
There is Site-to-Site VPN connectivity between the Cluster Members and on-premises Security Gateways.
Each web application has:
-
Public IP address
-
Web server
-
Application server
You must manually configure these components:
-
Backend hosts
-
Subnets
-
Routing tables for Web and App servers
Static IP Addresses
|
Name |
Attached to |
Use |
|---|---|---|
|
Cluster public address |
The external interface of the Active Cluster Member. |
VPN |
|
Cluster private address |
The external interface of the Active Cluster Member. |
VPN |
|
Member 1 public address |
The external interface of Member 1. |
Do not disable or delete this resource. |
|
Member 2 public address |
The external interface of Member 2. |
Do not disable or delete this resource. |
|
Web |
Azure Load Balancer |
Public service Web |
|
App |
Azure Load Balancer |
Public service App |
Using the Azure Load Balancer rules to forward traffic that comes from the Internet
Note
You cannot use these ports:
-
80
-
443
-
444
-
8082
-
8880
-
8117
Azure Load Balancer rules
|
Frontend IP address |
Frontend TCP ports |
Destination IP address |
Destination port |
|---|---|---|---|
|
Web |
HTTPS |
Active Cluster Member |
8081 |
|
App |
HTTP |
Active Cluster Member |
8083 |
Failover
This is what happens during Cluster failover:
-
The Cluster Member that fails, immediately stops responding to the Load Balancer health probes.
-
The Cluster Member that gets promoted to Active, starts responding to the Load Balancer health probes.
-
The Azure External Load Balancer and Internal Load Balancer detect the new health status of each Cluster Member and forward traffic to the healthy Cluster Member. For more information, see Azure Load Balancer health probes.
This usually happens in less than 15 seconds based on the health probe Load Balancer configuration. This affects inbound and East-West traffic inspection.
-
The Cluster Member that gets promoted to Active uses the Azure API to associate itself with the cluster's private and public IP addresses.
This usually happens in less than 2 minutes. This affects VPN tunnel failover.
The expected failover times based on use case
|
Use Case |
Expected Failover Time |
Comments |
|---|---|---|
|
Site-to-Site VPN |
Less than 2 minutes |
Depends on the Azure API. |
|
Inbound inspection through the External Load Balancer |
Less than 15 seconds |
Depends on the Load Balancer health probe. |
|
Outbound inspection through the Internal Load Balancer |
Less than 2 minutes |
Depends on the Load Balancer health probe and Azure API. |
|
East-West inspection through the Internal Load Balancer |
Less than 15 seconds |
Depends on the Load Balancer health probe. |
Traffic Flows
If the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.
|
|
Note - It is not possible to deploy other Virtual Machines in the Check Point solution subnets. |
Inbound Traffic
There are two options for inbound traffic:
-
Traffic travels into the External Load Balancer:
-
Packet enters the External Load Balancer with a low port (for example 80/443).
-
The External Load Balancer forwards the packet to the Active Cluster Member and translates the port to the back-end high port (for example 8081/4433).
-
-
The Active Cluster Member inspects the packet and forwards it to the destination performing NAT translation back to the original low port.
-
-
Traffic travels into the front-end network interface (VIP):
-
Packet enters the front-end network interface (eth0) of the Active Cluster Member.
-
The Active Cluster Member inspects the packet and forwards it to the destination.
-
Inbound Traffic Reply
-
The traffic travels from the Web Server to the Internal Load Balancer.
-
The Internal Load Balancer forwards it to the Active Cluster Member.
-
The Active Cluster Member forwards it to the destination.
Inbound VPN Traffic
-
The packet enters the frontend NIC of the Active Cluster Member.
-
The Active Cluster Member decrypts the packet.
-
The Active Cluster Member forwards the packet to its destination.
Outbound Traffic
-
Traffic travels to an Internal Load Balancer based on the UDR.
-
The Internal Load Balancer forwards the traffic to the Active Cluster Member.
-
The Active Cluster Member inspects the traffic and forwards it to the destination.
East-West Traffic
-
Traffic travels from one of the internal servers to the Internal Load Balancer of the Check Point solution.
-
The Internal Load Balancer forwards the traffic to the Active Cluster Member.
-
The Active Cluster Member forwards the traffic to the destination.
Note:
The Internal Load Balancer deploys by default as part of the solution template and is automatically configured. It is configured to listen and forward any TCP or UDP traffic High Availability ports. It gets an automatically assigned name: backend-lb.
Azure sends probes from the source IP address 168.63.129.16 to TCP port 8117 to monitor the health of the Cluster Members.
Intra-Subnet Traffic
Traffic travels freely in the subnet without inspection.