Network

Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.

Network Diagram

Routing Table for Web and App - User Defined Routes (UDR)

Web and App routing tables have the same Virtual Network address, but different subnet addresses.

Diagram Components

The diagram shows:

Check Point High Availability contains two Cluster Members, Member 1 and Member 2. (A Cluster is two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing; a Cluster Member is a Security Gateway that is part of a cluster.) Each Cluster Member has two interfaces.

Placing both Cluster Members in the same Availability Set guarantees that they are in separate fault domains. For more information, see Manage the availability of Windows virtual machines in Azure.

In the diagram:

  • The cluster protects two web applications.

  • There is Site-to-Site VPN connectivity between the Cluster Members and on-premises Security Gateways.

Each web application has:

  • Public IP address

  • Web server

  • Application server

You must manually configure these components:

  • Backend hosts

  • Subnets

  • Routing tables for Web and App servers

Failover

Traffic Flows

If the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.

Note - It is not possible to deploy other Virtual Machines in the Check Point solution subnets.

Inbound Traffic

There are two options for inbound traffic:

  1. Traffic travels into the External Load Balancer:

    1. Packet enters the External Load Balancer with a low port (for example 80/443).

    2. The External Load Balancer forwards the packet to the Active Cluster Member and translates the port to the back-end high port (for example 8081/4433).

    3. The Active Cluster Member inspects the packet and forwards it to the destination, performing NAT translation back to the original low port.

  2. Traffic travels into the front-end network interface (VIP):

    1. Packet enters the front-end network interface (eth0) of the Active Cluster Member.

    2. The Active Cluster Member inspects the packet and forwards it to the destination.
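The two inbound paths above, modelled as an added example (not Check Point code or configuration). It uses the page's low/high port pairs (80/8081, 443/4433) and a constructed placeholder web server address, and makes visible the one invariant the Load Balancer path depends on: the Cluster Member's NAT rule must be the exact inverse of the Load Balancer's port translation, or the web server receives traffic on the wrong port.

```python
"""Model of the inbound traffic flows in the network diagram (illustration only)."""
from dataclasses import dataclass, replace

# Load Balancer rules from the page: public low port -> back-end high port.
LB_PORT_MAP = {80: 8081, 443: 4433}
# Cluster Member NAT: back-end high port -> original low port. Must be the exact
# inverse of LB_PORT_MAP; a mismatch here is a typical misconfiguration.
MEMBER_NAT = {high: low for low, high in LB_PORT_MAP.items()}

WEB_SERVER = "10.0.2.10"  # constructed placeholder for a host in the Web subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def via_load_balancer(pkt: Packet, nat: dict = MEMBER_NAT) -> list:
    """Path 1: External Load Balancer -> Active Cluster Member -> web server."""
    if pkt.dport not in LB_PORT_MAP:
        raise ValueError(f"no Load Balancer rule for port {pkt.dport}")
    hops = [("client", pkt)]
    # The Load Balancer forwards to the Active Member on the high port.
    pkt = replace(pkt, dport=LB_PORT_MAP[pkt.dport])
    hops.append(("external_lb->active_member", pkt))
    # The Active Member inspects, NATs back to the low port, and forwards.
    if pkt.dport not in nat:
        raise ValueError(f"Cluster Member has no NAT rule for port {pkt.dport}")
    pkt = replace(pkt, dst=WEB_SERVER, dport=nat[pkt.dport])
    hops.append(("active_member->web_server", pkt))
    return hops


def via_vip(pkt: Packet) -> list:
    """Path 2: front-end interface (eth0 VIP) of the Active Member; no port change."""
    hops = [("client", pkt), ("vip_eth0->active_member", pkt)]
    hops.append(("active_member->web_server", replace(pkt, dst=WEB_SERVER)))
    return hops


def server_sees_original_port(hops: list, original_port: int) -> bool:
    """True when the last hop delivers the packet on the client's original port."""
    return hops[-1][1].dport == original_port
```

Running `via_load_balancer` with a deliberately wrong `nat` mapping (for example `{8081: 8080}`) shows the server receiving port 8080, which is the symptom to look for when the Web application is unreachable through the Load Balancer.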

Intra-Subnet Traffic

Traffic travels freely in the subnet without inspection.