Workflow for Setting Up a High Availability Cluster in Azure

Step 1: Deploy with a Template in Azure

Deploy this solution through the Azure Portal. If you use a different environment than the standard Azure environment, see Using a Different Azure Cloud Environment

Notes:

Components of the Check Point Solution

Important - If you deploy the solution to an existing Virtual Network, confirm that an NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic. An NSG is necessary to connect to Cluster Members successfully.

Step 2: Set Credentials in Azure

By default, the system assigned managed identity is deployed. If you want to create your own service principal, make sure you set credentials and assign privileges to necessary resources.

Azure Credentials and the Automatic Service Principal

The Check Point Cluster template automatically deploys the Virtual Machine with a system-assigned managed identity and assigns a Contributor role to the Cluster resource group. Therefore, you do not have to create your own service principal. For more information, see What is managed identities for Azure resources?

After you deploy a Check Point Cluster, the automatic credentials can be found in Azure Portal > Resource groups > cluster_resource_group > Access control (IAM). There are two service principals for each Cluster Member, each with a Contributor role.

Important - When you use an existing VNet to deploy the solution, you must assign a Contributor role to the Cluster VNet resource group for each Cluster’s managed identity created by the deployment because they are not automatically assigned.

Creating Your Own Service Principal

See Create a Microsoft Entra application and service principal that can access resources.

Best Practice - We recommend that you set the key to never expire. Go to your resource.

Step 3: Set Up Internal Subnets and Route Tables

You can use the Azure portal or the CLI to add internal subnets. You will now add the Web and App subnets to your Virtual Network.

For each internal subnet, you have to create an Azure routing table with these UDRs:

Important - Associate the newly created routing table with the subnet to which it belongs.

If the subnet houses the Security Management Server that manages the Cluster Members, add these routes below as well. This allows the Security Management Server to communicate directly with each Cluster Member, without passing through the Active Cluster Member.

Step 4: Set Up Routes on Cluster Members to the Internal Subnets

Step 5: Configure Cluster Objects in SmartConsole

Step 6: Configure NAT Rules

To create new objects in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., see Creating Objects in SmartConsole

Step 7: Set Up the External Load Balancer in Azure

By default, the template you deploy creates an External Load Balancer, with the name frontend-lb, which faces the Internet.

The External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard Network Security Gateways.

Create the load balancing rules in the Azure portal to allow incoming connections:

  1. Go to External Load Balancer > Load balancing rules > Add.

  2. Click Add.

For more information, see Multiple Frontends for Azure Load Balancer. For an example, go to Step 9: Configure the Load Balancer to Listen on Multiple IP Addresses in Azure.

Step 8: Create Dynamic Object LocalGatewayExternal in SmartConsole

In SmartConsole, create the Dynamic object called LocalGatewayExternal.

This object represents the private Cluster Member's IP addresses.

You use this Dynamic object in the next step.

  1. In SmartConsole, click the Objects menu > Object Explorer.

  2. From the top toolbar, click New > Network Object > Dynamic Objects > Dynamic Object.

  3. In the Enter Object Name field, enter (case-sensitive):

    LocalGatewayExternal

  4. Click OK.

  5. Close the Object Explorer.

Step 9: Configure the Load Balancer to Listen on Multiple IP Addresses in Azure

Configure the Load Balancer to listen on additional public IP addresses. This setup is useful if you want the Security Gateway to secure multiple web applications, each with its own public IP address.

Configure the Load Balancer to listen on a second public IP address on TCP port 80, and then forward the traffic to the Check Point CloudGuard Security Gateway to TCP port 8083.

Configure Access Control Rule in SmartConsole

Load Balancer Conditions

The Active Cluster Member uses NAT to forward traffic that belongs to the two web applications, to the right web server.

NAT rules are defined with the special Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time..

The Dynamic object LocalGatewayExternal represents the private IP addresses of the external interface of Member 1 and Member 2.

For more information, see Step 8: Create Dynamic Object LocalGatewayExternal in SmartConsole.

No

Original
Source

Original
Destination

Original
Services

Translated
Source

Translated
Destination

Translated
Services

Install
On

1

All_Internet

LocalGatewayExternal

TCP 8081

= Original

s AppHost

https

Policy Targets

2

*All_Internet

LocalGatewayExternal

TCP 8083

= Original

s WebHost

http

Policy Targets

Note - When Floating IP is enabled, set Original Destination to be the External Load Balancer Frontend IP Address.

Step 10: Configure VPN

In SmartConsole, create a Network Group object to represent the encryption domain for the Cluster.

Step 11: Configure multiple VIP (optional)

Notes:

  • The multiple VIP feature is supported starting from image build number 1266. You can view the build number in /etc/cloud.version.json.

  • You can skip this section if you already deploy the environment using the “Number of Virtual IPs” template parameter. The Cluster is deployed with automatic multiple VIP configuration.