Traffic flows in Cloud Firewall NVA for Azure Virtual WAN

North-South Egress (V2I/B2I)

Traffic Flows:

  1. VNET forwards traffic to ILBClosed Internal Load Balancer, used to load balance traffic in a virtual network.

  2. ILB load-balances to an instance of the active-active NVAClosed Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure..

  3. NVA instance does SNATClosed Source Network Address Translation (Source NAT).: from the VNET private IP address to the NVA NIC private IP address.

    (To configure this in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., see Step 7: Set Routing Intent and Routing Policies).

  4. Azure platform does SNAT: from the NVA NIC private IP address to the NVA NIC public IP address.

  5. Forward the packet to the Internet.

  6. Returned traffic arrives to the Public NIC IP address.

  7. Azure platform does SNAT: from the NVA NIC public IP address to the NVA NIC private IP address.

  8. NVA reverses the SNAT done on step 3 and forwards the packet to VNET.

North-South Ingress (I2V/I2B)

Traffic Flows:

  1. Traffic arrives from the Internet to the SLBClosed Software Load Balancer, used to distribute tenant and tenant customer network traffic to virtual network resources. SLB enables multiple servers to host the same workload, providing high availability and scalability.

  2. The SLB load-balances to one of the instances of the active-active NVA private NIC IP address.

  3. The NVA instance does SNAT: from the NVA NIC private IP address to the Vnet NIC private IP address.

    Note: To configure the NAT in SmartConsole, see Integrating Cloud Firewall Security NVA with Azure Virtual WAN > Configure NAT rules.

  4. The NVA instance forwards the packet to the VNET.

  5. Returned traffic arrives at the NVA private NIC IP address.

  6. The NVA reverses the SNAT done on step 4 and forwards the packet back to the Internet.

North-South (B2V)

Traffic Flows:

  1. On-premises sends traffic to the Azure gateway or SD-WANClosed Software Defined – Wide Area Network (WAN), more information on this solution: https://www.checkpoint.com/cyber-hub/network-security/what-is-sd-wan/ NVA.

  2. The gateway forwards to the ILB.

  3. The ILB sends to the NVA instance.

  4. The NVA sends to the VNET.

  5. The VNET sends to the ILB.

  6. The ILB sends to the NVA instance.

  7. The NVA undoes SNAT and forwards to the gateway.

  8. The gateway forwards back to on-premises.

North-South (V2B)

Traffic Flows:

  1. The VNET sends traffic to the ILB.

  2. The ILB sends traffic to a Firewall instance.

  3. The NVA forwards to the gateway.

  4. The gateway forwards to on-premises.

  5. On-premises forwards to the gateway.

  6. The gateway forwards to the ILB.

  7. The ILB forwards to the Firewall instance.

  8. The Firewall sends traffic to the VNET.

East-West (V2V)

Traffic Flows:

  1. The VNET1 sends traffic to the ILB.

  2. The ILB chooses the one of active-active instances.

  3. The NVA sends directly to the destination (VNET2).

  4. The VNET2 sends traffic to the ILB.

  5. The ILB forwards traffic to the appropriate NVA instance statefully.

  6. The NVA sends traffic back to the VNET1.

East-West (V2V inter-hub, both hubs with Firewall NVA)

Traffic Flows:

  1. The VNET1 sends traffic to The ILB.

  2. The ILB chooses an active NVA instance.

  3. The NVA sends to the remote NVA ILB.

  4. The ILB chooses an active NVA instance.

  5. The NVA forwards directly to the VNET 2.

  6. The VNET 2 sends traffic to the ILB.

  7. The ILB sends to the correct NVA instance.

  8. The NVA sends to the remote NVA ILB.

  9. The ILB sends to the correct NVA instance.

  10. The NVA forwards directly to the VNET.

East-West (V2V one hub with Firewall)

Traffic Flows:

  1. The VNET sends traffic to the ILB.

  2. The ILB sends traffic to one NVA instance.

  3. The NVA forwards traffic to the remote Router.

  4. The Router forwards traffic to the VNET.

  5. The VNET forwards traffic to the Router.

  6. The Router forwards to the remote ILB.

  7. The ILB forwards to the correct NVA instance.

  8. The NVA sends directly to the VNET.

East-West (B2B)

Traffic Flows:

  1. On-premises sends traffic to the Azure Gateway.

  2. The Gateway forwards to the ILB.

  3. The ILB forwards to the NVA instance.

  4. The NVA forwards to the Gateway.

  5. The Gateway forwards to on-premises.

  6. On-premises sends replies to the Gateway.

  7. The Gateway forwards traffic to the ILB.

  8. The ILB sends to the NVA instance.

  9. The NVA Instance forwards to the Gateway.

  10. The Gateway forwards to on-premises.