Traffic flows
North South Egress (V2I/B2I)
Traffic Flows:
-
VNET forwards traffic to ILB
Internal Load Balancer, used to load balance traffic in a virtual network -
ILB load balances to an instance of the active-active NVA
Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure. -
NVA instance does SNAT
Source Network Address Translation (Source NAT): from VNET private IP address to NVA NIC private IP address(To configure this in SmartConsole
Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. see Step 7: Set Routing Intent and Routing Policies) -
Azure platform does SNAT: from NVA NIC private IP address to NVA NIC public IP address
-
Forward the packet to the Internet
-
Returned traffic arrives to Public NIC IP address
-
Azure platform does SNAT: from NVA NIC public IP address to NVA NIC private IP address
-
NVA reverses the SNAT done on step 3 and forwards the packet to VNET
North South Ingress (I2V/I2B)
Traffic Flows:
-
Traffic arrives from Internet to SLB
Software Load Balancer, used to distribute tenant and tenant customer network traffic to virtual network resources. SLB enables multiple servers to host the same workload, providing high availability and scalability -
SLB load balances to one of the instances of the active-active NVA private NIC IP address
-
NVA instance does SNAT: from NVA NIC private IP address to Vnet NIC private IP address
Note: To configure the NAT in SmartConsole see Integrating CloudGuard Network Security NVA with Azure Virtual WAN > Configure NAT rules.
-
Forward the packet to the Vnet
-
Returned traffic arrives at the NVA private NIC IP address
-
NVA reverses the SNAT done on step 4 and forwards the packet back to the Internet
North South (B2V)
Traffic Flows:
-
On-premises sends traffic to Azure Gateway or SD-WAN
Software Defined – Wide Area Network (WAN), more information on this solution:
https://www.checkpoint.com/cyber-hub/network-security/what-is-sd-wan/ NVA -
Gateway forwards to ILB
-
ILB sends to NVA instance
-
NVA sends to VNET
-
VNET sends to ILB
-
ILB sends to NVA instance
-
NVA undoes SNAT and forwards to Gateway
-
Gateway forwards back to on-premises
North South (V2B)
Traffic Flows:
-
VNET to ILB
-
ILB sends traffic to a Firewall instance
-
NVA forwards to Gateway
-
Gateway forwards to on-premises
-
On-premises forwards to Gateway
-
Gateway forwards to ILB
-
ILB forwards to Firewall instance
-
Firewall sends to VNET
East-West (V2V)
Traffic Flows:
-
VNET1 sends traffic to ILB
-
ILB chooses one of active-active instances
-
NVA sends directly to destination (VNET2)
-
VNET2 sends traffic to ILB
-
ILB forwards traffic to appropriate NVA instance statefully
-
NVA sends traffic back to VNET1
East-West (V2V inter-hub, both hubs with Firewall NVA)
Traffic Flows:
-
VNET1 sends traffic to ILB
-
ILB chooses an active NVA instance
-
NVA sends to remote NVA ILB
-
ILB chooses an active NVA instance
-
NVA forwards directly to VNET 2
-
VNET 2 sends traffic to ILB
-
ILB sends to correct NVA instance
-
NVA sends to remote NVA ILB
-
ILB sends to correct NVA instance
-
NVA forwards directly to VNET
East-West (V2V one hub with Firewall)
Traffic Flows:
-
VNET sends traffic to ILB
-
ILB Sends traffic to one NVA instance
-
NVA forwards traffic to remote Router
-
Router forwards traffic to VNET
-
VNET forwards traffic Router
-
Router forwards to remote ILB
-
ILB forwards to correct NVA instance
-
NVA sends directly to VNET
East-West (B2B)
Traffic Flows:
-
On-premises sends traffic to Azure Gateway
-
Gateway forwards to ILB
-
ILB forwards to NVA instance
-
NVA forwards to Gateway
-
Gateway forwards to on-premises
-
On-premises sends replies to Gateway
-
Gateway forwards traffic to ILB
-
ILB sends to NVA instance
-
NVA Instance forwards to Gateway
-
Gateway forwards to on-premises
