Overview of Google Cloud Platform Autoscaling Managed Instance Group (MIG)

This document will guide you in deploying a new autoscaling Managed Instance Group (MIG) for the Google Cloud Platform (GCP) using the Check Point Management Server and Check Point Gateway. Before you begin, become familiar with the terms below:

  • Managed instance group (MIG) is a GCP Compute Engine resource that is a collection of VM instances managed as a single entity.

  • Autoscaling helps your applications effortlessly handle increases in traffic, while reducing cost when the need for resources is lower. Simply define the Autoscaling policy, and the autoscaler will perform automatic scaling based on the measured load.

A typical use case consists of a web application served by multiple web servers deployed across multiple zones. Normally, a Load Balancer distributes network traffic across this group of web servers. In contrast, autoscaling will increase or decrease the number of web servers according to the current load.

In the current cyber landscape, protecting these environments from attackers is absolutely critical. Any security solution used must be as scalable as the environment that it protects. In addition, it is important that as the number of protected resources scales up or down, so does the number of protecting gateways.

This document will direct you toward achieving these goals by using the Check Point CloudGuard Security Gateways. Specifically, this document guides you in deploying a new autoscaling Managed Instance Group (MIG) for a Google Cloud Platform (GCP).

Prerequisites

It is assumed that the reader is familiar with the following topics:

Vendor

Topic

GCP

  • GCP Managed Instance Groups (MIG)

  • GCP Autoscaling

  • GCP Load Balancers

  • GCP Identify & Access Management

  • GCP VPC Peering

 

Check Point

  • Check Point R80.30 and higher

  • CloudGuard for GCP

Background

Network Diagram

The diagram below depicts a Google Cloud Platform environment containing two VPCs (one external and one internal).

An External Load Balancer sends incoming traffic to a Check Point Autoscaling Managed Instance Group (MIG) residing on the external VPC. The gateways in the group inspect the traffic and, if allowed by policy, forward the traffic to an Internal Load Balancer. The Internal Load Balancer sends incoming traffic to a group of servers residing on even further internal network. GCP Autoscale is configured to increase or decrease the number of Check Point CloudGuard Security Gateways in the Managed Instance Group (MIG).

The Check Point CloudGuard Security Gateways are managed by a Check Point Management Server. The Management Server can be located either in the GCP, or on-premises.

Scale Out

A scale out event can occur if the current load increases.

When a scale out event is triggered, the following occurs:

  1. GCP Autoscale launches one or more new instances of the Check Point CloudGuard Security Gateway.

  2. The new instances automatically configure themselves and stand ready.

In the meantime, the Check Point Management Server detects that new Check Point instances have been launched. It waits until the CloudGuard Security Gateways have finalized configuration, and then automatically does the following:

  1. Initializes a Secure Internal Communication (SIC) channel with the detected Check Point instances.

  2. Installs a Security Policy on the detected Check Point instances.

Note - In the Security Gateways and Management Servers for R81.10 and higher, the gateways answer the health check probes automatically in port 8117 after CME configuration. The Load Balancer then starts to forward new connections to the detected Check Point instances. The newly created CloudGuard Security Gateways report their status and send logs to the Check Point Management Server.

Scale In

A scale in event can occur as a result of a decrease in the current load. When a scale in event is triggered, the GCP Autoscale designates one or more of the gateways as candidates for termination. The External Load Balancer stops forwarding new connections to these gateways, which are later terminated by Autoscale. The Check Point Management Server detects that these CloudGuard Security Gateways have been terminated and automatically deletes them from its database.

Note:

It is recommended to have at least two Security Gateways for redundancy and availability.