Deploying CloudGuard Network Cross AZ Cluster with multiple VIPs
To protect multiple web-facing servers or applications, you can use a separate Cluster Virtual IP address (VIP) for each server or application. To do this, add more private secondary IP addresses to the Cross AZ Cluster Members. Then associate a new Elastic IP address with the new private secondary IP address on the active Cluster Member.
To add a new secondary private IP address and Elastic IP address, do these steps:
-
Assign a secondary private IPv4 address to an external interface on the two Cluster members.
-
Allocate a new Elastic IP address and associate it with the secondary private IP address on the active Cluster Member.
-
Connect with SSH to each Cluster Member.
-
Create an alias interface for the private and public IP addresses of each new VIP on the two members:
add interface eth0 alias <private VIP>/<Mask Length>
add interface eth0 alias <public VIP>/<Mask Length>
Use the command
show interface eth0 aliases
to make sure that the alias interfaces are configured correctly. The private IP address of the VIP differs between the members (each member is in its own subnet), but the public IP address must be the same on both. Make sure to add both alias interfaces on each Cluster Member.
-
From Expert mode, run:
python3 $FWDIR/scripts/aws_ha_cli.py restart
During the restart, the Cluster daemon:
-
Creates a map of secondary private IP address pairs and associated Elastic IP addresses. This map is stored in the file: $FWDIR/conf/aws_cross_az_cluster.json.
-
Creates a dynamic object for each private IP address pair. You can use this dynamic object for inbound protection (see the "Configuring Inbound Protection" chapter for more information).
The dynamic object name follows this format:
LocalGatewayExternal-<ASSOCIATED ELASTIC IP>
For example, if the Elastic IP address associated with an IP address pair is 1.2.3.4, the dynamic object name is:
LocalGatewayExternal-1.2.3.4
Note - To create a dynamic object and a NAT rule in SmartConsole, see steps 2.e - 2.h in the "Configuring Inbound Protection" chapter, "Using NAT on the Cluster" topic.
-
To make sure that all secondary private IP addresses and associated Elastic IP addresses exist in the Cross AZ Cluster map file, run:
python3 $FWDIR/scripts/aws_ha_conf.py show
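Added example, not Check Point's or AWS's own code: a shell script that runs the procedure above end to end for one extra VIP, using the AWS CLI for the secondary IP and Elastic IP steps and Gaia clish over SSH for the alias, restart and show steps, and that refuses to start when the two private VIPs are not two distinct valid IPv4 addresses. The ENI IDs, management addresses, subnet mask lengths, SSH user and script name are assumptions. It goes beyond the page in two places: it runs save config after adding the aliases so they survive a reboot, and it restarts the Cluster daemon on both members.

```shell
#!/bin/sh
# Added example, not Check Point's or AWS's own tooling. Assumes: the AWS CLI
# is configured for the cluster's account and region; the external ENI IDs,
# external subnet mask lengths and management addresses of both members are
# known; SSH lands in Expert mode (bash) so that clish -c and $FWDIR work.
# All resource IDs and addresses below are hypothetical placeholders.
set -eu

MEMBER_A_ENI="eni-0aaaaaaaaaaaaaaaa"   # external ENI of the member in AZ a (placeholder)
MEMBER_B_ENI="eni-0bbbbbbbbbbbbbbbb"   # external ENI of the member in AZ b (placeholder)
MEMBER_A_HOST="10.0.0.10"              # management address of member A (placeholder)
MEMBER_B_HOST="10.0.10.10"             # management address of member B (placeholder)
ACTIVE_ENI="$MEMBER_A_ENI"             # the EIP is associated on the active member only
PRIV_MASK_A=24                          # mask length of member A's external subnet (assumed)
PRIV_MASK_B=24                          # mask length of member B's external subnet (assumed)
PUB_MASK=32                             # the EIP alias is a single host address (assumed)
SSH_USER="admin"                        # Gaia user whose shell is Expert mode (assumed)

# Four dot-separated decimal octets, each in 0..255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# The private VIP must be a valid address on each member and must differ between
# them (each member sits in its own AZ and subnet); the public VIP is shared.
validate_private_pair() {
  is_ipv4 "$1" && is_ipv4 "$2" || return 1
  [ "$1" != "$2" ] || return 1
}

# Name of the dynamic object the Cluster daemon creates for the pair.
dynobj_name() { printf 'LocalGatewayExternal-%s\n' "$1"; }

# Gaia clish commands for one member: private alias, shared public alias, then
# save config so the aliases survive a reboot (not on the page; added here).
gaia_alias_cmds() {
  printf 'add interface eth0 alias %s/%s\n' "$1" "$2"
  printf 'add interface eth0 alias %s/%s\n' "$3" "$PUB_MASK"
  printf 'save config\n'
}

# Secondary private IP on both external ENIs, then a new EIP associated with the
# secondary IP of the active member. Prints the allocated public IP.
provision_eip() {
  priv_a=$1; priv_b=$2
  aws ec2 assign-private-ip-addresses --network-interface-id "$MEMBER_A_ENI" \
      --private-ip-addresses "$priv_a" >/dev/null
  aws ec2 assign-private-ip-addresses --network-interface-id "$MEMBER_B_ENI" \
      --private-ip-addresses "$priv_b" >/dev/null
  alloc=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  active_priv=$priv_a
  [ "$ACTIVE_ENI" = "$MEMBER_B_ENI" ] && active_priv=$priv_b
  aws ec2 associate-address --allocation-id "$alloc" --network-interface-id "$ACTIVE_ENI" \
      --private-ip-address "$active_priv" >/dev/null
  aws ec2 describe-addresses --allocation-ids "$alloc" --query 'Addresses[0].PublicIp' --output text
}

# On one member: add both aliases (ssh -n so ssh does not eat the piped
# commands), then show them for a visual check.
configure_member() {
  host=$1
  gaia_alias_cmds "$2" "$3" "$4" | while IFS= read -r cmd; do
    ssh -n "$SSH_USER@$host" "clish -c \"$cmd\""
  done
  ssh -n "$SSH_USER@$host" 'clish -c "show interface eth0 aliases"'
}

main() {
  priv_a=$1; priv_b=$2
  validate_private_pair "$priv_a" "$priv_b" || {
    echo "private VIPs must be valid IPv4 addresses and differ per member" >&2; return 1; }
  pub=$(provision_eip "$priv_a" "$priv_b")
  is_ipv4 "$pub" || { echo "unexpected EIP value: $pub" >&2; return 1; }
  configure_member "$MEMBER_A_HOST" "$priv_a" "$PRIV_MASK_A" "$pub"
  configure_member "$MEMBER_B_HOST" "$priv_b" "$PRIV_MASK_B" "$pub"
  # Restart the Cluster daemon on each member (assumed), then confirm the new
  # pair and its EIP appear in the map file.
  for host in "$MEMBER_A_HOST" "$MEMBER_B_HOST"; do
    ssh -n "$SSH_USER@$host" 'python3 $FWDIR/scripts/aws_ha_cli.py restart'
  done
  ssh -n "$SSH_USER@$MEMBER_A_HOST" 'python3 $FWDIR/scripts/aws_ha_conf.py show'
  echo "dynamic object for the inbound NAT rule: $(dynobj_name "$pub")"
}

# Usage: sh add_vip.sh apply <private VIP on member A> <private VIP on member B>
if [ "${1:-}" = "apply" ]; then main "$2" "$3"; fi
```

The validation runs before any AWS call is made, because the only recoverable point is before the secondary IPs exist: once the private addresses are assigned and the EIP is associated, an inconsistent pair would be picked up by the Cluster daemon on restart and written into the map file, which the notes below say must not be edited by hand.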
Notes:
-
The private secondary IP address pairs remain consistent and do not change after Cluster failover or Cluster daemon restart.
-
Do not manually change the $FWDIR/conf/aws_cross_az_cluster.json file. A manual change can cause a Cross AZ Cluster failover to fail.
-
The maximum number of secondary IP addresses you can add depends on the instance type.
You can increase the instance size to add more secondary IP addresses. See AWS secondary IP addresses limit per instance size for more information.