Getting Started with CloudGuard Network for AWS


Before you use this solution, you must be familiar with these AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. terms and services:

  • Amazon EC2

  • Amazon VPC

  • AWS CloudFormation


  • AWS Transit Gateway

If you are new to AWS, see Getting Started with AWS.


AWS Transit Gateway (TGW) is an Amazon Web service that connects multiple Virtual Private Clouds (VPCs) to a single gateway. TGW provides a single connection from the central gateway to each Amazon VPC, on-premises data center, or remote office across the network. Unlike traditional AWS peering, TGW traffic flows between VPCs without the need for data to pass through the public internet.

TGW acts as a hub to route traffic on all connected networks. The hub and spoke model simplify VPC management and reduces operation costs. Each network only needs to connect to the TGW to communicate with other networks. When new VPCs connect to the TGW, they are immediately visible to other networks. This ease of connectivity simplifies network scaling and data transmission.

CloudGuard Network Security supports AWS TGW. It offers end-to-end protection for enterprise workloads located in AWS VPCs. CloudGuard protects services in the public cloud from sophisticated threats, and unauthorized access and prevents later Denial of Service (DoS) attacks. On the micro-level, CloudGuard Network Security inspects data that enters and leaves the private subnet in the AWS VPC to prevent attacks and mitigate data loss or leakage.

This guide explains how to deploy Check Point's CloudGuard Network Cross AZ ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. in AWS, specifically in AWS's Transit Gateway High Availability solution.

AWS Transit Gateway with CloudGuard Network Security:

  • Simplifies VPC connections.

  • Provides a security cluster which synchronizes connections, prevents interruptions in case of failure, and uses the full 50 Gb/s network throughput.

  • Easy to deploy through the use of a CloudFormation template, part of the Check Point Cloud Security Blue Print.

Highlights of Check Point's CloudGuard for AWS Transit Gateway High Availability:

Costs and Licenses

You are responsible for the cost of the AWS services used when you deploy the solution as described in this guide.

The AWS CloudFormation template for the Security VPC includes parameters that you can configure. Some of these settings, such as instance type, affect the cost of deployment. For estimated costs, see the AWS pricing calculator.

This Transit VPC Transit Gateway (TGW) solution uses Amazon Machine Images (AMIs) from the AWS Marketplace. You must subscribe to Check Point CloudGuard in the AWS Marketplace before you can start the deployment.

You need a license for all Check Point CloudGuard Security Gateways, Check Point CloudGuard Security Management Server, and AWS CloudFormation templates described in this guide must have a license. These are the licensing options:

  • Pay As You Go (PAYG)

  • Bring Your Own License (BYOL)

To buy BYOL licenses, contact Check Point Sales.


Cross AZ Cluster has two types of architecture for Check Point CloudGuard Network AWS:

Cross AZ Cluster with Transit Gateway

Cross AZ Cluster without Transit Gateway

The end-to-end solution includes:

  • Security VPC with the CloudGuard Network Cross AZ Cluster members deployed in different Availability Zones.

  • Sync between the Cross AZ Cluster members.

  • Public routing tables associated with public subnets.

  • Private routing table associated with the private subnets with a default route to the Active member private interface (eth1).

  • Ingress routing integration:

    The routing table associated with the IGW contains routes to private subnets trough the Active member public interface (eth0).

  • Transit Gateway architecture includes:

    • TGW routing table related to the TGW subnets with a default route to the Active member public interface (eth0).

    • VPC attachment for the Security VPC to AWS Transit Gateway, attachments with TGW subnets.

    • Spoke (Consumer) VPCs attached to the AWS TGW.

Security Policy

A Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. package is a collection of different types of policies enforced after you install the policy on the Security Gateways.

A policy package can have one or more of these policy types:

The Standard policy package is the default Security Policy defined in a newly deployed Security Management Server. Each policy package has a default cleanup ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that drops all traffic.