Configure Load Balancers in Cloud Firewall for Azure VMSS

Network Diagram

Load Balancers Overview

On the diagram above, you can see Load Balancers at three levels.

  • The Load Balancer at the first level is the External Load Balancer, where traffic comes in from the Internet.

  • The Load Balancer at the second level is the Internal Load Balancer of the Check Point deployed solution.

  • The Load Balancer at the third level (in this diagram there are two), is the Internal Load Balancer of the Web Servers.

    Subnets with load balanced hosts (such as web servers), use the Load Balancers at the third level.

  • Standard - Both Load Balancers (this includes the ELB public IP address).

  • External Only - The Internal Load Balancer is not deployed.

  • Internal Only - The External Load Balancer (this includes its public IP) is not deployed. For outbound inspection, it is mandatory to deploy an External Load Balancer and, or instance level public IP addresses.

User Defined Routes

Route

Destination

Nexthop

Route Purpose

East-West

Entire VNET

Virtual appliance -

Internal Load Balancer's private IP address

Inspects all traffic that goes to other subnets in the VNET.

Note - You can replace this one route for the entire VNET with multiple specific subnet routes.

Outbound

0.0.0.0/0

Virtual appliance -

Internal Load Balancer's private IP address

Inspects outbound traffic.

Note - The destination address has not been identified by any instance during any route (such as inbound). Therefore, it is subject to inspection by the Check Point Cloud Firewall Gateway instances in the VNET.

Inbound

VMSS backend subnet

Virtual NetworkClosed Environment of logically connected Virtual Machines.

Sends inbound reply traffic to the original Cloud Firewall Gateway instance to enable inspection.

Note - This enables the inbound traffic to go back to the Cloud Firewall Gateway that is involved in the inspection.

Intra-subnet

Subnet itself

Virtual Network

Sends in-subnet traffic directly to its destination without inspection by a Cloud Firewall Gateway. There is no micro-segmentation.

If the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. is in the VNET, make sure to have specific routes to allow traffic between the Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. Virtual Machine and the VMSS instances.

Routing Tables

Note - WebAppA and WebAppB routing tables have the same VNET address, but different subnet addresses.

1

Example 1

Frontend

WebAppA:80

Backend port

8081

 

Example 2

Frontend

WebAppB:80

Backend port

8083

2

Destination

10.0.0.0/16

Nexthop

None (Drop)

 

10.0.1.0/24

Virtual Network

3

Destination

0.0.0.0/0

Nexthop

None (Drop)

4

Frontend

Nexthop

 

10.0.0.0/16 -VNET address

10.0.2.4 -IP address of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP address of the Internal Load Balancer

 

10.0.2.0/24

Virtual Network

 

10.0.3.0/24 (WebApp1) - Subnet address

Virtual Network

5

Frontend

Nexthop

 

10.0.0.0/16 -VNET address

10.0.2.4 -IP address of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP address of the Internal Load Balancer

 

10.0.2.0/24

Virtual Network

 

10.0.4.0/24 (WebApp2) - Subnet address

Virtual Network

6

WebAppA (subnet) load balanced VMSS

WebAppB (subnet) load balanced VMSS

For the Site-to-Site VPN configuration between ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. High Availability, see the Check Point Cloud Firewall High Availability for Azure Administration Guide.

Configuring the Load Balancer to Listen on Additional Ports

Step

Description

1

Go to the Azure portal.

2

Find the External Load Balancer.

The Load Balancer is in your Resource Group.

The Load Balancer name is frontend-lb

3

Configure a new Load Balancing RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

  1. From the Load Balancing Rules> Add.

  2. Give the rule a name.

    Example:

    vmss-app-1-tcp-443

  3. In the Frontend IP address field, select the pre-existing Frontend IP address.

  4. In the Protocol field, select TCP.

  5. In the Port field, select 443.

  6. In the Backend port field, select a high port.

    Note - These ports cannot be used: Ports defined in sk52421 (ports used by Check Point software), 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports), 444, 8082, and 8880.

  7. In the Backend pool field, select the pre-existing VMSS pool.

  8. In the Health probe, select the health probe.

    This is the probe that was created by default by the template (TCP, port 8117).

  9. Select the Session persistence.

  10. Set the Idle timeout.

  11. In the Floating IP field, use the same value used in Deploy the Load Balancer with floating IP from step 5.

  12. Click Add.

Configuring the Load Balancer to Listen on Additional Public IP Addresses

You can configure the VMSS to secure multiple web applications, each with its own IP address.

Step

Description

1

Go to the Azure portal.

2

Find the External Load Balancer.

The Load Balancer is in your Resource Group.

The Load Balancer name is frontend-lb

3

In the Azure portal, allocate a new public IP address.

  1. In the pane Go to Public IP addresses > Click Create.

  2. Add name of the IP. (For example: name-public-https)

  3. Resource group - put group of the VMSS.

  4. Click Create.

4

Configure the Frontend IP pool.

  1. Go to the Load Balancer.

  2. Click Frontend IP configuration > Add.

  3. Give the IP pool a name.

    Example:

    vmss-app-2

  4. Select the public IP address you created in Step 3.

  5. Click OK.

5

Configure a new Load Balancing Rule:

  1. Click Load Balancing Rules > Add.

  2. Give the rule a name.

    Example,

    vmss-app-2-tcp-80

  3. In the Frontend IP address field, select the newly created Frontend IP address.

  4. In the Protocol field, select TCP.

  5. In the Port field, select 80.

  6. In the Backend port field, select 8083.

  7. In the Backend pool field, select the pre-existing VMSS pool.

  8. In the Health probe field, select the health probe.

    This is the probe that was created by default by the template (TCP, port 8117).

  9. Select the Session persistence.

  10. Set the Idle timeout.

  11. In the Floating IP field, use the same value used in Deploy the Load Balancer with floating IP from step 5.

  12. Click Add