Overview of CloudGuard Network for Azure VMSS
Use this guide to:
-
Deploy a new Check Point VMSS for Microsoft Azure.
-
Configure an existing Check Point VMSS for Microsoft Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®., for templates 20180610 and above.
You can locate the template version on each CloudGuard instance in this file:
/etc/cloud-version
Introduction to Virtual Machine Scale Sets (VMSS)
Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage sets of identical Virtual Machines (VMs). The Scale Sets increase or decrease the number of Virtual Machines based on the current needs.
For example, multiple web servers server a web application. The web servers are deployed across multiple fault and update domains. A Load Balancer distributes network traffic across this group of web servers as needed.
In the current cyber-landscape, it is very important that you protect these environments from attackers with a security solution that is as scalable as the resources it protects. As the number of resources you protect scales up or down, the number of Security Gateways that provide protection has to scale as well.
Azure Autoscale is set up to increase or decrease the number of Check Point CloudGuard Network Security Security Gateways that protect your environment in the VMSS. A Check Point Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. manages these Check Point CloudGuard Security Gateways. The Check Point Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. can be located either in Azure, or on-premises.
See Azure documentation for information on the configuration of multiple Virtual Machines - Configure multiple virtual machines in an availability set for redundancy.
Prerequisites
Make sure you are familiar with these topics
Vendor |
Topics |
---|---|
Microsoft Azure |
|
Check Point |
|
Scale In and Scale Out Events
Each VMSS must define Scale In and Scale Out events.
You can edit or see the configuration in Azure Portal > VMSS > Scaling.
Default triggers for the firewall VMSS:
-
Scale Out on more than 80% CPU usage, for an average of five minutes.
-
Scale In on less than 60% CPU usage, for an average of five minutes.
Note - You can use CloudGuard Metrics as triggers for scale in and scale out events. For more information, see Additional Information.
Scale In
A scale in event occurs as a result of a decrease of the current load. When a scale in event triggers, Azure Autoscale designates one or more of the gateways as candidates for termination. The External Load Balancer stops forwarding new connections to these gateways, and Autoscale ends them. The Check Point Security Management Server detects that these CloudGuard Network Security Security Gateways are stopped and automatically deletes these gateways from its database.
Notes:
-
We recommend that you have at least two Security Gateways for redundancy and availability purposes.
-
To configure connection draining, where the load balancer stops assigning connections to a node, refer to sk170304.
Scale Out
A scale out event occurs, if the current load increases. When a scale out event is triggered:
-
Azure Autoscale launches one or more new instances of the Check Point CloudGuard Network Security Gateways.
-
The new instances of CloudGuard Network Security Gateways automatically runs the Check Point First Time Configuration Wizard and then reboot.
During the scale out, the Check Point Security Management Server detects that new instances of CloudGuard Network Security Gateways launched. The Security Management Server waits until the CloudGuard Network Security Gateways finish to deploy and then the Security Management Server automatically:
-
Initializes a Secure Internal Communication (SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) channel with these CloudGuard Network Security Gateways.
-
Installs a Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on these CloudGuard Network Security Gateways.
After a Security Policy is installed, these CloudGuard Network Security Gateways start to respond to health probes. The Load Balancer then starts to forward new connections to them. The newly created CloudGuard Network Security Gateways report their status and send logs to the Check Point Security Management Server.
Notes:
-
In case of scale out event, the latest available Check Point image is used to deploy the new Virtual Machine.
-
When you use the template version 20181017 or above:
-
Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. is used.
-
In case of scale out event, a newer Virtual Machine uses the latest available Check Point image.
For more information, see these SK articles:
-
CloudGuard for Azure Latest Updates - see sk132192
-
Blink - Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Fast Deployment - see sk120193
-
Components of the Check Point Deployed Solution
The diagram below depicts an Azure Virtual Network Environment of logically connected Virtual Machines. (VNET) with the Check Point solution deployed.
There are two backend subnets - WebApp1 and WebApp2.
WebApp1 and WebApp2 are each a user-deployed backend subnet. Each has its own load-balanced web server.
The Check Point deployed solution has these components:
-
Frontend subnet
-
Virtual Machine Scale Set (VMSS)
The number of instances that you can deploy in the Cloud is dynamic.
-
Internal Load Balancer
-
Backend subnet
-
External Load Balancer
-
Public IP address for each VMSS instance (optional)
-
You cannot deploy other VMs in the VMSS subnets
Load Balancers
In the diagram below you can see Load Balancers at three levels.
-
The Load Balancer at the first level is the External Load Balancer, where traffic comes in from the Internet.
-
The Load Balancer at the second level is the Internal Load Balancer of the Check Point deployed solution.
-
The Load Balancer at the third level (in this diagram there are two), is the Internal Load Balancer of the Web Servers.
Subnets with load balanced hosts (such as web servers), use the Load Balancers at the third level.
-
Standard - Both Load Balancers (this includes the ELB public IP address).
-
External Only - The Internal Load Balancer is not deployed.
-
Internal Only - The External Load Balancer (this includes its public IP) is not deployed. For outbound inspection, it is mandatory to deploy an External Load Balancer and, or instance level public IP addresses.
Network Diagram
Note - WebAppA and WebAppB routing tables have the same VNET address, but different subnet addresses.
1 |
Example 1 |
Frontend WebAppA:80 |
Backend port 8081 |
|
Example 2 |
Frontend WebAppB:80 |
Backend port 8083 |
2 |
Destination 10.0.0.0/16 |
Nexthop None (Drop) |
|
10.0.1.0/24 |
Virtual Network |
3 |
Destination 0.0.0.0/0 |
Nexthop None (Drop) |
4 |
Frontend |
Nexthop |
|
10.0.0.0/16 -VNET address |
10.0.2.4 -IP address of the Internal Load Balancer |
|
0.0.0.0/0 |
10.0.2.4 -IP address of the Internal Load Balancer |
|
10.0.2.0/24 |
Virtual Network |
|
10.0.3.0/24 (WebApp1) - Subnet address |
Virtual Network |
5 |
Frontend |
Nexthop |
|
10.0.0.0/16 -VNET address |
10.0.2.4 -IP address of the Internal Load Balancer |
|
0.0.0.0/0 |
10.0.2.4 -IP address of the Internal Load Balancer |
|
10.0.2.0/24 |
Virtual Network |
|
10.0.4.0/24 (WebApp2) - Subnet address |
Virtual Network |
6 |
WebAppA (subnet) load balanced VMSS WebAppB (subnet) load balanced VMSS |
For Site-2-Site VPN configuration between Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. High Availability, see the Check Point CloudGuard Network High Availability for Azure Administration Guide.