Overview of CloudGuard Network for Azure VMSS

Use this guide to:

Note - For the list of supported versions, refer to the Support Life Cycle Policy.

Licensing

Check Point CloudGuard Security Gateways and Check Point CloudGuard Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. must have a license.

There are two licensing options:

  • Pay As You Go (PAYG)

  • Bring Your Own License (BYOL)

Because the number of Security Gateways in VMSS can increase and decrease over time, we recommend that you use Security Gateways with the Pay As You Go (PAYG) license model. For the list of countries, see sk109360.

You can use the Check Point VMSS for Microsoft Azure solution template to launch BYOL Security Gateways.

To buy BYOL licenses, contact Check Point Sales.

For more information about licensing, see the CloudGuard Network Central License Management Utility guide.


Important - A VMSS with a mixture of BYOL and PAYG Security Gateways is not supported. All Security Gateways in a Scale Set must use the same payment plan, either PAYG or BYOL.

Introduction to Virtual Machine Scale Sets (VMSS)

Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage sets of identical Virtual Machines (VMs). The Scale Sets increase or decrease the number of Virtual Machines based on the current needs.

For example, multiple web servers server a web application. The web servers are deployed across multiple fault and update domains. A Load Balancer distributes network traffic across this group of web servers as needed.

In the current cyber-landscape, it is very important that you protect these environments from attackers with a security solution that is as scalable as the resources it protects. As the number of resources you protect scales up or down, the number of Security Gateways that provide protection has to scale as well.

Azure Autoscale is set up to increase or decrease the number of Check Point CloudGuard Network Security Gateways that protect your environment in the VMSS. A Check Point Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. manages these Security Gateways. The Security Management Server can be located either in Azure, or on-premises.

See Azure documentation for information on the configuration of multiple Virtual Machines - Configure multiple virtual machines in an availability set for redundancy.

Prerequisites

Make sure you are familiar with these topics:

Vendor

Topics

Microsoft Azure

  • VMSS

  • Autoscaling

  • Load Balancers

    • High Availability ports

  • Identity and Access Management

Check Point

  • Check Point

  • Check Point with Azure

Components of the Check Point Deployed Solution

The diagram below depicts an Azure Virtual NetworkClosed Environment of logically connected Virtual Machines. (VNET) with the Check Point solution deployed.

There are two backend subnets - WebApp1 and WebApp2.

WebApp1 and WebApp2 are each a user-deployed backend subnet. Each has its own load-balanced web server.

The Check Point deployed solution has these components:

  • Frontend subnet

  • Virtual Machine Scale Set (VMSS)

    The number of instances that you can deploy in the Cloud is dynamic.

  • Internal Load Balancer

  • Backend subnet

  • External Load Balancer

  • Public IP address for each VMSS instance (optional)

  • You cannot deploy other VMs in the VMSS subnets