Scaling In and Scaling Out in Cloud Firewall for Azure VMSS

Azure Autoscale adjusts the number of Cloud Firewall Gateways in the VMSS based on the traffic load.

It uses two main events:

  • Scale Out: Adds Cloud Firewall Gateways to the VMSS when the traffic load increases.

  • Scale In: Removes Cloud Firewall Gateways from the VMSS when the traffic load decreases.

To view or edit Azure Autoscale settings, go to Azure Portal > VMSS > Scaling. (For more information, see Autoscale Settings.)

Default Cloud Firewall Gateway CPU thresholds to trigger autoscaling events:

  • Scale Out: Triggers at 80% CPU use (5-minute average).

  • Scale In: Triggers at 60% CPU use (5-minute average).

Note - You can use Cloud Firewall metrics as triggers for scale-in and scale-out events. For more information, see To configure Cloud Firewall metrics for the Azure Portal.

Scale Out

When a scale-out event triggers:

  1. Azure Autoscale launches new Cloud Firewall Gateways.

  2. New Cloud Firewall Gateways automatically run the First Time Configuration Wizard and reboot.

  3. The Security Management Server:

    1. Detects new Cloud Firewall Gateway instances.

    2. Creates a Secure Internal Communication (SIC) channel with these Cloud Firewall Gateway instances.

    3. Installs a Security Policy on each new Cloud Firewall Gateway.

  4. The External Load Balancer starts sending traffic to these new Cloud Firewall Gateways.

Note - New Cloud Firewall Gateways report their status and send logs to the Security Management Server.

Notes:

  1. In the case of a scale-out event, the latest available Check Point image (the most recent build within the same major version of Cloud Firewall for Azure VMSS) is used to deploy the new Virtual Machine.

  2. Check Point recommends using the latest image for the best security and performance, but you can deploy a specific version of Azure image using this guide for reference.

  3. When you use the template version 20181017 or above:

    1. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator are used.

    2. In the case of a scale-out event, a newer Virtual Machine uses the latest available Check Point image.

    For more information, see these SK articles:

Scale In

When a scale-in event triggers:

  1. Azure Autoscale marks one or more Cloud Firewall Gateways as candidates for termination.

  2. The External Load Balancer stops sending traffic to marked Cloud Firewall Gateways.

  3. Azure Autoscale terminates marked Cloud Firewall Gateways.

  4. The Security Management Server removes terminated Cloud Firewall Gateways from its database.

Important - Keep at least two Cloud Firewall Gateways (one in each Availability Zone) running for redundancy and availability.

Note - To configure connection draining (when the load balancer stops assigning connections to a node), refer to sk170304.

Testing Scale-In and Scale-Out Processes

The initial solution deployment process includes these steps:

  1. When the Check Point Cloud Firewall for Azure VMSS solution is deployed, it creates Cloud Firewall Gateways.

  2. Each new Cloud Firewall Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.

  3. After configuration completes, the Security Management Server automatically installs the Security Policy on these Cloud Firewall Gateways.

  4. To verify deployment success, use SmartConsole to:

    • Confirm the Security Policy installation.

    • Verify log generation and transmission by Cloud Firewall Gateways.

Autoscale Settings

Azure Autoscale manages all scale-in and scale-out events. Go to the Azure portal for an overview of Azure Autoscale.

Azure Autoscale default settings:

  1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.

  2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.

Note - After Cloud Firewall metrics are enabled, you can use them to trigger scale-in and scale-out events.

To configure Cloud Firewall metrics for the Azure Portal:

  1. Go to the Azure Portal.

  2. From the Azure portal, navigate to the VMSS Resource Group > Virtual machine scale set resource > Scaling Policy tab.

  3. In the current Scale Policy profile (the Default one), remove the existing scale-out and scale-in rules: click each rule and select Delete.

  4. Add a Scale Out rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • In the checkbox, select Enable metric divide by instance count.

    • In the Operator field, select Greater than.

    • In the Operation field, select Increase count by.

    • In the Instance count field, enter 1.

    • Click Update.

  5. Add a Scale In rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • In the checkbox, select Enable metric divide by instance count.

    • In the Operator field, select Less than or equal to.

    • In the Operation field, select Decrease count by.

    • In the Instance count field, enter 1.

    • Click Update.

  6. Save the updated Auto Scaling policy.
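The same scale-out and scale-in rules from the procedure above, written as an Azure Resource Manager (Bicep) definition for use where the page suggests the CLI or Resource Manager instead of the portal; this is an added example, not part of the original documentation or of a Check Point template. The metric name and namespace are the portal values shown in the steps; vmssName, the maximum instance count, the 5-minute cooldown and both thresholds are assumed, because the page gives no threshold for the RA-peers metric.

```bicep
// Added example (not a Check Point template): autoscale rules on the cloudguard metric.
// Assumed values: vmssName, the maximum count of 10, the PT5M cooldown and both thresholds.
param vmssName string
param location string = resourceGroup().location
param scaleOutThreshold int = 100 // assumed: RA peers per gateway that triggers scale out
param scaleInThreshold int = 40   // assumed: RA peers per gateway at or below which to scale in
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-03-01' existing = {
  name: vmssName
}
// Trigger shape shared by both rules: cloudguard namespace, 5-minute average of
// 1-minute samples, divided by instance count ("Enable metric divide by instance count").
var trigger = {
  metricName: 'IPsec number of VPN-1 RA peers' // display name from the portal procedure
  metricNamespace: 'cloudguard'
  metricResourceUri: vmss.id
  timeGrain: 'PT1M'
  statistic: 'Average'
  timeWindow: 'PT5M'
  timeAggregation: 'Average'
  dividePerInstance: true
}
resource autoscale 'Microsoft.Insights/autoscalesettings@2022-10-01' = {
  name: '${vmssName}-autoscale'
  location: location
  properties: {
    enabled: true
    targetResourceUri: vmss.id
    profiles: [
      {
        name: 'Default'
        // minimum 2 keeps one gateway in each Availability Zone for redundancy
        capacity: { minimum: '2', maximum: '10', default: '2' }
        rules: [
          {
            metricTrigger: union(trigger, { operator: 'GreaterThan', threshold: scaleOutThreshold })
            scaleAction: { direction: 'Increase', type: 'ChangeCount', value: '1', cooldown: 'PT5M' }
          }
          {
            metricTrigger: union(trigger, { operator: 'LessThanOrEqual', threshold: scaleInThreshold })
            scaleAction: { direction: 'Decrease', type: 'ChangeCount', value: '1', cooldown: 'PT5M' }
          }
        ]
      }
    ]
    // scale events notify the subscription administrator by e-mail
    notifications: [ { operation: 'Scale', email: { sendToSubscriptionAdministrator: true } } ]
  }
}
```

Deploy it with `az deployment group create` into the VMSS resource group; the Scaling blade then shows the two rules exactly as the portal steps above would have created them.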

Azure sends an email alert for each scaling event and keeps the number of Virtual Machines in the VMSS within the minimum and maximum defined by the template.

Make sure to confirm that the settings you need appear on the primary Azure portal. If a setting is not available, use the CLI or the Azure Resource Manager to change it. See the Azure Resource Manager.