Scaling In and Scaling Out in CloudGuard Network for Azure VMSS

Azure Autoscale adjusts the number of CloudGuard Network Security Gateways in the VMSS based on the traffic load.

It uses two main events:

  • Scale Out: Adds Security Gateways to the VMSS when the traffic load increases.

  • Scale In: Removes Security Gateways from the VMSS when the traffic load decreases.

To view or edit Azure Autoscale settings, go to Azure Portal > VMSS> Scaling. (For more information, see Autoscale Settings.)

Default Security Gateway CPU thresholds that trigger autoscaling events:

  • Scale Out: Triggers at 80% CPU use (5-minute average).

  • Scale In: Triggers at 60% CPU use (5-minute average).

Note - You can use CloudGuard Metrics as triggers for scale-in and scale-out events. For more information, see To configure CloudGuard metrics for the Azure Portal.

Scale Out

When a scale-out event triggers:

  1. Azure Autoscale launches new Security Gateways.

  2. New Security Gateways automatically run the First Time Configuration Wizard and reboot.

  3. The Security Management Server:

    1. Detects new Security Gateway instances.

    2. Creates a Secure Internal Communication (SIC) channel with these Security Gateway instances.

    3. Installs a Security Policy on each new Security Gateway.

  4. The External Load Balancer starts sending traffic to these new Security Gateways.

Note - New Security Gateways report their status and send logs to the Security Management Server.

Notes:

  1. In the case of a scale-out event, the latest available Check Point image is used to deploy the new Virtual Machine.

  2. When you use the template version 20181017 or above:

    1. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator are used.

    2. In the case of a scale-out event, the new Virtual Machine uses the latest available Check Point image.

    For more information, see these SK articles:

Scale In

When a scale-in event triggers:

  1. Azure Autoscale marks one or more Security Gateways as candidates for termination.

  2. The External Load Balancer stops sending traffic to marked Security Gateways.

  3. Azure Autoscale terminates marked Security Gateways.

  4. The Security Management Server removes terminated Security Gateways from its database.

Important - Keep at least two Security Gateways (one in each Availability Zone) running for redundancy and availability.

Note - To configure connection draining (when the load balancer stops assigning connections to a node), refer to sk170304.

Testing Scale-In and Scale-Out Processes

The initial solution deployment process includes these steps:

  1. When the Check Point CloudGuard Network for Azure VMSS solution is deployed, it creates CloudGuard Network Security Gateways.

  2. Each new Security Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.

  3. After configuration completes, the Security Management Server automatically installs the Security Policy on these Security Gateways.

  4. To verify deployment success, use SmartConsole to:

    • Confirm the Security Policy installation.

    • Verify log generation and transmission by Security Gateways.

Autoscale Settings

Azure Autoscale manages all scale-in and scale-out events. Go to the Azure portal for an overview of Azure Autoscale.

Azure Autoscale default settings:

  1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.

  2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.

Note - After CloudGuard metrics are enabled, you can use them to trigger scale-in and scale-out events.

To configure CloudGuard metrics for the Azure Portal:

  1. Go to the Azure Portal.

  2. From the Azure portal, navigate to the VMSS Resource Group > Virtual machine scale set resource > Scaling Policy tab.

  3. In the current Scale Policy profile (the Default one), remove the existing scale-out and scale-in rules: click each rule and select Delete.

  4. Add a Scale Out rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Greater than.

    • In the Operation field, select Increase count by.

    • In the Instance count field, enter 1.

    • Click Update.

  5. Add a Scale In rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Less than or equal to.

    • In the Operation field, select Decrease count by.

    • In the Instance count field, enter 1.

    • Click Update.

  6. Save the updated Auto Scaling policy.
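The portal steps above produce a Microsoft.Insights/autoscaleSettings resource, and the same rules can be expressed in Azure Resource Manager JSON when a setting is not exposed in the portal. The following added example (not Check Point's or Microsoft's code) builds that resource for the default CPU profile described in Autoscale Settings (add a VM above 80%, remove one below 60%, 1-minute samples averaged over 5 minutes) and for the CloudGuard metric variant from the procedure, then runs two checks a practitioner wants before saving: the minimum stays at two instances for Availability Zone redundancy, and the scale-in threshold sits below the scale-out threshold so the two rules cannot fire against each other. The resource ID is a placeholder and the CloudGuard thresholds (50/20) are illustrative assumptions; the page gives none.

```python
import json

# Placeholder target resource; substitute the real VMSS resource ID.
VMSS_ID = ("/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/"
           "providers/Microsoft.Compute/virtualMachineScaleSets/<VMSS_NAME>")

def rule(direction, operator, threshold, metric, namespace, per_instance):
    """One rule: 1-minute samples averaged over a 5-minute window, one VM per step."""
    return {
        "metricTrigger": {
            "metricName": metric, "metricNamespace": namespace, "metricResourceUri": VMSS_ID,
            "timeGrain": "PT1M", "statistic": "Average", "timeWindow": "PT5M",
            "timeAggregation": "Average", "operator": operator, "threshold": threshold,
            "dividePerInstance": per_instance},
        "scaleAction": {"direction": direction, "type": "ChangeCount", "value": "1",
                        "cooldown": "PT5M"}}

def build_setting(metric="Percentage CPU", namespace="", per_instance=False,
                  out_threshold=80, in_threshold=60, in_operator="LessThan",
                  minimum=2, maximum=10):
    """Default profile: add a VM above out_threshold, remove one at in_threshold."""
    return {
        "type": "Microsoft.Insights/autoscaleSettings", "apiVersion": "2015-04-01",
        "name": "cloudguard-vmss-autoscale",
        "properties": {
            "enabled": True, "targetResourceUri": VMSS_ID,
            "profiles": [{
                "name": "Default",
                "capacity": {"minimum": str(minimum), "maximum": str(maximum),
                             "default": str(minimum)},
                "rules": [
                    rule("Increase", "GreaterThan", out_threshold, metric, namespace, per_instance),
                    rule("Decrease", in_operator, in_threshold, metric, namespace, per_instance)]}]}}

def policy_problems(setting):
    """Pre-save checks: keep the redundancy floor and stop scale-in/scale-out from flapping."""
    problems = []
    profile = setting["properties"]["profiles"][0]
    if int(profile["capacity"]["minimum"]) < 2:
        problems.append("minimum below 2: no redundancy across Availability Zones")
    thr = lambda d: [r["metricTrigger"]["threshold"] for r in profile["rules"]
                     if r["scaleAction"]["direction"] == d]
    if any(i >= o for i in thr("Decrease") for o in thr("Increase")):
        problems.append("scale-in threshold not below scale-out threshold: rules flap")
    return problems

if __name__ == "__main__":
    # CloudGuard metric variant from the portal procedure; thresholds 50/20 are illustrative.
    cg = build_setting("IPsec number of VPN-1 RA peers", "cloudguard", True, 50, 20, "LessThanOrEqual")
    print(json.dumps(build_setting(), indent=2), policy_problems(cg))
```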

Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stays in the range between the minimum and maximum number of Virtual Machines, based on the template.

Make sure to confirm that the settings you need appear on the primary Azure portal. If a setting is not available, use the CLI or the Azure Resource Manager to change it. See the Azure Resource Manager.