Traffic Flows
Inbound Traffic

- The request traffic arrives from the Internet at the External Load Balancer in the Check Point deployed solution.
- The External Load Balancer forwards the request traffic to a VMSS Gateway instance.
- The VMSS Gateway instance:
  - Inspects the request traffic.
  - Performs Static NAT on the request traffic.
  - Forwards the request traffic to the Application's Internal Load Balancer.
- The Application's Internal Load Balancer forwards the request traffic to the Web Server Host.

Inbound Traffic Reply

- The reply traffic arrives from the Web Server Host to the original VMSS Gateway instance.
- The VMSS Gateway instance:
  - Inspects the reply traffic.
  - Forwards the reply traffic to the External Load Balancer.
- The External Load Balancer forwards the reply traffic to the destination on the Internet.

Outbound Traffic

- The request traffic arrives from the Web Server Host at the Internal Load Balancer in the Check Point deployed solution.
- The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.
- The VMSS Gateway instance:
  - Inspects the request traffic.
  - Performs Hide NAT on the request traffic.
  - Forwards the request traffic to the Internet.

Outbound Traffic Reply

- The reply traffic arrives from the Internet at the External Load Balancer in the Check Point deployed solution.
- The External Load Balancer forwards the reply traffic to a Check Point Security Gateway instance (Active Cluster Member) in the VMSS.
- The Check Point Security Gateway instance:
  - Inspects the reply traffic.
  - Forwards the reply traffic to the Internal Load Balancer in the Check Point deployed solution.

East-West Outbound Traffic

- The request traffic arrives from the Web Server Host 1 at the Internal Load Balancer in the Check Point deployed solution.
- The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.
- The VMSS Gateway instance:
  - Inspects the request traffic.
  - Forwards the request traffic to the corresponding Internal Load Balancer of the Web Server Host 2.
- The Internal Load Balancer of the Web Server Host 2 forwards the request traffic to the destination Web Server Host 2.

East-West Outbound Traffic Reply

- The reply traffic arrives from the Web Server Host 2 at the Internal Load Balancer in the Check Point deployed solution.
- The Internal Load Balancer forwards the reply traffic to the same VMSS Gateway instance that processed the request traffic from the Web Server Host 1 to the Web Server Host 2.
- The Check Point Security Gateway instance:
  - Inspects the reply traffic.
  - Forwards the reply traffic to the corresponding Internal Load Balancer of the Web Server Host 1 in the Check Point deployed solution.

Intra-Subnet Traffic
Traffic travels freely in the subnet without inspection.
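
Because intra-subnet traffic bypasses the gateways, it helps to know which observed flows fall into that category. The following is an added example, not part of the Check Point documentation: it classifies flows by their logical endpoints (connection initiator and final server, ignoring the NAT rewrites) into the flow types described above. The subnet names, CIDR ranges and sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed (hypothetical) application subnets behind the VMSS gateways.
SUBNETS = {
    "web1": ipaddress.ip_network("10.1.1.0/24"),
    "web2": ipaddress.ip_network("10.1.2.0/24"),
}

def subnet_of(ip):
    """Name of the protected subnet holding ip, or None (treated as Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None

def classify(src, dst):
    """Return (flow_type, inspected) for a flow from initiator src to server dst."""
    s, d = subnet_of(src), subnet_of(dst)
    if s is None and d is None:
        return ("external", False)      # never enters this deployment
    if s is None:
        return ("inbound", True)        # External LB -> gateway (Static NAT) -> app ILB
    if d is None:
        return ("outbound", True)       # ILB -> gateway (Hide NAT) -> Internet
    if s != d:
        return ("east-west", True)      # ILB -> gateway -> peer subnet's ILB
    return ("intra-subnet", False)      # stays in one subnet, no gateway on the path

def uninspected(flows):
    """Flows between protected hosts that no gateway instance ever sees."""
    return [f for f in flows if classify(*f)[0] == "intra-subnet"]

def summary(flows):
    """Count flows per flow type."""
    return dict(Counter(classify(*f)[0] for f in flows))

# Constructed sample flows: (initiator IP, server IP).
SAMPLE = [
    ("203.0.113.7", "10.1.1.10"),   # Internet client -> web server
    ("10.1.1.10", "198.51.100.5"),  # web server -> Internet
    ("10.1.1.10", "10.1.2.20"),     # Web Server Host 1 -> Web Server Host 2
    ("10.1.1.10", "10.1.1.11"),     # two hosts in the same subnet
]

if __name__ == "__main__":
    print(summary(SAMPLE))
    print("not inspected:", uninspected(SAMPLE))
```

Flows reported by `uninspected` need a different control, such as host-level filtering or moving the hosts into separate subnets, if they must be inspected.
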
Remote Access VPN
- On each attempt to create a site or connect to the site, the client runs a DNS query to resolve the current active IP addresses and applies a load-sharing mechanism to the resolved IP list.
- When the client initiates the connection, IKE negotiations take place with the configured Gateway on Azure. After the negotiations finish, a Remote Access tunnel is established.
- As part of the IKE negotiations, the Gateway assigns a special IP address, called Office Mode, to the client. With this assignment, the Gateway can identify the Remote Access client and give it access to the internal resources, as derived from the Policy configured in SmartConsole.
- The Remote Access client can auto-trust a new VMSS Instance Certificate that was issued by the same Management Server.
- For more information about how Remote Access works with the Check Point Gateway, see the R81 Remote Access VPN Administration Guide.