Overview

Use this guide to:

Introduction to Virtual Machine Scale Sets (VMSS)

Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage sets of identical Virtual Machines (VMs). The Scale Sets increase or decrease the number of Virtual Machines based on the current needs.

For example, multiple web servers server a web application. The web servers are deployed across multiple fault and update domains. A Load Balancer distributes network traffic across this group of web servers as needed.

In the current cyber-landscape, it is very important that you protect these environments from attackers with a security solution that is as scalable as the resources it protects. As the number of resources you protect scales up or down, the number of Security Gateways that provide protection has to scale as well.

Azure Autoscale is set up to increase or decrease the number of Check Point CloudGuard IaaS Security Gateways that protect your environment in the VMSS. A Check Point Security Management Server manages these Check Point CloudGuard Security Gateways. The Check Point Security Management Server can be located either in Azure, or on-premises.

See Azure documentation for information on the configuration of multiple Virtual Machines - Configure multiple virtual machines in an availability set for redundancy.

Prerequisites

Make sure you are familiar with these topics

Vendor

Topics

Microsoft Azure

  • VMSS

  • Autoscaling

  • Load Balancers

    • High Availability ports

  • Identity and access management

Check Point

  • Check Point R80.10 and Higher

  • Check Point with Azure

Remote Access VPN

As an Azure Certified solution, CloudGuard IaaS complements Azure cloud security controls to enable you to seamlessly secure your remote workforce with elastic scalability and High Availability. The Remote Access VPN solution gives full access to the corporate network with a VPN client for existing and/or new remote users.

The solution provides full automation as part of Check Point's Cloud Management Extension (CME) for scale out and/or scale in of a Gateway, and the capability to probe an Azure DNS service for available Gateways.

The Remote Access VPN is supported from R80.40 Management Server or Multi-Domain Management Server and above, and R80.40 Gateway version and above.

Scale In and Scale Out Events

Each VMSS must define Scale In and Scale Out events.

You can edit or see the configuration in Azure Portal > VMSS > Scaling.

Default triggers for the firewall VMSS:

  • Scale Out on more than 80% CPU usage, for an average of five minutes.

  • Scale In on less than 60% CPU usage, for an average of five minutes.

Note - You can use CloudGuard Metrics as triggers for scale in and scale out events. For more information, see Additional Information.

Scale In

A scale in event occurs as a result of a decrease of the current load. When a scale in event triggers, Azure Autoscale designates one or more of the gateways as candidates for termination. The External Load Balancer stops forwarding new connections to these gateways, and Autoscale ends them. The Check Point Security Management Server detects that these CloudGuard IaaS Security Gateways are stopped and automatically deletes these gateways from its database.

Note - We recommend that you have at least two Security Gateways for redundancy and availability purposes.

Scale Out

A scale out event occurs, if the current load increases. When a scale out event is triggered:

  • Azure Autoscale launches one or more new instances of the Check Point CloudGuard IaaS Security Gateways.

  • The new instances of CloudGuard IaaS Security Gateways automatically runs the Check Point First Time Configuration Wizard and then reboot.

During the scale out, the Check Point Security Management Server detects that new instances of CloudGuard IaaS Security Gateways launched. The Security Management Server waits until the CloudGuard IaaS Security Gateways finish to deploy and then the Security Management Server automatically:

  • Initializes a Secure Internal Communication (SIC) channel with these CloudGuard IaaS Security Gateways.

  • Installs a Security Policy on these CloudGuard IaaS Security Gateways.

After a Security Policy is installed, these CloudGuard IaaS Security Gateways start to respond to health probes. The Load Balancer then starts to forward new connections to them. The newly created CloudGuard IaaS Security Gateways report their status and send logs to the Check Point Security Management Server.

Notes:

  1. In case of scale out event, the latest available Check Point image is used to deploy the new Virtual Machine.

  2. When you use the template version 20181017 or above:

    1. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator is used.

    2. In case of scale out event, a newer Virtual Machine uses the latest available Check Point image.

      For R80.10, the latest available image might include a newer Jumbo Hotfix Accumulator version.

    For more information, see these SK articles:

    • CloudGuard for Azure Latest Updates - see sk132192

    • Jumbo Hotfix Accumulator for R80.10 - see sk116380

    • Blink - Gaia Fast Deployment - see sk120193

Components of the Check Point Deployed Solution

The diagram below depicts an Azure Virtual Network (VNET) with the Check Point solution deployed.

There are two backend subnets - WebApp1 and WebApp2.

WebApp1 and WebApp2 are each a user-deployed backend subnet. Each has its own load-balanced web server.

The Check Point deployed solution has these components:

  • Frontend subnet

  • Virtual Machine Scale Set (VMSS)

    The number of instances that you can deploy in the Cloud is dynamic.

  • Internal Load Balancer

  • Backend subnet

  • External Load Balancer

  • Public IP address for each VMSS instance (optional)

  • You cannot deploy other VMs in the VMSS subnets

If the Remote Access VPN is enabled, during solution template deployment these additional resources are deployed:

  • Function App (Azure function)

  • System Assigned Managed Identity with Contributor role on the VMSS solution's Research Group

  • Azure Function Application Insights

  • Azure Function App Service Plan

  • Azure Function Storage account

  • App Service Domain

Load Balancers

In the diagram below you can see Load Balancers at three levels.

Network Diagram

Note - WebAppA and WebAppB routing tables have the same VNET address, but different subnet addresses.

Remote Access VPN: High Level Architectural Diagram

  1. Azure function gets Public IPs of VMSS instances whose provision process is finished.

  2. Azure function creates, in case it does not exist, or updates a DNS Zone Record Set with the VMSS Instances’ public IPs.

  3. Remote Access VPN client runs a DNS query to resolve the current active IP addresses.

  4. Azure DNS returns the current active IP addresses.

  5. Client does a load-share mechanism on the resolved IP list and establishes Remote Access VPN connection with the applicable VMSS instance. It then gets access to internal resources.

For Remote Access VPN limitations, see Known Limitations.

Multi region Remote Access VPN: High Level Architectural Diagram

  1. Every Azure function gets Public IPs of VMSS instances, from the same region, whose provision process has finished.

  2. Every Azure function creates, in case it does not exist, or updates its separate DNS Zone Record Set with the VMSS Instances’ public IPs.

  3. Remote Access VPN client sends a DNS query to the Traffic Manager URL to resolve the current active IP addresses.

  4. Traffic Manager with the geographic traffic routing method directs the client request to the Azure DNS Record Set with the VMSS Instances’ public IPs from the same or the nearest region

  5. Traffic Manager returns the VMSS Instances’ public IPs list from the Azure DNS Record Set, from the same or the nearest region

  6. Client does a load-share mechanism on the resolved IP list and establishes a Remote Access VPN connection with the appropriate VMSS instance. It then gets access to internal resources.

  7. Remote Access VPN client can reach internal resources from different regions if VNET Peering is configured. For example, a client from the EU region can access internal resources in a US region and vice versa.

For Site-2-Site VPN configuration between Cluster High Availability, see the Check Point CloudGuard IaaS High Availability for Azure Administration Guide.