Virtual Machine Scale Sets (VMSS) for Microsoft Azure R80.10 and Above Administration Guide

Overview

Use this guide to:

Introduction to Virtual Machine Scale Sets (VMSS)

Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage sets of identical Virtual Machines (VMs). The scale sets increase or decrease the number of Virtual Machines based on the current needs.

For example, multiple web servers serve a web application. The web servers are deployed across multiple fault and update domains. A Load Balancer distributes network traffic across this group of web servers as needed.

In the current cyber-landscape, it is critical that you protect these environments from attackers with a security solution that is as scalable as the resources it protects. As the number of resources you protect scales up or down, the number of Security Gateways that provide protection has to scale as well.

Azure Autoscale is set up to increase or decrease the number of Check Point CloudGuard IaaS Security Gateways that protect your environment in the VMSS. A Check Point Security Management Server manages these Check Point CloudGuard Security Gateways. The Check Point Security Management Server can be located either in Azure, or on-premises.

See Azure documentation for information on configuring multiple Virtual Machines - Configure multiple virtual machines in an availability set for redundancy.

Prerequisites

Scale-In and Scale-Out Events

Each VMSS must define Scale-In and Scale-Out events.

You can edit or view the configuration in Azure Portal > VMSS > Scaling.

Default triggers for the firewall VMSS:

  • Scale-out on more than 80% CPU usage, for an average of five minutes.

  • Scale-in on less than 60% CPU usage, for an average of five minutes.

Note - For additional information, see Autoscale setting.

Scale-In

A scale-in event occurs as a result of a decrease in the current load. When a scale-in event triggers, Azure Autoscale designates one or more of the gateways as candidates for termination. The External Load Balancer stops forwarding new connections to these gateways, and Autoscale terminates them. The Check Point Security Management Server detects that these CloudGuard IaaS Security Gateways are stopped and automatically deletes these gateways from its database.

Note - We recommend that you have at least two Security Gateways for redundancy and availability purposes.
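The two default triggers listed under Scale-In and Scale-Out Events, together with the minimum of two gateways recommended above, expressed as an ARM template resource of type Microsoft.Insights/autoscaleSettings. This is an added example, not a fragment of Check Point's own deployment template: the resource name, the vmssName template parameter, the capacity maximum of 10, the step of one instance per event and the five-minute cooldown are assumptions chosen for illustration; the thresholds (80% and 60%), the five-minute average window and the minimum of two instances come from this guide.

```json
{
  "type": "Microsoft.Insights/autoscaleSettings",
  "apiVersion": "2015-04-01",
  "name": "cloudguard-vmss-autoscale",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
  ],
  "properties": {
    "name": "cloudguard-vmss-autoscale",
    "enabled": true,
    "targetResourceUri": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]",
    "profiles": [
      {
        "name": "cpu-based-scaling",
        "capacity": {
          "minimum": "2",
          "maximum": "10",
          "default": "2"
        },
        "rules": [
          {
            "metricTrigger": {
              "metricName": "Percentage CPU",
              "metricResourceUri": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]",
              "timeGrain": "PT1M",
              "statistic": "Average",
              "timeWindow": "PT5M",
              "timeAggregation": "Average",
              "operator": "GreaterThan",
              "threshold": 80
            },
            "scaleAction": {
              "direction": "Increase",
              "type": "ChangeCount",
              "value": "1",
              "cooldown": "PT5M"
            }
          },
          {
            "metricTrigger": {
              "metricName": "Percentage CPU",
              "metricResourceUri": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]",
              "timeGrain": "PT1M",
              "statistic": "Average",
              "timeWindow": "PT5M",
              "timeAggregation": "Average",
              "operator": "LessThan",
              "threshold": 60
            },
            "scaleAction": {
              "direction": "Decrease",
              "type": "ChangeCount",
              "value": "1",
              "cooldown": "PT5M"
            }
          }
        ]
      }
    ]
  }
}
```

Three details matter for a gateway fleet. The capacity minimum of "2" is what enforces the redundancy recommendation: Autoscale will never scale the firewall VMSS below two gateways no matter how low the CPU average drops. The gap between the scale-out threshold (80%) and the scale-in threshold (60%) is deliberate hysteresis; setting both to the same value causes the fleet to flap, and every scale-in terminates a gateway that the Security Management Server then has to delete from its database. The timeWindow of PT5M with timeAggregation "Average" is what the guide means by "for an average of five minutes"; a single short CPU spike does not trigger a scale-out.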

Scale-Out

A scale-out event occurs if the current load increases. When a scale-out event is triggered:

  • Azure Autoscale launches one or more new instances of the Check Point CloudGuard IaaS Security Gateways.

  • The new instances of CloudGuard IaaS Security Gateways automatically execute the Check Point First Time Configuration Wizard and then reboot.

During the scale-out, the Check Point Security Management Server detects that new instances of CloudGuard IaaS Security Gateways were launched. The Security Management Server waits until the CloudGuard IaaS Security Gateways finish deploying, and then the Security Management Server automatically:

  • Initializes a Secure Internal Communication (SIC) channel with these CloudGuard IaaS Security Gateways.

  • Installs a Security Policy on these CloudGuard IaaS Security Gateways.

After a Security Policy is installed, these CloudGuard IaaS Security Gateways start to respond to health probes. The Load Balancer then starts to forward new connections to them. The newly created CloudGuard IaaS Security Gateways report their status and send logs to the Check Point Security Management Server.

Components of the Check Point Deployed Solution

The diagram below depicts an Azure Virtual Network (VNET) with the Check Point solution deployed.

There are two backend subnets - WebApp1 and WebApp2.

WebApp1 and WebApp2 are each a user-deployed backend subnet. Each has its own load-balanced web server.

Load Balancers

In the diagram below you can see Load Balancers at three levels.

Network Diagram

Note - WebAppA and WebAppB routing tables have the same VNET address, but different subnet addresses.