vSEC Controller for Microsoft Azure

vSEC Controller integrates the Microsoft Azure cloud with Check Point security. The Check Point Data Center Server connects to the Microsoft Azure cloud and retrieves object data. vSEC Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to Microsoft Azure

You must authenticate and connect to your Microsoft Azure account to pull objects. You can use Service Principal Authentication or Microsoft Azure Active Directory User Authentication.

• Service Principal Authentication (default)
  1. Application ID - Enter your Service Principal application ID in the UUID format.
  2. Application Key - Enter the Service Principal secret.
  3. Directory ID - Enter the Tenant ID from the Service Principal in the UUID format.

  You can create the Service Principal with the Azure portal, Azure Powershell and the Azure CLI.

• Microsoft Azure Active Directory User Authentication
  1. User name - Enter as <username>@<domain>. The account type needed is a work or school account.
  2. Password - Enter the password for your Microsoft Azure account.

The minimum recommended permission is Reader. You can assign Reader permission to:

• All Resource Groups that you want to pull an item from OR
• Add the permission on a subscription level.

Note - If you have less permissions, some of the functionality might not work.

Microsoft Azure Objects

• Subscription - Helps you organize access to your cloud components.
• Virtual Network - Represents your Microsoft Azure Virtual Network (VNET) in the cloud.
• Subnet - A range of IP addresses in a VNET. A VNET can be divided into many subnets.
• Virtual Machine (VM) - Virtual computing environment.
• Virtual Machine Scale Set (VMSS) - Manages sets of Virtual Machines.
• Resource Group - Holds the components of your subscription as a group.
• Network Security Group (NSG) - NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances within that subnet.

Importing Objects in Microsoft Azure

To connect to the Microsoft Azure Data Center Server:

1. In SmartConsole, click Objects menu > More object types > Server > Data Center > Microsoft Azure.
2. Select one of the authentication modes, Service Principal or Azure AD User. Click OK.
3. Import objects from your Microsoft Azure server to your policy.
   • Network by Subscriptions - Import VNETS, subnets, Virtual Machines or VMSSs.
   • Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG. The NSG is used only as a container for the list of all IPs (NICs and subnets) that are attached to this group.
   • Tags - Imports all the IP addresses of Virtual Machines and VMSSs that have specific tags and values.

   Note - All changes in Microsoft Azure are updated automatically with the Check Point security policy. Users with permissions to change Resource Tags in Microsoft Azure may be able to change their access permissions.

4. Install the Access Control Policy.

   Imported Properties	Description
   Name	Name of the object and of the object Resource Group. Format is: obj_name (obj_resource_group_name) The user can edit the name after importing the object.
   Name in server	Name of the object and of the object Resource Group. Format is: obj_name (obj_resource_group_name)
   Type in server	Object type.
   IP address	Virtual Machines or VMSS IP addresses. In the case of subnets, NSGs or Tags, the field contains a list of all the IPs in the container.
   Note	Contains the address prefixes for VNETs and subnets.
   URI	Object path.
   Tags	Keys and Values attached to the Object.
   Location	Physical location in Microsoft Azure.

Auto Scaling in Microsoft Azure

The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of vSEC Gateways according to the current load.

vSEC Controller for Microsoft Azure can work with the Check Point Auto Scaling Group. The Check Point Security Management Server can update Data Center objects automatically on the Check Point Auto Scaling group.

Enable the Identity Awareness Blade as explained in Auto Scaling in Microsoft Azure, sk115533, Section 6-A - Enabling additional Software Blades.