topic Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server in Cloud Firewall

CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Sun, 29 Nov 2020 13:52:47 GMT

Dear CheckMates,

I have CheckPoint VMSS working in Azure.

I have given Hide NAT behind Gateway for Internal Server, so it gets Hide behind one of VMSS and reaches Internet - works fine

Requirement is - I want to Hide NAT my Internal Server to a New Public IP (Not to use any of VMSS Public IP)

I tried creating New External Interface in VMSS and able to Hide NAT my Internal Server to that New IP.

Outbound packet gets Hide NAT with New IP, but UNABLE to see REPLY traffic from Internet.

Is there any way to achieve the Outbound Hide NAT for Internal Server using New IP apart from VMSS IP?

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

PhoneBoy — Tue, 01 Dec 2020 16:57:30 GMT

Not sure exactly what you can do on the Azure side to make this work, but that is where the issue lies.

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Wed, 02 Dec 2020 04:32:08 GMT

Hello PhoneBoy,

Yeah looks like that will not work as I had made many trials and reason could be in "ifconfig" of VMSS where the Primary External Interface is tagged and no other External can be added onto its NIC settings (ens192P2g3..... adapter is bound for eth0 ONLY)

Now as per document I'm doing the below and still unable to get it done.

1) Created CheckPoint VMSS without ILPIP.

2) Integrated with Mgmt Server with Frontend NIC Private IP of VMSS

3) Created Inbound LB rule in FrontendLB to reach Internal Server - works fine

4) Now my VMSS & Internal Server both don't have Internet Outbound Connectivity.

5) As per CheckPoint document and Azure, I had given Outbound Rule in FrontendLB so that Backend VMSS instances will get Outbound Internet using FrontendLB Public IP.

But no luck. I tried some NAT in SmartConsole on VMSS Objects and subnets for Internal Server - -No Luck

Any idea how should I achieve the Outbound Internet Connection for my VMSS instances which has ONLY Private IP (No ILPIP) and for Internal Servers

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Mon, 07 Dec 2020 07:34:13 GMT

Hi Prabu,

according to the information on this page Azure LB I guess it´s too complicated for a VMSS as outbound Load Balancing Rules have the following limitation:

< Outbound rules can only be applied to primary IP configuration of a NIC. You can't create an outbound rule for the secondary IP of a VM or NVA. Multiple NICs are supported.

So you would have to add NICs to each ScaleSet Member , not sure if this is supported by Checkpoint at all.

In addition, the LB has to be of type "Standard", with a Basic LB you can not configure outbound Rules.

May be a Single GW or Checkpoint Cluster for outbound traffic could be a alternative ?

At least for a Single GW I have tested it that way:

https://community.checkpoint.com/t5/Cloud-Network-Security-IaaS/STATIC-NAT-in-Azure-Checkpoint/td-p/75730

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Mon, 07 Dec 2020 11:10:14 GMT

Hi Matthias,

Yes I could create additional NIC but it cannot be used for Outbound traffic.

Yes in Single GW it is working but not in Cluster & VMSS.

Anyways I could able to get Internet Outbound for VMSS & Internal servers with FrontendLB's IP as my VMSS don't have ILPIP.

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Mon, 07 Dec 2020 11:26:20 GMT

Hi Prabu,

<Yes I could create additional NIC but it cannot be used for Outbound traffic.

Have you studied the provided microsoft link:

With outbound rules, you can explicitly define outbound SNAT behavior.

Outbound rules allow you to control:

Which virtual machines are translated to which public IP addresses.
- Two rules were backend pool A uses IP address A and B, backend pool B uses IP address C and D.

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Mon, 07 Dec 2020 12:15:05 GMT

Hi Matthias,

Yes had looked into SNAT behavior.

But in my setup - For FrontendLB - The backend Pools weer only VMSS and no other Internal VMs.

So I made HIDE NAT with All gateway(VMSS) for Internal machine so that Internal machine will Hide behind VMSS and go outside.

Had Outbound Rules for VMSS to use FrontendLB Public IP. So my both VMSS & Internal VMs use FrontendLB IP for outgoing Traffic.

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Mon, 07 Dec 2020 14:24:18 GMT

Hi Prabu,

the backend Pool consists of NICs, not VMs. As you would have a VM/scaleset with multiple NICs you could define two backendPools on the external LB, each containing a different NIC of the same VM/scaleset

Same is true for your external and internal LB which is deployed with your VMSS. Check the backend Pool of these LBs, same scaleset but different NICs
(eth1 with the backend-lb, eth0 with the frontend-lb)

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Mon, 07 Dec 2020 17:07:21 GMT

Hi Matthias,

Created New NIC on VMSS instance and tried to add or create New backendpool for this new NIC - no luck.

Its not getting added fo new NIC VMSS instance.

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Tue, 08 Dec 2020 07:03:46 GMT

Hi Prabu,

I guess you still have only two NICs at the instance level ?

Regards

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Tue, 08 Dec 2020 07:12:54 GMT

Hi Matthias,

I created 3rd NIC as External apart from etho(External) & eth1(Internal).

So already 1st backendpool for FrontendLB has been tagged with eth0 of VMSS.

Now if I try to create 2nd backendpool with 3rd NIC of VMSS - unable to do so.

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Tue, 08 Dec 2020 07:34:50 GMT

Hi Prabu,

when I added a 3rd NIC , I had to redeploy the already running instances. Only then the 3 NICs where available at the instance level and I could add a further backend pool with the third NIC.

Have you done this ?

Regards

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Tue, 08 Dec 2020 07:38:01 GMT

Hi Matthias,

Yup after new VMSS spinned, I can see 3rd New NIC as well.

Created 2nd Backendpool to tag New NIC, but unable to do so.

Thats where I was stuck.

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Tue, 08 Dec 2020 11:00:12 GMT

Hi Prabu,

look´s like the NIC has to have network acceleration enabled (which is not the case if added via the Azure Portal).

If doing so via azure CLI like:

az vmss update -g cpss --name cpss --set virtualMachineProfile.networkProfile.networkInterfaceConfigurations[2].enableAcceleratedNetworking=true

i was able to add a 2nd Backenpool. (after redeploying the instance again)

After configuring a outbound rule, the second public IP of the external LB was used.

Regards

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Tue, 08 Dec 2020 11:07:46 GMT

Hi Matthias,

Let me try your action.

In Azure CLI - Should i need to replace any text in below:

az vmss update -g cpss --name cpss --set virtualMachineProfile.networkProfile.networkInterfaceConfigurations[2].enableAcceleratedNetworking=true

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Tue, 08 Dec 2020 11:17:14 GMT

Hi Prabu,

yes, the name is the resource group the scalest ist deployed in and after the "-g" switch you have to add the name of your scaleset.

If it is succesfull, the added NIC (I called it eth2) should have acceleration enabled:

After that, you have to redeploy the instance again.

Regards

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Tue, 08 Dec 2020 15:21:50 GMT

Hi Matthias,
Thanks for your input, I could able to create 2nd BackendPool & tagged New NIC as well.

Now my requirement is that my VMSS should go Outbound to Internet thru this New NIC.
It doesn't work if I do as above?
It works only thru backendpool which has eth0..Not with backendpool which has newnic

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Wed, 09 Dec 2020 10:11:42 GMT

Hi Prabu,

your VMSS is using eth0 as your default route is through eth0, I guess ?

If you change the default route to the first IP of the newnic network it will use that interface

But if I get it right, only your internal Server should use that new Public IP ?

Regards

Matthias

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Prabulingam_N1 — Wed, 09 Dec 2020 10:16:24 GMT

Hi Matthias,

I also changed the Default route in VMSS from eth0 to newnic & checked. VMSS lost Internet connection. (Then changed back from newnic to eth0 in Default Route - started woking)

For Internal server, I made HIDE NAT of NewNIC IP of VMSS.

No luck.

Seems to me a limitation????

Regards, Prabu

Re: CheckPoint IaaS VMSS -Azure - Doubt in Outbound NAT for Internal server

Matthias_Haas — Wed, 09 Dec 2020 10:22:46 GMT

Hi Prabu,

did you put the newnic (10.10.10.5) in the same subnet as eth0 (10.10.10.4) ?

Regards

Matthias