topic Azure Checkpoint VSEC Cluster Internal Load balancer in Cloud Firewall

Azure Checkpoint VSEC Cluster Internal Load balancer

Chandhrasekar_S — Mon, 12 Feb 2018 14:52:47 GMT

Hi All,

I deployed CheckPoint VSEC cluster from Microsoft Azure Market place. I see the cluster is having a public load balancer, which has two cluster gateways outside IP's as front end IPs

I would like to spin up a second internal load balancer, which will have the cluster gateways inside IP's configured

I am able to deploy the load balancer and add the gateway IPs fine, however the challenge I am facing is, in order to achieve HA in Azure, we have to configure the second load balancer name is $FWDIR/conf/azure-ha.json file and reconf it.

I tried adding the second (internal) load balancer name after the comma, the azure_ha_cli.py isn't recognizing the second load balancer name and isn't failing over.

Does anyone have tried this and can you let me know how you are achieving HA using this method

Thanks,

Chandru

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Martin_Valenta — Fri, 16 Feb 2018 07:00:01 GMT

In json file you can specify only public load balancer name, it doesn't count with internal load balancer. Azure template for vsec cluster is deployed per design specified here Deploying a Check Point Cluster in Microsoft Azure

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Chandhrasekar_S — Thu, 22 Mar 2018 02:25:52 GMT

I agree, in JSON file you specify the load balancer name. I have internal load balancer working fine on eth0 interface

I do understand, Azure template for vSEC cluster only supports load balancer on eth0 interface

It would be better if Check Point comes up having a load balancer on eth1 interface as well

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Martin_Valenta — Thu, 22 Mar 2018 03:30:18 GMT

You might want to look on Auto scale option, this will give you load balancer on eth0 and eth1 Trust me having just one load balancer in front of cluster will give you a lot of fun.

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Chandhrasekar_S — Sun, 25 Mar 2018 01:58:45 GMT

Yes Check Point Scale sets offer load balancers on both eth0 and eth1 interfaces. however they can only do stateless protocols like http and https. It works for internet facing apps.

I cant deploy them every where, since we have to inspect other stateful protocols like sql server, rdp etc.

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Jerry_Thornhil1 — Fri, 13 Jul 2018 15:02:16 GMT

all,

how do you get the cluster to answer health probes from load balancers? even on internal interfaces.

Re: Azure Checkpoint VSEC Cluster Internal Load balancer

Nikhil_Deshmukh — Thu, 19 Jul 2018 12:22:16 GMT

External Load Balancer's :- They are needed when you want to Publish Web Services (Web page / Application running on any Server) over the Internet.

See as per my understanding Internal Load Balancer's are used for Balancing the Traffic loads for any server between different nodes or not to expose Server's directly to User's.

Wht is your specific requirement with Load Balancer's to be acknowledged by VSec on the Internal Azure plane.?