topic Re: Cloudguard deployment best practices in Cloud Firewall

Cloudguard deployment best practices

Gongya_Yu — Sat, 15 Jun 2024 22:11:32 GMT

We are in the process of the deployment of cloudguard with Checkpoint assistance, also I am watching a few Checkpoint deployment videos. I noticed a few architecture options we moved from and to. As the change is hard after the deployment is done. I have the following questions:

1. cluster failover pros and cons:

For our cloudguard deployment in AWS, our cluster failover is achieved via API updating the route table. When we came to Azure deployment, we had LB,

Does AWS have LB option too ?

LB is a must for Azure ? (Note: We do not need Northbound, only need Southbound to on-prem)

2. Using Route Server or not

Based on some difference for routing approaches between AWS and Azure, Route servers should be used or not ?

3. VNET for Cloudguard

Cloudguard should be deployed in the same vnet with other network components or in its dedicated vnet.

Any suggested best practices for these options ?

thanks a lot !!

Re: Cloudguard deployment best practices

Nir_Shamir — Sun, 16 Jun 2024 07:14:32 GMT

1. AWS doesn't have an LB option , everything works with API. we used to have the same in Azure until we moved to work with LBs. the API failover in AWS is pretty fast and usually you don't even notice it.

2. Route-Servers are more dynamic the the regular UDRs . if you have a small static network then I would use UDRs. for large networks and VNETS + constant changes I would use Route Servers do ease the operation of changes.

3. I always deploy the CloudGuard GWs in a separate compartment (VNET or VPC etc.) it's easier to manage it and it doesn't mixup with the rest of your networks.

Re: Cloudguard deployment best practices

the_rock — Sun, 16 Jun 2024 12:13:25 GMT

You got the answer.

Andy