topic Re: Azure Scale Set - CloudGuard - Is source NAT necessary? in Cloud Firewall

Azure Scale Set - CloudGuard - Is source NAT necessary?

Gusa2727 — Thu, 15 Sep 2022 11:18:05 GMT

Hi, we are thinking on deploying a multiple Gateways in a Scale Set solution in Azure. How is assymetric routing avoided with this solution? I know that some time ago, we had to use source NAT, but we would not like to apply this solution for our network.

On the other hand, as far I know, in Azure we have not something similar to AWS Gateway Load Balancer which uses geneve to ensure that the replay goes using the same firewall instance.

Fortinet has the FGSP protocol which syncs sessions within all firewall instances in the cluster, so it is not a problem if the traffic goes through one intance, and the replay goes through a different one. Is there something similar for Check Point? Thanks.

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

G_W_Albrecht — Thu, 15 Sep 2022 11:19:19 GMT

Why do you think this is a General Topic ?

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Chris_Atkinson — Thu, 15 Sep 2022 12:51:23 GMT

Azure GWLB via VXLAN:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Introduction-to-VMSS.htm

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Gusa2727 — Thu, 15 Sep 2022 13:58:28 GMT

Thanks, I missed that Azure has released a GWLB similar to AWS GWLB.

After checking the below video, it looks like it is still a preview solution, and it does not work for inspecting the east-west traffic, right? In case we want to inspect east-west traffic through Gateways in a scale set, and without having to deploy an External LB, is there a way to achieve this keeping aside from using source nat?

https://www.youtube.com/watch?v=gN74syBIJio

Thanks.

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Dmitry_Gorn — Sun, 18 Sep 2022 06:11:39 GMT

Hi,

Sure. You can deploy a VMSS solution without an External Load Balancer and only use it for East West traffic inspection.

The Load Balancer combination can be selected as part of the deployment template.

For East-West traffic, as long as the request and reply go via the Internal Load Balancer (as documented) you will not have to S-NAT the traffic.

Refer to the "East West" and "East West Reply" sections in the traffic flows page:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-VMSS/Traffic-Flows.htm?tocpath=Traffic%20Flows%7C_____0#Traffic_Flows

Thanks,

Dmitry

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Gusa2727 — Sun, 18 Sep 2022 10:41:26 GMT

Hi @Dmitry_Gorn,

Thank you very much for the helpful information.

So, if I have understood everything correctly:

You have shared information about two different deployments Plans.
- Public Preview CloudGuard Gateway Load Balancer
  - This Plan only requires one subnet (FrontEnd subnet)
  - This Plan does not require SNAT for external traffic. We have to chain a Public LB or Standar IP of our applications to our GWLB deployed in this Plan.
  - This deployment only works for North/South traffic.
- CloudGuard Scale Set
  - This Plan requires two subnets (FrontEnd and BackEnd subnets)
  - This Plan DOES NOT require SNAT for East/West traffic, because the Azure Internal LB is aware of the replay traffic, and sends the replays to the right Gateway to avoid asymmetric routing issues.
  - This Plan DOES requiere SNAT for North/South traffic. It is not especifically pointed in the document, but jugding for the Traffic Flows section, it is likely that SNAT is required for sure.

Now, the thing is that we would like to find a solution able to inspect both, N/S and E/W traffic, without using SNAT for any of these traffic flows. Assuming that it is not possible for E/W Traffic to point to the GWLB and it just works if you link a Public LB or Standard IP to it, in order to be able to inspect N/S and E/W traffic flows, we would need to different deployments Plans, right? Thanks!

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Dmitry_Gorn — Mon, 19 Sep 2022 06:07:36 GMT

You are correct. The SNAT for N-S traffic is mentioned in the traffic flow "animated GIFs". Perhaps we can make it more clear in the admin guide - will put it on the list.

You are also correct that you will need two separate deployments - one with GWLB and one regular VMSS. A regular VMSS cannot work with GWLB (GWLB required VXLAN tunnels and in general operates differently).

One more option to consider is to use XFF header feature on the VMSS for N-S traffic. Traffic will still be NATed but you will have XFF headers.

Thanks,

Dmitry

Re: Azure Scale Set - CloudGuard - Is source NAT necessary?

Gusa2727 — Mon, 19 Sep 2022 10:52:06 GMT

Thank you very much!