This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
AyGit
Contributor
‎2020-11-13 07:51 AM

CloudGuard (VMSS & Cluster) deployment in Azure - mono RG

Hi,

I'm wondering if it is possible to implement NorthBound VMSS instances and SouthBound Cluster instances in one Resource Group via Azure deployment template - cf. the diagram below?

Is it possible to modify the template in Azure in order to change this restriction? If so, do you have any documentation?

2020-11-13_16h46_03.png

Same question for the VNet, is it possible to have both North/South hubs in one VNet?

2020-11-13_16h46_12.png

Kind regards.

0 Kudos
Reply
5 Replies
PhoneBoy
Admin
Admin
‎2020-11-15 07:07 PM

VMSS cannot be used for outbound traffic.
Not sure how Geo ClusterXL would work with inbound traffic.
It certainly would not be scalable the way VMSS is.

Not aware of any specific limitation in regards to putting the two in the same VNet.  
My question is: why is this relevant?

0 Kudos
Reply
AyGit
Contributor
‎2020-11-16 05:49 PM
In response to PhoneBoy

Hi,

I'll use VMSS for Inbound Internet traffic and ClusterXL for Outbound Internet and E/W traffic as described in the blueprint.

I'm limited with one RG and one VNet for the deployment of both hubs, in the Azure subscription I have.

When launching the Azure template, I'm facing with the fact that RG should be empty and the VNet created during each template. So 2 x RG and 2 x VNet.

So, is there any information/documentation about the template ARM modification that I can do?

0 Kudos
Reply
Martin_Valenta
Advisor
‎2020-12-11 02:27 AM
In response to AyGit

why do you need to deploy it in this way?

0 Kudos
Reply
AyGit
Contributor
‎2020-12-11 03:06 AM
In response to Martin_Valenta

hI @Martin_Valenta 

As explained in the reply below, we don't need to keep the frontend public facing LB, as we already implemented a VMSS in NorthBound hub for this purpose.

When we've in touch with Check Point guys, they told us modify the template instead of deleting the LB manually, as the template will keep it and in case of updates, the LB will be created again.

Regards,

0 Kudos
Reply
AyGit
Contributor
‎2020-12-11 01:41 AM

Hi guys

I come back to my Azure deployment. So, I have now 2 RG and one VNet with 4 subnets: 2 for NothBound (front and back) and 2 for SouthBound (front and back).
I deployed the VMSS in NorthBound RG with one external LB for inbound Internet traffic.
I've deployed also the HA (cluster) in SouthBound RG for outbound Internet traffic and E/W traffic. But I found 2 LB deployed, contrary to VMSS template, in this one we cannot choose the number of LB.

  • one Frontend-lb with a public IP
  • one backend-lb 

In my case, I don't need the frontend-lb as the inbound Internet traffic will be handled by the NorthBound firewalls.
So I'd like to redeploy the template by modifying the Azure json template file. However I'm facing with multiple errors with the '_artifacts Location’ parameter, and need your help for resolving this issue.

  • By default the value added is  [deployment().properties.templateLink.uri] --> this value is not accepted:

2020-12-10_23h48_44.png

2020-12-10_14h28_20.png

  • I entered the value directly in the template file in the line "networkSetupURL". But the deployment failed again with a different error:

2020-12-10_15h18_02.png

 

 

 

 

 

I tried differents way to overcome this behaviour in vain ...

Regards.

0 Kudos
Reply