So, not actual secondary IP, nor the assigned EIP should figure anywhere in the Gaia configuration or topology of the vSEC object?

Thank you.

I'm just covering all the bases while trying to solve the mystery of disappearing Logical Server in this thread:

https://community.checkpoint.com/thread/5748-inconsistent-behavior-of-vsec-in-aws 

Right, but I'm glad to document the knowledge for others that might have the same question.

A reference architecture sk article would be good, similar to the Azure one. It needs to step through where, when, why for EIP use as none of the guides, even the AWS getting started guide, tackle this subject.

I am not sure if the subject is deserving separate sk or should be incorporated in updated document describing AWS deployment scenarios.

The EIPs are essentially a Static Nat entries of AWS.

• You need one assigned to the external interface of each vSEC 
• In case of clustered deployment, additional EIP should be associated with the Secondary IP attached to the active cluster member.
• Further EIPs are associated with each additional Secondary IP representing either Statically NATed servers behind vSEC/Cluster/ASG, or each AWS Internal Load Balancer object represented by the Logical Server object in Check Point.
• I'd imagine that if you are employing external ELB, one EIP per such should be assigned as well. 

Hi Vladimir,

I have question for cluster environment. If I attach secondary IP to active member with EIP, in case of failover how it will be diverted to another member. 

We offer a number of CloudFormation templates for AWS that can make the initial deployment simple: AWS CloudFormation Templates 

This also links to other SKs for specific configurations (autoscaling, clustering).

I actually have a mild objection to the use of the templates from the get-go: 

1. They are finicky and require certain pre-requisites not mentioned in deployment scenarios (number of available EIPs in the Region, location of the management server).

2. When stack is utilized, it may roll-back unexpectedly with limited feedback.

3. It deprives us of the ability to step on the rake a few times. The process that is conducive to downing of comprehension and formation of the long-term memory:)

Nothing wrong with eventually transitioning to coded deployment, but it pays to have to go through the manual process few times.

Just a personal preference.

Totally agree.

The SKs linked in the CloudFormation SK tell you how to do stuff manually if you so desire.

Automation is the only way to do a real deployment, thus why we have CloudFormation scripts that make this easy

Twiddling the nerd knobs on your own (or as you said, stepping on the rake) is definitely important.

This will provide a better understanding of what's going on "behind the scenes" and give you some ability to troubleshoot when things go belly-up (as they sometimes do). 

I learned quite a lot about the vSEC Controller when I actually stood up the environment demonstrated here: https://community.checkpoint.com/message/7699-leveraging-the-r8010-api-to-automate-and-streamline-se...‌

Below are few examples of deployment in AWS that I am presently running in my lab. The dual AZ cluster with external ELB and the ASG are not too far away, provided the client(s) is/are interested: