
Do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration?


We're setting up CloudGuard IaaS High Availability in Azure (R80.30).
I can access the two firewall members when using their respective external IPs, but connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work. I'm not seeing anything on the Active firewall with fw monitor.
Do you need to add the cluster-vip external IP to the LoadBalancerFrontend IP configuration?


0 Kudos
5 Replies


You should have an NSG attached to the external subnet?

If so, please check if access to the VIP is allowed.



0 Kudos



This is the NSG attached to the frontend subnet:

AllowAllInbound Any Any Any Any Allow
AllowVnetInbound Any Any VirtualNetwork VirtualNetwork Allow
AllowAzureLBInbound Any Any AzureLoadBalancer Any Allow
DenyAllInbound Any Any Any Any Deny

AllowVnetOutbound Any Any VirtualNetwork VirtualNetwork Allow
AllowInternetOutbound Any Any Any Internet Allow
DenyAllOutbound Any Any Any Any Deny

0 Kudos

OK, and your VIP is attached to the external interface of the master, I guess?




0 Kudos

To your specific question: no, you don't need it. The VIP for VPN purposes on the CG IaaS HA template is a "floating IP" attached as a secondary to the NIC of the active member; this job is done by a service principal deployed by the template if selected (this is the default); attached image.

If you selected "NO", that can also cause this IP not to be moved to the active member.



0 Kudos

So. The IP for the cluster was assigned, but to the standby member. We've been able to fix that with

So now we can ping the VIP and see it's being directed to the proper active member. We still can't establish a VPN tunnel, but that might need another post...

0 Kudos
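
A check for the condition this thread ended on (the cluster VIP attached to the standby member instead of the active one), as an added example that is not part of the original posts or of the Check Point template. It assumes you have the `az network nic show` JSON for each member's external NIC and know which member is active (for example from `cphaprob state`); the member names, resource IDs and addresses below are constructed.

```python
# Added example: constructed data shaped like `az network nic show -o json`.
PIP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-example/providers/Microsoft.Network/publicIPAddresses/")

def ipconfig(name, primary, private_ip, pip_name):
    """Build one constructed ipConfiguration entry (hypothetical helper)."""
    return {"name": name, "primary": primary, "privateIPAddress": private_ip,
            "publicIPAddress": {"id": PIP + pip_name}}

# Constructed sample: the VIP sits on member2 as a secondary ipconfig.
SAMPLE_NICS = {
    "member1": {"ipConfigurations": [
        ipconfig("ipconfig1", True, "10.0.1.10", "member1-pip")]},
    "member2": {"ipConfigurations": [
        ipconfig("ipconfig1", True, "10.0.1.11", "member2-pip"),
        ipconfig("cluster-vip", False, "10.0.1.12", "cluster-vip")]},
}

def vip_holders(nics, vip_name):
    """Return (member, ipconfig name, is_primary) for each ipconfig bound to the VIP."""
    suffix = "/publicipaddresses/" + vip_name.lower()
    found = []
    for member, nic in nics.items():
        for cfg in nic.get("ipConfigurations", []):
            # Key casing differs between az CLI versions; accept both.
            pip = cfg.get("publicIPAddress") or cfg.get("publicIpAddress") or {}
            if pip.get("id", "").lower().endswith(suffix):
                found.append((member, cfg.get("name"), bool(cfg.get("primary"))))
    return found

def check_vip(nics, vip_name, active_member):
    """Return (ok, message) comparing the VIP's NIC against the active member."""
    holders = vip_holders(nics, vip_name)
    if not holders:
        return False, f"{vip_name} is not attached to any member NIC"
    member, cfg, primary = holders[0]
    if member != active_member:
        return False, f"{vip_name} is on {member}/{cfg}, but {active_member} is active"
    if primary:
        return False, f"{vip_name} is on the primary ipconfig of {member}, not a secondary"
    return True, f"{vip_name} is on {member}/{cfg} (secondary), matching the active member"

if __name__ == "__main__":
    for active in ("member1", "member2"):
        print(active, check_vip(SAMPLE_NICS, "cluster-vip", active))
```
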