Additional External IP (AWS)
The customer has an R80.10 cluster in an AWS environment.
The front-end is 172.31.19.x with a public IP address (eth0).
The back-end is 172.31.18.x (eth1).
On the front-end interface several subinterfaces are configured for public services, something like this:
ETH0
172.31.19.x public1
172.31.19.y public2
172.31.19.z public3
172.31.19.v public4
172.31.19.q public5
But the customer has reached the limit of public IP addresses that can be associated with the interface and needs to publish more.
We tried to do that by adding another external interface, but it does not work.
Does anyone know the procedure in this case?
Both the number of interfaces and the number of IPs you can associate to a given interface are a function of the AWS instance size you are using.
Your options are:
- Use an elastic load balancer, which can also rewrite the source port for an incoming connection (allowing you to reduce the number of IPs assigned to the gateway).
- Use more (smaller) gateways to protect these servers.
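Since the limits above come from the instance type, a quick way to see how much room a gateway has left is to read them from the `NetworkInfo` block that boto3's `ec2.describe_instance_types` returns and subtract what is already in use. This is an added example, not code from the thread or from Check Point; the instance type name and the two limit values in the sample response are constructed placeholders, not real AWS numbers.

```python
"""Work out the public IPv4 ceiling for a gateway instance on AWS.

Every public IP (EIP) has to be mapped onto a private IPv4 address of an
ENI, so the ceiling is MaximumNetworkInterfaces * Ipv4AddressesPerInterface,
both reported by ec2.describe_instance_types under NetworkInfo.
"""
from dataclasses import dataclass

# Constructed sample in the shape of boto3's describe_instance_types output.
# The type name and both limits are placeholders, not real AWS values.
SAMPLE_RESPONSE = {
    "InstanceTypes": [
        {
            "InstanceType": "example.large",
            "NetworkInfo": {
                "MaximumNetworkInterfaces": 3,
                "Ipv4AddressesPerInterface": 10,
            },
        }
    ]
}


@dataclass
class IpBudget:
    interfaces: int           # ENIs the instance type allows
    ipv4_per_interface: int   # private IPv4 slots per ENI (primary + secondary)
    reserved_interfaces: int  # ENIs that carry no public IPs (e.g. back-end eth1)
    in_use: int               # slots already taken on the front-end ENIs

    @property
    def capacity(self) -> int:
        """Private IPv4 slots on the ENIs that may carry public IPs."""
        usable = max(self.interfaces - self.reserved_interfaces, 0)
        return usable * self.ipv4_per_interface

    @property
    def headroom(self) -> int:
        """Public IPs that can still be added before hitting the limit."""
        return max(self.capacity - self.in_use, 0)


def budget_from_response(resp: dict, reserved_interfaces: int, in_use: int) -> IpBudget:
    """Build an IpBudget from a describe_instance_types response (first type only)."""
    info = resp["InstanceTypes"][0]["NetworkInfo"]
    return IpBudget(info["MaximumNetworkInterfaces"], info["Ipv4AddressesPerInterface"],
                    reserved_interfaces, in_use)


if __name__ == "__main__":
    # Thread scenario: eth1 is the private back-end, eth0 already fronts 5 services.
    b = budget_from_response(SAMPLE_RESPONSE, reserved_interfaces=1, in_use=5)
    print(f"capacity={b.capacity} headroom={b.headroom}")
```

Against a live account, replace `SAMPLE_RESPONSE` with `boto3.client("ec2").describe_instance_types(InstanceTypes=[...])` and the same function applies.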
We ran into this exact same issue with AWS. In order to get more IPs, we had to add another external interface. It's a pain... There was a lot of tinkering involved, a lot of swearing and a lot of headdesks...
What I had to do was set up policy-based routing on the CheckPoint to make sure that incoming and outgoing traffic went in/out of the same interface. I also had to set up incoming/outgoing NAT. Unfortunately, this doesn't work if you are using a Logical Server object to NAT to the ELB CNAME. So we ended up with NAT using the local ELB IP addresses, which are subject to change, and when they do, the site goes down...
One of the reasons we needed so many IPs was that ELBs only supported a single certificate. With the new ALBs, they support multiple, so if you have a lot of different websites requiring https, you can add multiple certificates to ALBs. So we were able to merge a lot of load balancers and lower the number of IPs we needed.
Also, as Dameon stated, we are in the process of moving part of our stuff to another CheckPoint so that we can get down to 1 external interface and re-implement the Logical Server workaround so we can NAT to CNAME and not have the issue with the ALB IP changing.
Hope this helps and good luck!
Hi
Thanks for the comments.
We were already able to do the configuration and it works fine.
We configured a second external interface, and to avoid any routing problem we configured ISP Redundancy between the two external interfaces.
Thanks again. I hope this helps others.