Additional External IP (AWS)
The customers has a cluster R80.10 on AWS environment.
The front-end 172.31.19.x with public IP address (eth0)
The back-en 172.31.18.x (eth1)
On the front-end interfaces are configured severals subiterfaces to public services, something like this
But the customer reach the limit of interface to associate public IP address and need to public more.
We try to do that add another external interface but it does not work.
Anyone how which is the procedure in this case??
Both the number of interfaces and the number of IPs you can associate to a given interface are a function of the AWS instance size you are using.
Your options are:
- Use an elastic load balancer, which can also rewrite the source port for an incoming connection (allowing you to reduce the number of IPs assigned to the gateway).
- Use more (smaller) gateways to protect these servers.
We ran into this exact same issue with AWS. In order to get more IPs, we had to add another external interface. It's a pain... There was a lot of tinkering involved, a lot of swearing and a lot of headdesks...
What I had to do was setup policy based routing on the CheckPoint to make sure that incoming and outgoing traffic went in/out of the same interface. I also had to setup incoming/outgoing NAT. Unfortunately, this doesn't work if you are using a Logical Server object to NAT to the ELB CNAME. So we ended up with NAT using the local ELB IP addresses which are subject to change, and when they do, the site goes down...
One of the reasons we needed so many IPs was that ELB's only supported a single certificate. With the new ALBs, they support multiple so if you have a lot of different websites requiring https, you can add multiple to ALBs. So we were able to merge a lot of load balancers and lower the number of IPs we needed.
Also, as Dameon stated, we are in the process of moving part of our stuff to another CheckPoint so that we can get down to 1 external interface and re-implement the Logical Server workaround so we can NAT to CNAME and not have the issue with the ALB IP changing.
Hope this helps and good luck!
Thanks for the comments.
We already be able to do the configuration and works fine.
We configure a second external Interface, to avoid any routing problem we configure ISP Redundancy between two external Interfaces.
Thanks again. I hope this help for others