Azure Checkpoint VSEC Cluster Internal Load balancer
Hi All,
I deployed a CheckPoint VSEC cluster from the Microsoft Azure Marketplace. I see the cluster has a public load balancer, which has the two cluster gateways' outside IPs as front-end IPs.
I would like to spin up a second, internal load balancer, which will have the cluster gateways' inside IPs configured.
I am able to deploy the load balancer and add the gateway IPs fine. However, the challenge I am facing is that, in order to achieve HA in Azure, we have to configure the second load balancer name in the $FWDIR/conf/azure-ha.json file and reconf it.
I tried adding the second (internal) load balancer name after the comma; the azure_ha_cli.py isn't recognizing the second load balancer name and isn't failing over.
Has anyone tried this, and can you let me know how you are achieving HA using this method?
Thanks,
Chandru
- Tags:
- ha
- microsoft azure
In the JSON file you can specify only the public load balancer name; it doesn't count with the internal load balancer. The Azure template for the vSEC cluster is deployed per the design specified here: Deploying a Check Point Cluster in Microsoft Azure
I agree, in the JSON file you specify the load balancer name. I have an internal load balancer working fine on the eth0 interface.
I do understand the Azure template for the vSEC cluster only supports a load balancer on the eth0 interface.
It would be better if Check Point comes up having a load balancer on the eth1 interface as well.
You might want to look at the Auto Scale option; this will give you a load balancer on eth0 and eth1. Trust me, having just one load balancer in front of the cluster will give you a lot of fun.
Yes, Check Point scale sets offer load balancers on both eth0 and eth1 interfaces. However, they can only do stateless protocols like HTTP and HTTPS. It works for internet-facing apps.
I can't deploy them everywhere, since we have to inspect other stateful protocols like SQL Server, RDP, etc.
External load balancers: They are needed when you want to publish web services (a web page / application running on any server) over the Internet.
As per my understanding, internal load balancers are used for balancing the traffic loads for any server between different nodes, or to not expose servers directly to users.
What is your specific requirement for load balancers to be acknowledged by vSEC on the internal Azure plane?
All,
How do you get the cluster to answer health probes from load balancers? Even on internal interfaces.