- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Azure Scale Set - CloudGuard - Is source NAT neces...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure Scale Set - CloudGuard - Is source NAT necessary?
Hi, we are thinking on deploying a multiple Gateways in a Scale Set solution in Azure. How is assymetric routing avoided with this solution? I know that some time ago, we had to use source NAT, but we would not like to apply this solution for our network.
On the other hand, as far I know, in Azure we have not something similar to AWS Gateway Load Balancer which uses geneve to ensure that the replay goes using the same firewall instance.
Fortinet has the FGSP protocol which syncs sessions within all firewall instances in the cluster, so it is not a problem if the traffic goes through one intance, and the replay goes through a different one. Is there something similar for Check Point? Thanks.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. The SNAT for N-S traffic is mentioned in the traffic flow "animated GIFs". Perhaps we can make it more clear in the admin guide - will put it on the list.
You are also correct that you will need two separate deployments - one with GWLB and one regular VMSS. A regular VMSS cannot work with GWLB (GWLB required VXLAN tunnels and in general operates differently).
One more option to consider is to use XFF header feature on the VMSS for N-S traffic. Traffic will still be NATed but you will have XFF headers.
Thanks,
Dmitry
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do you think this is a General Topic ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure GWLB via VXLAN:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I missed that Azure has released a GWLB similar to AWS GWLB.
After checking the below video, it looks like it is still a preview solution, and it does not work for inspecting the east-west traffic, right? In case we want to inspect east-west traffic through Gateways in a scale set, and without having to deploy an External LB, is there a way to achieve this keeping aside from using source nat?
https://www.youtube.com/watch?v=gN74syBIJio
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sure. You can deploy a VMSS solution without an External Load Balancer and only use it for East West traffic inspection.
The Load Balancer combination can be selected as part of the deployment template.
For East-West traffic, as long as the request and reply go via the Internal Load Balancer (as documented) you will not have to S-NAT the traffic.
Refer to the "East West" and "East West Reply" sections in the traffic flows page:
Thanks,
Dmitry
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Dmitry_Gorn,
Thank you very much for the helpful information.
So, if I have understood everything correctly:
- You have shared information about two different deployments Plans.
- Public Preview CloudGuard Gateway Load Balancer
- This Plan only requires one subnet (FrontEnd subnet)
- This Plan does not require SNAT for external traffic. We have to chain a Public LB or Standar IP of our applications to our GWLB deployed in this Plan.
- This deployment only works for North/South traffic.
- CloudGuard Scale Set
- This Plan requires two subnets (FrontEnd and BackEnd subnets)
- This Plan DOES NOT require SNAT for East/West traffic, because the Azure Internal LB is aware of the replay traffic, and sends the replays to the right Gateway to avoid asymmetric routing issues.
- This Plan DOES requiere SNAT for North/South traffic. It is not especifically pointed in the document, but jugding for the Traffic Flows section, it is likely that SNAT is required for sure.
- Public Preview CloudGuard Gateway Load Balancer
Now, the thing is that we would like to find a solution able to inspect both, N/S and E/W traffic, without using SNAT for any of these traffic flows. Assuming that it is not possible for E/W Traffic to point to the GWLB and it just works if you link a Public LB or Standard IP to it, in order to be able to inspect N/S and E/W traffic flows, we would need to different deployments Plans, right? Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. The SNAT for N-S traffic is mentioned in the traffic flow "animated GIFs". Perhaps we can make it more clear in the admin guide - will put it on the list.
You are also correct that you will need two separate deployments - one with GWLB and one regular VMSS. A regular VMSS cannot work with GWLB (GWLB required VXLAN tunnels and in general operates differently).
One more option to consider is to use XFF header feature on the VMSS for N-S traffic. Traffic will still be NATed but you will have XFF headers.
Thanks,
Dmitry
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much!