CloudGuard Blueprint Architecture Diagrams
UPDATED JUNE 16, 2021 - AWS Gateway Load Balancer Diagrams and GCP Architecture Diagrams have been added!
This document is designed to help with deciding how to architect cloud environments. It includes reference architectures for multi-cloud and specific cloud providers. It provides a succinct, technical overview of deployment options, highlighting the values and architecture differences of each one.
Are there any videos somewhere in the community or on YouTube showing more details about the designs (AWS) in the document? I'd like to know why VPN is used between TGW and Egress VPCs, instead of standard VPC attachment to the TGW. The part with VPC peering between Ingress VPC and the rest of spokes is also interesting.
With a standard VPC attachment you are bound to the VPC's public routing. The attachments point to a subnet so you can only point to one ENI at a time. This limits you to an HA solution, you cannot use auto-scaling.
We use VPN because in AWS peering is not transitive. The better way to pass traffic across multiple CP instances is VTI (Virtual Tunnel Interfaces). TGW comes with some sort of VPN GW and has ECMP, which will load balance traffic from any source VPC to CP GW. We also use VPNs because we have automation that allows us to build tunnels with the CME (see the Cloud Management Extension R80.10 and Higher Administration Guide). It will automatically take care of everything when a new auto-scaling instance is in the auto-scaling group. It will trigger a script to build site-to-site VPNs, advertise routes, and more.
In terms of resources, I attached a PDF made by Cloud Security Architect Eugene Tcheby that goes over the differences between TGW-ASG and TGW-HA. You can also check out this webinar which goes over what is required to deploy an auto-scaling group of CG GWs:
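As an added example (not from the document or the thread above), a small boto3-style audit that checks a Transit Gateway for the pattern the answer describes: VPN ECMP enabled and more than one VPN attachment, so traffic can be spread across an auto-scaling group rather than pinned to a single ENI via a VPC attachment. The sample TGW and attachment records are constructed; the live `fetch_and_audit` helper is an assumption that needs boto3 and credentials.

```python
"""Audit a Transit Gateway for the VPN-plus-ECMP egress pattern."""
from typing import Dict, List


def audit_tgw_egress(tgw: Dict, attachments: List[Dict]) -> Dict:
    """Evaluate one TGW description plus its attachments.

    tgw: one entry of describe_transit_gateways()['TransitGateways']
    attachments: entries of describe_transit_gateway_attachments()['TransitGatewayAttachments']
    """
    ecmp = tgw.get("Options", {}).get("VpnEcmpSupport") == "enable"
    live = [a for a in attachments if a.get("State") == "available"]
    vpn = [a for a in live if a.get("ResourceType") == "vpn"]
    vpc = [a for a in live if a.get("ResourceType") == "vpc"]
    findings = []
    if not ecmp:
        findings.append("VpnEcmpSupport disabled: no load balancing across VPN paths")
    if len(vpn) < 2:
        findings.append(f"only {len(vpn)} VPN attachment(s): cannot spread traffic "
                        "across an auto-scaling group of gateways")
    return {"ecmp": ecmp, "vpn_attachments": len(vpn),
            "vpc_attachments": len(vpc), "findings": findings}


def fetch_and_audit(tgw_id: str, region: str = "us-east-1") -> Dict:
    """Live variant (assumption): requires boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample below needs no AWS access
    ec2 = boto3.client("ec2", region_name=region)
    tgw = ec2.describe_transit_gateways(TransitGatewayIds=[tgw_id])["TransitGateways"][0]
    atts = ec2.describe_transit_gateway_attachments(
        Filters=[{"Name": "transit-gateway-id", "Values": [tgw_id]}]
    )["TransitGatewayAttachments"]
    return audit_tgw_egress(tgw, atts)


# Constructed sample: ECMP on, one VPN attachment per gateway instance, one spoke VPC
SAMPLE_TGW = {"TransitGatewayId": "tgw-0example", "Options": {"VpnEcmpSupport": "enable"}}
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-1", "ResourceType": "vpn",
     "ResourceId": "vpn-1", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-2", "ResourceType": "vpn",
     "ResourceId": "vpn-2", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-3", "ResourceType": "vpc",
     "ResourceId": "vpc-spoke", "State": "available"},
]

if __name__ == "__main__":
    print(audit_tgw_egress(SAMPLE_TGW, SAMPLE_ATTACHMENTS))
```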