This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maya_Levine
Employee
Employee
‎2020-10-28 04:14 PM

CloudGuard Blueprint Architecture Diagrams

UPDATED JUNE 16, 2021 - AWS Gateway Load Balancer Diagrams and GCP Architecture Diagrams have been added!

 

This document is designed to help with deciding how to architect cloud environments. It includes reference architectures for multi-cloud and specific cloud providers. It provides a succinct, technical overview of deployment options, highlighting the values and architecture differences of each one.

 

 

Preview file
2046 KB
4 Replies
mk1
Collaborator
‎2020-10-29 01:05 AM

Very useful document! Thank you!

mk1
Collaborator
‎2021-03-01 12:10 AM

Hello @Maya_Levine,

Is there any videos somewhere in the community or in YouTube showing more details about the designs (AWS) in the document? I'd like to know why VPN is used between TGW and Egress VPCs, instead of standard VPC attachment to the TGW. The part with VPC peering between Ingress VPC and the rest of spokes is also interesting.

Thank you!

0 Kudos
Maya_Levine
Employee
Employee
‎2021-03-02 11:12 AM
In response to mk1

Hello, 

With a standard VPC attachment you are bound to the VPC's public routing. The attachments point to a subnet so you can only point to one ENI at a time. This limits you to an HA solution, you cannot use auto-scaling. 

We use VPN because in AWS peering is not transitive. The better way to pass traffic across multiple CP instances is VTI (Virtual Tunnel Interfaces). TGW comes with some sort of VPN GW and has ECMP, which will load balance traffic from any source VPC to CP GW. We also use VPNs because we have automation that allows us to build tunnels with the CME (see the Cloud Management Extension R80.10 and Higher Administration Guide). It will automatically take care of everything when a new auto-scaling instance is in the auto-scaling group. It will trigger a script to build site to site VPNs, advertise routes, and more. 

In terms of resources, I attached a PDF made by Cloud Security Architect Eugene Tcheby that goes over the differences between TGW-ASG and TGW-HA. You can also check out this webinar which goes over what is required to deploy an auto-scaling group of CG GWs:

 
Best Regards, 
Maya
Preview file
868 KB
mk1
Collaborator
‎2021-03-03 11:27 PM
In response to Maya_Levine

Thank you for your reply and for the useful links and file!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events