Hi all,
Microsoft just announced Azure Gateway Load Balancer to be in Public Preview.
Check Point published the following article about this:
https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/2021/11/02/check-point-cloudg...
Configuration steps can be found at:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-...
This weekend I've tried to set this up. Basically the setup is almost identical to a normal CloudGuard Scale Set. The only difference is the fact that you need to forward traffic from an Azure Standard Load Balancer (ASLB) using a VXLAN tunnel to the Azure Gateway Load Balancer (AGLB). The AGLB forwards the traffic to one of your CloudGuard instances using VXLAN as well. The problem I am facing is the fact that no VXLAN interfaces are deployed in my CloudGuard instance. Documentation doesn't mention configuring these interfaces yourself.
Troubleshooting steps I took:
- tcpdump on eth0 shows UDP port 2001 coming from the AGLB. This is the VXLAN tunnel port.
- Created the external VXLAN tunnel interface using: add vxlan id 801 dev eth0 remote <AGLB_IP> dstport 2001
  After this, a tcpdump on interface vxlan801 immediately shows my actual test traffic arriving.
- Created the internal VXLAN tunnel interface using: add vxlan id 800 dev eth0 remote <AGLB_IP> dstport 2000
- The Known Limitations describe that the solution uses bridge mode. I did create a bridge group containing both the vxlan800 and vxlan801 interfaces but without any difference.
I am not sure if I am missing some steps in the deployment or if there is an issue with the Azure template.
Hopefully other CheckMates members can share their experience!
Leon
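A small decoder for the VXLAN traffic described in the post, added here as an example (it is not code from Leon's post nor from Check Point or Microsoft). It assumes the port-to-VNI pairing given above (UDP 2001 with VNI 801 for the external tunnel, UDP 2000 with VNI 800 for the internal one) and takes the UDP payload bytes you would pull from a capture on eth0; the point it shows is that a frame whose VNI does not match the vxlan device bound to that port is dropped by the kernel without any error, so it is visible on eth0 but never on vxlan800/vxlan801.

```python
"""Decode VXLAN-in-UDP frames and check that the VNI/port pairing matches the
tunnel interfaces configured on the gateway (VNI 801 on UDP 2001 external,
VNI 800 on UDP 2000 internal, as in the post above)."""
import struct
from dataclasses import dataclass

# dstport -> VNI the gateway's vxlan devices expect (values taken from the post;
# they must equal what the AGLB tunnel interfaces are configured to send)
EXPECTED_TUNNELS = {2001: 801, 2000: 800}
VXLAN_FLAG_I = 0x08  # "I" bit: VNI field is valid (RFC 7348)


@dataclass
class VxlanFrame:
    dstport: int
    vni: int
    vni_valid: bool
    inner_len: int  # bytes of encapsulated Ethernet frame after the header


def parse_vxlan(udp_dstport: int, udp_payload: bytes) -> VxlanFrame:
    """Parse the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if len(udp_payload) < 8:
        raise ValueError("UDP payload shorter than a VXLAN header")
    flags, tail = struct.unpack("!B3xI", udp_payload[:8])  # tail = VNI<<8 | rsvd
    return VxlanFrame(udp_dstport, tail >> 8, bool(flags & VXLAN_FLAG_I),
                      len(udp_payload) - 8)


def check_tunnel(frame: VxlanFrame, expected=EXPECTED_TUNNELS):
    """Return (ok, reason). A VNI that does not match the vxlan device bound to
    that port is discarded silently, so tcpdump on eth0 sees the traffic while
    the vxlanNNN interface stays empty."""
    if not frame.vni_valid:
        return False, "I flag clear: header carries no valid VNI"
    want = expected.get(frame.dstport)
    if want is None:
        return False, f"no tunnel configured for UDP port {frame.dstport}"
    if frame.vni != want:
        return False, f"VNI {frame.vni} on port {frame.dstport}, device expects {want}"
    return True, "ok"


def build_vxlan(vni: int, inner: bytes) -> bytes:
    """Constructed sample packet: VXLAN header with I bit set plus an inner frame."""
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner


if __name__ == "__main__":
    inner = b"\x00" * 14 + b"constructed inner Ethernet frame"
    for port, vni in ((2001, 801), (2000, 800), (2001, 800)):
        print(port, vni, check_tunnel(parse_vxlan(port, build_vxlan(vni, inner))))
```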