- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Cloudguard IAAS Routing doubt and S2S VPN
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cloudguard IAAS Routing doubt and S2S VPN
Hi Team,
Just a confusion about routing in Azure and would really appreicate if someone can help me on the doubt
I am going to setup Check Point cluster in Azure which will have
- VNET - 10.1.0.0/16
- FE Subnet - 10.1.1.0/24
- BE Subnet- 10.1.2.0/24
- FE-FW1 - 10.1.1.4/24
- FE-FW2 - 10.1.1.5/24
- FE Cluster - 10.1.1.7/24
- BE-FW1 - 10.1.2.4/24
- BE-FW2 - 10.1.2.5/24
- BE Cluster - 10.1.2.7/24
- DB Subnet - 10.1.3.0/24
- App Subnet - 10.1.4.0/24
- BE LB - 10.1.2.6/24
- FE LB - 10.1.1.6/24
In this case for DB & App Subnet UDRs will be
0.0.0.0/0 NH 10.1.2.4 or 10.1.2.6?
for 10.1.0.0/16 NH 10.1.2.4 or 10.1.2.6?
Plus I have received two public IP addresses for both the VMs. Since I wanted to configure VPN which Public IP should be configured on VPN Link selection page?
TIA
Blason R
Blason R
CCSA,CCSE,CCCS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
first thing, CP cluster in Azure has these Private IPs:
Frontend - 1 per GW + VIP
Backend - 1 per GW (no VIP).
also you get two LBs:
1 Frontend (external) - has Public IPs only.
1 backend (internal) - has internal private IPs only.
when you route traffic from your peered vNets , you route the default GW to the internal LB Private IP.
Now regarding the VPN , both GWs get Public IPs that are attached to their frontend IPs interfaces. these are usually used to manage the GWs from a Management Server located outside their environment (On-Premise or other Cloud Vendor).
The VIP IP address is attached to the Primary Member Frontend Interface. it also has a Public IP attached to it. you use this IP for VPN configuration.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nir,
Thanks for the reply; now regarding public IP do we get VIP as well for public IP adress? and those needs to be defined in Topology as well?
Blason R
CCSA,CCSE,CCCS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have 3 Public IPs:
1) 1 per GW - to manage the GWs from remote location.
2) 1 on the VIP - used usually for VPN.
check the Azure High-Availability admin guide for the configuration:
anyway , you don't define the Public IPs on the Topology of the Cluster , only the Private IPs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys,
I am still confused on Inbound NAT rule by disassociating public IP from one vm to External LB. I have setup whose outbound flow is working fine however I am having issues with Inbound NAT. This is cluster deployment
My vnet is 10.2.0.0/16
Web Subnet is 10.2.2.0/24 and web server IP is 10.2.2.4
Public IP associated was 20.30.40.50; now I have disassociated the public IP and then as per SKU I could not attach to LB hence I decided to go with new public IP.
Now while adding Inbound NAT rule in Azure portal
Front End new Public IP is 13.82.65.188
Service : HTTP
Port: 80
What will be my Target virtual machine? cpcluster1 or cpcluster2?
What will be my member-ip ? cluster VIP or member-ip1 or member-ip2
Target port I am sending at 9944 [ This would go to Check Point]
***********
Then on Check Point
Osource = Any
Odst =? [Its not accepting cluster object] [
OService = 9944
Xsource = original
xlate Dst = 10.2.2.4 [web server IP]
xlate port = 80
This is what error I am getting on portal
Gateway: cpazurecluster
Policy: Standard
Status: Failed
- Invalid Object 'cpazurecluster' in Original Dst of Address Translation Rule 2. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
--------------------------------------------------------------------------------
Blason R
CCSA,CCSE,CCCS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Check the admin guide from " Configure NAT Rules"
this will explain the NAT and the load balancer configuration.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Blason,
I would use Load Balancing Rules (instead of a Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled per default, the LB will not NAT the Destination IP. In this case you will see the Public IP on the Firewall and you can do the NAT accordingly. That´s more straightforward in my opinion.
If using a Standard LB, please make sure to have a Network Security Group which has to allow the traffic (this is not necessary if you use a Basic LB which is sufficient and allows the traffic per default).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content