
Cloudguard IAAS Routing doubt and S2S VPN

Hi Team,


Just a confusion about routing in Azure; I would really appreciate it if someone could help me with this doubt.

I am going to set up a Check Point cluster in Azure which will have:

  • VNET -
  • FE Subnet -
  • BE Subnet-
  • FE-FW1 -
  • FE-FW2 -
  • FE Cluster -
  • BE-FW1 -
  • BE-FW2 -
  • BE Cluster -
  • DB Subnet - 
  • App Subnet -
  • BE LB -
  • FE LB -

In this case, for the DB & App Subnet UDRs, will the NH be or

for NH or

Plus, I have received two public IP addresses, one for each of the two VMs. Since I want to configure a VPN, which public IP should be configured on the VPN Link Selection page?



Blason R




First thing: a CP cluster in Azure has these private IPs:

Frontend - 1 per GW + VIP

Backend - 1 per GW (no VIP).

Also, you get two LBs:

1 frontend (external) - has public IPs only.

1 backend (internal) - has internal private IPs only.


When you route traffic from your peered vNets, you route the default GW to the internal LB private IP.


Now regarding the VPN: both GWs get public IPs that are attached to their frontend interfaces. These are usually used to manage the GWs from a Management Server located outside their environment (on-premise or another cloud vendor).

The VIP address is attached to the primary member's frontend interface. It also has a public IP attached to it. You use this IP for the VPN configuration.

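The routing described in the reply above (workload subnets send their default route to the internal LB's private frontend IP, not to a member IP), as an added Bicep example that is not from the thread and not from Check Point's own templates. The vNet name, the subnet names and prefixes, and the internal LB frontend address are assumptions; substitute the values of your deployment.

```bicep
// Added example (not from the thread): send the App and DB subnets' default
// route to the CloudGuard cluster's internal (backend) load balancer.
// Every name, prefix and address below is an assumption for illustration.
param location string = resourceGroup().location
param vnetName string = 'vnet-cp'                  // assumed
param appSubnetPrefix string = '10.0.10.0/24'      // assumed App subnet
param dbSubnetPrefix string = '10.0.11.0/24'       // assumed DB subnet
param internalLbFrontendIp string = '10.0.2.100'   // assumed: private frontend IP of the internal LB (lives in the BE subnet)

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// One route table, attached to both workload subnets. The next hop is the
// internal LB frontend IP rather than a member IP, so a cluster failover needs
// no route changes.
resource rtViaCluster 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workloads-via-cp'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-cp-cluster'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: internalLbFrontendIp
        }
      }
    ]
  }
}

resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'App'
  properties: {
    addressPrefix: appSubnetPrefix
    routeTable: { id: rtViaCluster.id }
  }
}

resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'DB'
  properties: {
    addressPrefix: dbSubnetPrefix
    routeTable: { id: rtViaCluster.id }
  }
  dependsOn: [ appSubnet ]  // subnet writes on one vNet are serialised by Azure
}
```

Two checks before deploying: the internal Standard LB must carry an HA-ports load balancing rule (protocol All, port 0) so that every protocol and port, not just one service, is forwarded to the active member; and this route table must not be associated with the gateways' own FE or BE subnets, since a 0.0.0.0/0 route pointing back at the LB from the subnet the LB lives in creates a forwarding loop.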

Hi Nir,

Thanks for the reply. Now, regarding public IPs: do we get a VIP for the public IP address as well? And do those need to be defined in the Topology as well?


You have 3 public IPs:

1) 1 per GW - to manage the GWs from a remote location.

2) 1 on the VIP - usually used for VPN.

Check the Azure High Availability admin guide for the configuration:

Anyway, you don't define the public IPs in the Topology of the cluster, only the private IPs.


Hey Guys,

I am still confused about the inbound NAT rule after disassociating the public IP from one VM and moving it to the external LB. I have a setup whose outbound flow is working fine; however, I am having issues with inbound NAT. This is a cluster deployment.

My vnet is

Web Subnet is and web server IP is

The public IP associated was; now I have disassociated the public IP, and then, as per the SKU, I could not attach it to the LB, hence I decided to go with a new public IP.

Now, while adding the inbound NAT rule in the Azure portal:

Front end new public IP is

Service: HTTP

Port: 80

What will be my target virtual machine? cpcluster1 or cpcluster2?

What will be my member IP? The cluster VIP, member-ip1 or member-ip2?

Target port: I am sending to 9944 [this would go to Check Point].


Then on Check Point:

Original Source = Any

Original Destination = ? [It's not accepting the cluster object]

Original Service = 9944

Translated Source = Original

Translated Destination = [web server IP]

Translated Port = 80


This is the error I am getting in the portal:

Gateway: cpazurecluster
Policy: Standard
Status: Failed
- Invalid Object 'cpazurecluster' in Original Dst of Address Translation Rule 2. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.



Check the admin guide, section "Configure NAT Rules":


This will explain the NAT and the load balancer configuration.


Hi Blason,

I would use Load Balancing Rules (instead of an Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled by default, the LB will not NAT the destination IP. In this case you will see the public IP on the firewall and you can do the NAT accordingly. That's more straightforward in my opinion.

If using a Standard LB, please make sure to have a Network Security Group which allows the traffic (this is not necessary if you use a Basic LB, which is sufficient and allows the traffic by default).

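The approach in the reply above (a Standard external LB load balancing rule with Floating IP instead of an inbound NAT rule, plus an NSG that lets the published port through), as an added Bicep example that is not from the thread and not from Check Point's templates. The resource names, the probe port and the public IP SKU are assumptions; which NIC IP configuration of the cluster members goes into the backend pool is left to the Check Point Azure HA admin guide and is done outside this template.

```bicep
// Added example (not from the thread): publish a web server through the
// CloudGuard cluster with a Standard external LB *load balancing rule* that has
// Floating IP enabled, so the gateway receives the packet with the real public
// IP as destination and performs the NAT itself.
// All names, ports and addresses below are assumptions for illustration.
param location string = resourceGroup().location
param probePort int = 8117   // assumed: TCP port the gateways answer LB health probes on; take it from the HA admin guide

var lbName = 'lb-frontend'

resource webPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-web'
  location: location
  sku: { name: 'Standard' }   // a Standard LB only accepts Standard SKU public IPs
  properties: { publicIPAllocationMethod: 'Static' }
}

resource lbFe 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      { name: 'fe-web', properties: { publicIPAddress: { id: webPip.id } } }
    ]
    // Cluster members are added to this pool by their frontend NIC IP
    // configuration (per the Check Point HA admin guide), not in this template.
    backendAddressPools: [ { name: 'cp-frontend-nics' } ]
    probes: [
      {
        name: 'cp-probe'
        properties: { protocol: 'Tcp', port: probePort, intervalInSeconds: 5, numberOfProbes: 2 }
      }
    ]
    loadBalancingRules: [
      {
        name: 'web-http'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe-web') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'cp-frontend-nics') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'cp-probe') }
          protocol: 'Tcp'
          frontendPort: 80
          backendPort: 80          // Floating IP requires frontend and backend ports to be equal
          enableFloatingIP: true   // the LB leaves the destination IP untouched; the gateway NATs it
          idleTimeoutInMinutes: 4
        }
      }
    ]
  }
}

// A Standard LB is closed by default: the NSG on the gateways' frontend subnet
// or NICs must explicitly allow the published port. Health probes from the
// AzureLoadBalancer service tag are already permitted by the NSG default rules.
resource nsgFe 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-cp-frontend'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-http-from-internet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '80'
        }
      }
    ]
  }
}
```

Because Floating IP forces the frontend and backend ports to match, the intermediate 9944 port from the question is not needed: the gateway sees the public IP on port 80. On the Check Point side this pairs with a NAT rule whose Original Destination is a host object holding that public IP (the policy error above lists host among the accepted object types; the cluster object is not one), Original Service http, and Translated Destination the web server.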

Hi Blason,

In cpnat.jpg - for the NAT rule - use the attached NAT rule (create a Dynamic Object).
In webnet.jpg - for the Network IP Configuration - use the cluster VIP (not the member IP) - attached, plus a Load Balancing Rule.


Regards, Prabu
