Cloudguard IAAS Routing doubt and S2S VPN
Just a confusion about routing in Azure and would really appreicate if someone can help me on the doubt
I am going to setup Check Point cluster in Azure which will have
- VNET - 10.1.0.0/16
- FE Subnet - 10.1.1.0/24
- BE Subnet- 10.1.2.0/24
- FE-FW1 - 10.1.1.4/24
- FE-FW2 - 10.1.1.5/24
- FE Cluster - 10.1.1.7/24
- BE-FW1 - 10.1.2.4/24
- BE-FW2 - 10.1.2.5/24
- BE Cluster - 10.1.2.7/24
- DB Subnet - 10.1.3.0/24
- App Subnet - 10.1.4.0/24
- BE LB - 10.1.2.6/24
- FE LB - 10.1.1.6/24
In this case for DB & App Subnet UDRs will be
0.0.0.0/0 NH 10.1.2.4 or 10.1.2.6?
for 10.1.0.0/16 NH 10.1.2.4 or 10.1.2.6?
Plus I have received two public IP addresses for both the VMs. Since I wanted to configure VPN which Public IP should be configured on VPN Link selection page?
first thing, CP cluster in Azure has these Private IPs:
Frontend - 1 per GW + VIP
Backend - 1 per GW (no VIP).
also you get two LBs:
1 Frontend (external) - has Public IPs only.
1 backend (internal) - has internal private IPs only.
when you route traffic from your peered vNets , you route the default GW to the internal LB Private IP.
Now regarding the VPN , both GWs get Public IPs that are attached to their frontend IPs interfaces. these are usually used to manage the GWs from a Management Server located outside their environment (On-Premise or other Cloud Vendor).
The VIP IP address is attached to the Primary Member Frontend Interface. it also has a Public IP attached to it. you use this IP for VPN configuration.
you have 3 Public IPs:
1) 1 per GW - to manage the GWs from remote location.
2) 1 on the VIP - used usually for VPN.
check the Azure High-Availability admin guide for the configuration:
anyway , you don't define the Public IPs on the Topology of the Cluster , only the Private IPs.
I am still confused on Inbound NAT rule by disassociating public IP from one vm to External LB. I have setup whose outbound flow is working fine however I am having issues with Inbound NAT. This is cluster deployment
My vnet is 10.2.0.0/16
Web Subnet is 10.2.2.0/24 and web server IP is 10.2.2.4
Public IP associated was 220.127.116.11; now I have disassociated the public IP and then as per SKU I could not attach to LB hence I decided to go with new public IP.
Now while adding Inbound NAT rule in Azure portal
Front End new Public IP is 18.104.22.168
Service : HTTP
What will be my Target virtual machine? cpcluster1 or cpcluster2?
What will be my member-ip ? cluster VIP or member-ip1 or member-ip2
Target port I am sending at 9944 [ This would go to Check Point]
Then on Check Point
Osource = Any
Odst =? [Its not accepting cluster object] [
OService = 9944
Xsource = original
xlate Dst = 10.2.2.4 [web server IP]
xlate port = 80
This is what error I am getting on portal
- Invalid Object 'cpazurecluster' in Original Dst of Address Translation Rule 2. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
Check the admin guide from " Configure NAT Rules"
this will explain the NAT and the load balancer configuration.
I would use Load Balancing Rules (instead of a Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled per default, the LB will not NAT the Destination IP. In this case you will see the Public IP on the Firewall and you can do the NAT accordingly. That´s more straightforward in my opinion.
If using a Standard LB, please make sure to have a Network Security Group which has to allow the traffic (this is not necessary if you use a Basic LB which is sufficient and allows the traffic per default).