RLopez
Explorer

Cloudguard cluster in Azure and VPN

Hello, 

I have some doubts about the template in the Azure marketplace and the deployment guide available online. The marketplace template also deploys 2 load balancers, in front of and behind the cluster, in order to manage the HA.

The front load balancer has a public IP, and it manages the incoming connections to the active firewall. It is able to do this with TCP and UDP, but not with other protocols such as ESP. So how does it manage the ESP traffic of a VPN? I tried it in a lab, but I was not able to make it work.

Thanks in advance!

6 Replies
Shay_Levin
Admin

Hi @RLopez

The termination of the VPN tunnel is not on the load balancer.

The CP cluster has a virtual public IP address that is used for VPN termination.

Check Step 10 in the admin guide on how to configure VPN, here.

RLopez
Explorer

Hello,

Thank you @Shay_Levin! So if this cluster does not publish anything on the internet from the Azure cloud, and it only does a VPN with the on-premises DC and its firewalling, are the load balancers of the Azure template still needed? I understood that they manage the flow of the incoming traffic in case of a failover event, including the VPN traffic...

Nir_Shamir
Employee

If you don't need to publish any applications, then the frontend-lb is not used and you can delete it, but I would leave it there for future use.

The internal-lb is a must-have because we don't have a VIP on the internal network, and we use it to pass the traffic to the ACTIVE member.

All the internal traffic is routed towards it and from it to the ACTIVE member.

The external VIP will fail over without the use of the frontend-lb.

Shay_Levin
Admin

Regarding the recommendation for keeping the external LB, if he doesn't need it, it's completely safe to delete it and add a new one when he needs it.

John_Richards
Participant

I tried the link above and it comes back as "not found". Would it be possible to re-post the link or make the document available for download?
