Gongya_Yu
Collaborator

Cloudguard deployment best practices

We are in the process of deploying CloudGuard with Check Point assistance, and I am also watching a few Check Point deployment videos. I noticed a few architecture options we moved from and to. As the change is hard after the deployment is done, I have the following questions:

1. Cluster failover pros and cons:

    For our CloudGuard deployment in AWS, our cluster failover is achieved via the API updating the route table. When we came to the Azure deployment, we had an LB.

    Does AWS have an LB option too?

    Is an LB a must for Azure? (Note: we do not need northbound, only southbound to on-prem.)

2. Using Route Server or not

    Given the differences in routing approaches between AWS and Azure, should Route Servers be used or not?

3. VNet for CloudGuard

    Should CloudGuard be deployed in the same VNet as other network components or in its own dedicated VNet?

Any suggested best practices for these options?

Thanks a lot!!

Accepted Solution

Nir_Shamir
Employee

1. AWS doesn't have an LB option, everything works with API. We used to have the same in Azure until we moved to work with LBs. The API failover in AWS is pretty fast and usually you don't even notice it.

2. Route Servers are more dynamic than the regular UDRs. If you have a small static network then I would use UDRs. For large networks and VNETs + constant changes I would use Route Servers to ease the operation of changes.

3. I always deploy the CloudGuard GWs in a separate compartment (VNET or VPC etc.). It's easier to manage it and it doesn't mix up with the rest of your networks.

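The AWS failover Nir describes (the cluster updating the route table through the API, no LB involved) looks roughly like this in code. This is an added illustration, not Check Point's cluster code: the route table id, CIDR and ENI ids are constructed placeholders, and the FakeEC2 class stands in for a boto3 EC2 client so the example runs offline.

```python
"""Illustrative AWS route-table failover step (added example, not Check Point code).
A cluster member takes over by repointing the spoke default route at its own ENI.
The update is idempotent: a retry, or a member that is already active, issues no
API write. Duck-typed, so the in-memory fake below or a real boto3 client works."""


def failover_route(ec2, route_table_id, cidr, active_eni):
    """Point `cidr` in `route_table_id` at `active_eni`; return the action taken."""
    tables = ec2.describe_route_tables(RouteTableIds=[route_table_id])["RouteTables"]
    routes = tables[0]["Routes"]
    current = next((r for r in routes if r.get("DestinationCidrBlock") == cidr), None)
    if current is None:
        ec2.create_route(RouteTableId=route_table_id, DestinationCidrBlock=cidr,
                         NetworkInterfaceId=active_eni)
        return "created"
    if current.get("NetworkInterfaceId") == active_eni:
        return "unchanged"  # already on the active member: no API write
    ec2.replace_route(RouteTableId=route_table_id, DestinationCidrBlock=cidr,
                      NetworkInterfaceId=active_eni)
    return "replaced"


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client (constructed for offline use)."""
    def __init__(self, routes):
        self.routes = routes  # route dicts in boto3's response shape, mutated in place
        self.calls = []  # record of write calls, for inspection

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": RouteTableIds[0], "Routes": self.routes}]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append(("replace_route", DestinationCidrBlock, NetworkInterfaceId))
        for r in self.routes:
            if r.get("DestinationCidrBlock") == DestinationCidrBlock:
                r["NetworkInterfaceId"] = NetworkInterfaceId

    def create_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append(("create_route", DestinationCidrBlock, NetworkInterfaceId))
        self.routes.append({"DestinationCidrBlock": DestinationCidrBlock,
                            "NetworkInterfaceId": NetworkInterfaceId})


if __name__ == "__main__":
    # Constructed sample: spoke route table whose default route points at member A.
    ec2 = FakeEC2([{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-memberA"}])
    print(failover_route(ec2, "rtb-spoke", "0.0.0.0/0", "eni-memberB"))  # replaced
    print(failover_route(ec2, "rtb-spoke", "0.0.0.0/0", "eni-memberB"))  # unchanged
```

With a real client the member's instance role only needs DescribeRouteTables, ReplaceRoute and CreateRoute on the spoke route tables it fails over, which is the least-privilege scope to grant it.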
2 Replies
the_rock
Legend

You got the answer.

Andy
