Deep Dive - Azure Gateway Load Balancer and CloudG...

Shay_Levin · ‎2021-12-09

The new Azure GWLB service simplified the network architecture and allow you to easily get security services using third-party virtual appliances.

Check the Deep Dive video below for a deep dive walkthrough

Prabulingam_N1 · ‎2021-12-15

Hi Shay,

Thanks for this Deep-dive session.

If in case I deploy CG (Cluster or VMSS) and place below FrontendLB so that it can protect internal Webservers - what difference it makes rather than creating GLB with CG pools as described?

Still we can perform E-W or N-S traffic inspection if CG placed below FrontendLB.

Whats the advantage of this New topology compared to CG placed below FrontendLB.

Regards, Prabu

Shay_Levin · ‎2021-12-15

The main advantage of the GWLB solutions is that you don't need to change the source IP address of the packet for ingress traffic.

So, your webservers will see the client's original source IP address.

With the "regular" scale set deployment, you will need to create a NAT rule that replaces the client's original source IP of the packet with the GW IP address for ingress traffic.

The second advantage is that it’s effortless to connect vNets to the service and protect them; also, the consumer vNet can be located in a different region and on another tenant.

With the “regular” scale set / cluster, you will need to create vNet peering and set UDRs.

The disadvantage of the solution is that Azure does not support E/W traffic for now.

I believe they will solve that limitation soon; as they already got heads up on that.

I hope I answer your question

--Shay

Prabulingam_N1 · ‎2021-12-15

Hello Shay,

Hope E/W traffic can be covered in future.

Thanks for explanation.

Regards, Prabu

sumeetkashyap · ‎2023-08-25

Hi @Shay_Levin,

I have tried GLB with CG , Seems solution is not working in Azure platform .

I can inbound traffic reaching till firewall but there us no response from firewall .
tcpdump is able to capture the inbound packets but same is not getting captured with fw monitor.

fw ctl zdebug + drop doen't show any drops and for same traffic logs are also not reflecting on smart console.

Interface config :
[Expert@cicppocgw0:0]# tcpdump -nni vxlan801
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxlan801, link-type EN10MB (Ethernet), capture size 262144 bytes
09:29:43.831533 IP 165.225.124.115.49471 > 20.235.104.161.443: Flags [S], seq 3719711221, win 65535, options [mss 1460,sackOK,eol], length 0
09:29:43.832747 IP 165.225.124.115.49470 > 20.235.104.161.443: Flags [S], seq 3413802471, win 65535, options [mss 1460,sackOK,eol], length 0
09:29:44.494574 IP 123.129.217.197.6028 > 20.235.104.161.23: Flags [S], seq 350972065, win 24524, length 0
09:29:46.244334 IP 193.57.40.49.49030 > 20.235.104.161.13899: Flags [S], seq 519229892, win 1024, length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[Expert@cicppocgw0:0]# ^C
[Expert@cicppocgw0:0]# tcpdump -nni vxlan801
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxlan801, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Tcpdump ;
=======
[Expert@cicppocgw0:0]# tcpdump -nni vxlan801
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxlan801, link-type EN10MB (Ethernet), capture size 262144 bytes
09:29:43.831533 IP 165.225.124.115.49471 > 20.235.104.161.443: Flags [S], seq 3719711221, win 65535, options [mss 1460,sackOK,eol], length 0
09:29:43.832747 IP 165.225.124.115.49470 > 20.235.104.161.443: Flags [S], seq 3413802471, win 65535, options [mss 1460,sackOK,eol], length 0
09:29:44.494574 IP 123.129.217.197.6028 > 20.235.104.161.23: Flags [S], seq 350972065, win 24524, length 0
09:29:46.244334 IP 193.57.40.49.49030 > 20.235.104.161.13899: Flags [S], seq 519229892, win 1024, length 0

==============
fw monitor

=====

[Expert@cicppocgw0:0]# fw monitor -e "host(20.235.104.161),accept;"
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
************************************************************** NOTE **************************************************************
*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***
************************************************************************************************************************************
FW monitor will record only ip & transport layers in a packet
For capturing the whole packet please do -w
PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
PPAK 0: Get before set operation succeeded of fwmonitormaxpacket
PPAK 0: Get before set operation succeeded of fwmonitormask
PPAK 0: Get before set operation succeeded of fwmonitorallocbufs
PPAK 0: Get before set operation succeeded of printuuid

================

[Expert@cicppocgw0:0]# fw ctl zdebug drop | grep 20.235.104.161

Shay_Levin · ‎2023-08-29

Hi,

I have just deployed it last week, didn't have any issue.

i guess some kind of configuration issue.

Drop me an email shayl@checkpoint.com , let's schedule a zoom call to solve it out

Are you a member of CheckMates?

Deep Dive - Azure Gateway Load Balancer and CloudGaurd AutoScale Integration