cdav
Contributor

Deploy AWS Cross-AZ Cluster without Public Addresses/EIPs

Hi CheckMates,

Can I deploy a cross-AZ cluster without the public addresses? The template from CheckPoint deploys with public connectivity, and this isn't necessarily a requirement for my use case as it would only be serving east/west/south traffic. I am thinking the EIP used for the cluster address could be configured as any ENI and that SmartConsole does not require it for any critical functionality? Appreciate I might be corrected there 😅

Ideally the template I create would include 2 public and 2 private subnets for ingress/egress and sync. The ENIs in the public subnet won't have associated public addresses (or could use 4 private subnets). Outbound connectivity can be routed via a NAT gateway in the same VPC or via transit gateway to my outbound VPC and NATed.

Any help/advice will be greatly appreciated.

C

5 Replies
Shay_Levin
Admin

Hi,

1. Cross-AZ cluster will not work without a public VIP.

2. With a single-AZ cluster you have the option to use public or private.

3. If a VPN is unnecessary, I recommend using VMSS GWLB.

cdav
Contributor

Could there be future developments to negate this requirement? Would be nice to not have to provision public endpoints when they're not required.

I have deployed a GWLB cluster to manage egress traffic - these are currently deployed with public addresses as it's deployed from template, but again I'm in the process of creating my own. Assuming these can be deployed without the public addresses?

Thanks for confirming.

Roman_Kats
Employee

Hi @cdav 

Cross-AZ Cluster members are located in different Availability Zones, hence in different subnets.

[Image: Cross AZ subnets.jpg]

Using private IPs only means the Cluster IP (VIP) has to be part of a subnet range that belongs to both cluster members. Since the subnet ranges of the cluster members are completely different, there is no way to define a Cluster IP.
The way it can be achieved is to associate an Elastic IP with the private IP of the active cluster member and move it to the other member in case of failover.

The GWLB solution can be deployed without elastic IPs, this option is available in our CFT and Terraform templates.
The GWLB solution supports East-West and North-South traffic flows.
For more details refer to:
CloudGuard Network for AWS Gateway Load Balancer Auto Scale Group Deployment Guide

GWLB Workshop - https://unrivaled-melba-1a81a6.netlify.app/
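To make the failover mechanism Roman describes concrete, here is an added example (not from this thread and not Check Point's own cluster code or templates): the cluster VIP is an Elastic IP bound to a private IP on the active member's ENI, and on failover it is re-associated onto the other member's ENI in its own AZ subnet. The EC2 client is injected so the logic can be exercised offline; with boto3 you would pass `boto3.client("ec2")`. Member names, ENI ids, subnets and IPs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    eni_id: str       # ENI in the member's front subnet; each AZ has its own subnet
    private_ip: str   # private IP on that ENI that carries the cluster VIP (EIP)


# Constructed values: the members sit in different AZs, so their subnets never
# overlap and no single private VIP can belong to both. The EIP is the only
# address that can follow the active member across the two subnets.
MEMBERS = (
    Member("cp-member-a", "eni-0aaaaaaaaaaaaaaa1", "10.0.1.10"),  # 10.0.1.0/24, AZ a
    Member("cp-member-b", "eni-0bbbbbbbbbbbbbbb2", "10.0.2.10"),  # 10.0.2.0/24, AZ b
)


def current_holder(ec2, allocation_id):
    """Return the ENI id the EIP is currently associated with, or None if unassociated."""
    addr = ec2.describe_addresses(AllocationIds=[allocation_id])["Addresses"][0]
    return addr.get("NetworkInterfaceId")


def failover_vip(ec2, allocation_id, new_active):
    """Re-associate the cluster EIP onto the newly active member.

    Returns the associate_address parameters that were sent, or None when the
    EIP already sits on that member (idempotent: no API call is made).
    """
    target = next((m for m in MEMBERS if m.name == new_active), None)
    if target is None:
        raise ValueError(f"unknown cluster member {new_active!r}")
    if current_holder(ec2, allocation_id) == target.eni_id:
        return None
    params = dict(
        AllocationId=allocation_id,
        NetworkInterfaceId=target.eni_id,
        PrivateIpAddress=target.private_ip,
        # The EIP is still bound to the old active member at this point; without
        # AllowReassociation the call is rejected instead of moving the address.
        AllowReassociation=True,
    )
    ec2.associate_address(**params)
    return params
```

In production the caller should only be the cluster's own failover path (or a tightly scoped automation role limited to `ec2:DescribeAddresses` and `ec2:AssociateAddress` on that allocation), since whoever can re-associate the EIP decides which member receives the cluster's traffic.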

cdav
Contributor

Hi @Roman_Kats thank you for the above!

Yes, I understand the point regarding gateways being in different AZs/subnets. Are you saying there is a way to achieve private clustering? My understanding would be:

  1. Deploy cluster members with interfaces in the "public" subnet but no associated public address.
  2. Create an additional ENI and map it to the active member's public ENI.
  3. In the event of failover, construct a method for moving the ENI to the new active member's ENI.
  4. Still leave the "private/internal" interfaces for SYNC.

Regards,

C

cdav
Contributor

Completely misunderstood your response. Can see this isn't achievable.

Many thanks
