Deploying Auto Scaling CloudGuard gateways in Azure using VM Scale Sets
This is a step by step guide I created on how to deploy CloudGuard (Vsec) virtual gateways in Azure using virtual machine scale sets in Microsoft Azure. Feel free to comment, leave feedback or contact me directly should you have questions.
For the full list of White Papers, go here.
I know that the ARM templates are available for the VM Scale Sets. But, is it possible to deploy the Gateway Scale Sets without the ARM template, say in Terraform? I know that the ARM template accepts parameters if this was done in a different way, is there a bootstrap file or something to pass along when creating the VM?
Thank you for your response; I'd love to eventually be able to do this in Terraform as we can pass parameters as well or use a user_data file to bootstrap the VM.
Changes based on feedback received:
- Exercise 9: "LocalGatewayExternal" dynamic gateway object created applies for for Virtual machine types B2s and above (page 33), otherwise traditional dynamic gateway object "LocalGateway" applies.
Added how to configure "Hide NAT" rule in NAT policy (page 37)
- Exercise 10: Added comment on why auto-scaling of CloudGuard virtual gateways average 7-10 minutes despite tweaks in Azure Auto scaling parameters; Mostly due to First Time Wizard. New CloudGuard deployment templates including Blink in the roadmap (page 40)- Document to be updated as soon as images with improvements released.
Thanks Eugene Tcheby . I have what may be a silly question; but must ask. In this deployment where the Gateway is deployed as a Scale Set, what IP address does one use to create new NAT Rules or Policies? The Scale Set has multiple nodes, my understanding they are identical. But how is that tracked from a CheckPoint perspective when it comes to updating NAT Rules and Polices etc?
Hi Eugene, I had tried the same, but sadly ssh connection to gateway not working from management server too. I have created the allow SSH rule (with ssh, icmp services) in Access Control Policy of Gateway (SmartConsole). I have tried with destinations LocalGatewayExternal and also with individual Gateway objects, but no luck.Do we need NSG for fronted subnet? not sure as the rules there are driven by Gateway policy rules itself. Also gateways and management server are in the same frontend subnet. I have followed the document for entire configuration. Everything seems ok, except this final configuration.
I manage to establish SSH connection to Gateway. The dynamic object name on both the gateways is "LocalGateway". Now it works as expected, I tried with HTTP and RDP services.
Eugene, Oscar Medina, creating this same setup with terraform should be a simple as a terraform template including the same load balancer components and the VMSS with the Check Point image. Note that the Check Point management server will be automatically registering the gateways populated by the VMSS so no need to code anything on that side. Let us know if you have issues terraforming this 😉
Thanks https://community.checkpoint.com/people/jhija3895aba2-c664-3ac5-9425-5b0626caeb0f I ended up using the Azure ARM Templates for our CheckPoint Gateway Scale Sets, but it is awesome to know I can do that, and I should have known that, since it is a matter of picking the image from the gallery and adding the bootstrap script.
I've got similar scenario for our Management Servers which I've deployed in HA mode (primary/secondary). I am using the ARM template and modified it to include adding both nodes into an Availability Set. Do you see anything wrong with doing so? I am just trying to use Azure native capabilities for redundancy...
Not at all, any combination of Check Point HA capabilities with the cloud platform native HA is always recommended. Distributing across regions and combining on-prem mgmt. with cloud mgmt are also combinations we see in other organizations.
This is a very nice exercise that i will like to perform myself.
Although everything looks straightforward i have something to clear out.
Gateways from scale set - how we can ensure that they have the latest hotfix's included as the scaleset scales out? Is this something that concerns only the Cloud Provider, they should offer the latest images?
Thanks a lot again for this exercise which will help me a lot in mastering this solution.
When defining your scale set configuration and parameters, essentially what happens when scaling out - the additional virtual gateways being deployed are identical to the ones from your default set of Cloudguard virtual gateways. In short, should you update your original virtual gateways with the latest hotfix, auto scaling will inherit the same gateway configuration from your default virtual machines including latest hotfix if already installed
I have followed the guide, but I have problems with the NAT.
However, each gateway performs a Source NAT on the external IP. That means, the internal loadbalancer only gets packets from gateway's external IP.
That generate anti spoofing, when the internal LB / webserver is responding.
[Expert@vsecvmss000000:0]# dynamic_objects -l
object name : LocalGatewayExternal
range 0 : 10.1.0.6 10.1.0.6
object name : LocalGatewayInternal
range 0 : 10.1.50.5 10.1.50.5
Operation completed successfully
Please change the guide for the NAT section. The dynamic object has to be "LocalGatewayInternal".
Thank you for your feedback, you are absolutely right.I will update the document to reflect the recent improvements. At the time I produced document was we solution template didn't support dynamic object "local Gateway Internal" (because it didn't exist) as translated source in NAT rules. Templates have since been updated to support it. Nevertheless, I will update this document to reflect latest improvements.
We now have official releases of the Virtual Machine Scale Sets admin guide.
URL to latest guide (updated February 11th 2019) ---> Virtual Machine Scale Sets (VMSS) for Microsoft Azure R80.10 and above Administration Guide
See pages 25-26 for inbound NAT rules configuration
Also to have the latest updates on Cloudguard Solutions see SK132552 ---> Check Point CloudGuard / vSEC solutions
Hi, when we talk about template is it ARM template or we need to create a template to proceed further when we are talking about the autoprov-cfg.
""autoprov-cfg init Azure -mn "CPMgmt" -tn "template_name" ""
This template object is a Check Point object that is part of autoprovision configuration. This template is a set of configuration for gateways (SIC password, Policy to push, blades to activate etc..). Autoprovision is using a controller (set of credential) to connect to the cloud API, then autoprovision discover new machine tag with Check Point tag and on this tag understand which template to apply..
Eugene Tcheby What's the best way to make sure that during VMSS deployment, there will be certain static route entries added? Should it be via bootstrap file? Vnet where VMSS is deployed is connected via ExpressRoute and i need to make sure that set of static route entries is in place for new instances of VMSS.
by default, the VMSS has one default route, pointing to Internet on eth0.
Eth1 - which is pointing to the backend - has all RfC1918 routes (10/8, 172.16/12, 192.168/16).
Additional setting should be handled with this script: GitHub - CheckPointSW/sddc, I had a similar question in this topic: https://community.checkpoint.com/docs/DOC-3107-custom-script-example-for-autoprovision-of-autoscale-...
You'll need to install it. See the admin guide for more: