This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CP-NDA
Collaborator
‎2023-01-17 03:31 AM
Jump to solution

Filter VNET Peering traffic

Hi,

 

We are setting up some VNET Peerings between multiple subscription

VNET Peering are UP and connected however we are not able to filter traffic coming from these VNET (Peered) via the CloudGuard GW

When working with local subnet we jut change the UDR to use CloudGuard as a Gateway however that feature is not availbale with the VNET Peering.

Do we need to implement a Transit GW ?

Is there any documentation / support on this setup ?

Thank you

0 Kudos
1 Solution

Accepted Solutions
Nir_Shamir
Employee Employee
Employee
‎2023-01-17 03:45 AM
Jump to solution

Hi,

what you need to do is to add a UDR in the peered subnet (the one that is peered to the GW vNet) and forward the traffic that you need inspected to the GW IP (if its a single GW) or the Internal-LB IP (if it's a cluster or VMSS).

the peered subnet can reach that IP because of the peering and will route the traffic directly to the GWs via the peering connection.

View solution in original post

4 Replies
Nir_Shamir
Employee Employee
Employee
‎2023-01-17 03:45 AM
Jump to solution

Hi,

what you need to do is to add a UDR in the peered subnet (the one that is peered to the GW vNet) and forward the traffic that you need inspected to the GW IP (if its a single GW) or the Internal-LB IP (if it's a cluster or VMSS).

the peered subnet can reach that IP because of the peering and will route the traffic directly to the GWs via the peering connection.

CP-NDA
Collaborator
‎2023-01-17 03:47 AM
In response to Nir_Shamir
Jump to solution

Hi @Nir_Shamir 

 

I will do the test but in terms of security we are not managing the second tenant. So if the UDR is changed that means they will have full access to our VNET?

How can we control that setting ?

Thank you

 

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2023-01-17 04:02 AM
In response to CP-NDA
Jump to solution

you can deploy NSGs on your Subnets.

Also if you Subnets have UDRs to have the return traffic go through the Firewall then even if they don't do the UDR on their end they might reach your resources directly but the return traffic will go through the Firewall which will drop those connections as Out Of State and they won't be able to reach them or open any connections to them.

0 Kudos
CP-NDA
Collaborator
‎2023-01-17 04:18 AM
In response to Nir_Shamir
Jump to solution

@Nir_Shamir  Indeed we've been able to validate the Out of state during our tests but I though that it would be possible to have a more secure and best solution. the traffic should not hit the machines even if they change the UDR

I will check with NSG to only allow connection to CloudGuard from the remote tenant

Thank you !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events