CheckMates > CloudMates Products > Cloud Network Security > Discussion
How do I NAT multiple hosts on port 443 or 80 behind a CloudGuard Azure firewall?
Hi Team,
As a standard practice I am deploying a vSEC firewall in Azure with 1 VNet and 4 subnets:
10.1.1.0/24 Frontend
10.1.2.0/24 backend
10.1.3.0/24 Web Servers
What I understood from the documents is:
I need to put a route for 10.1.3.0 on the firewall and define a UDR in the Azure portal for outbound traffic. Now, since I have around 4 web servers in the 10.1.3.x network, I guess we are NATting all those servers behind the 10.1.1.x subnet or behind the firewall IP address.
In this case my original destination would be 10.1.1.10 [firewall external IP] and the translated destination IP is 10.1.3.10 [web server].
For the next server, can I then use 10.1.1.20:443 [virtual IP from a pool] and NAT it to 10.1.3.20:443 by adding proxy ARP for 10.1.1.20 on the firewall?
Blason R
CCSA,CCSE,CCCS
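The plan in the post (one frontend address per web server, all on port 443) can be checked before touching the gateway. The following is an added example, not code from the post or from Check Point: it models the static destination-NAT table as a list of rules, translates an inbound packet and the server's reply, and flags the two things a reviewer would question in the sketch above. The addresses are the post's own; the 203.0.113.x frontend addresses, the `how` vocabulary (how the frontend address exists on the Azure side) and the function names are assumptions. Two facts drive the checks: the Azure fabric does not learn addresses from a VM's proxy ARP, so a frontend address has to be configured in Azure (NIC secondary IP configuration or load-balancer frontend); and the Gaia portal listens on 443 on the gateway's own addresses by default, so publishing 443 on 10.1.1.10 shares that port with it.

```python
"""Static destination-NAT plan checker for publishing several web servers
behind a CloudGuard gateway in Azure.  Added example; not Check Point code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Topology taken from the post (constructed model, not a live environment).
FRONTEND_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # gateway external side
WEB_SUBNET = ipaddress.ip_network("10.1.3.0/24")         # web servers
GATEWAY_EXT_IP = ipaddress.ip_address("10.1.1.10")       # gateway external IP
GAIA_PORTAL_PORT = 443   # Gaia WebUI default port (changeable with `set web ssl-port`)

# How a frontend address exists on the Azure side.  Assumed vocabulary.
GATEWAY_NIC = "gateway-nic"      # the gateway's own primary IP
NIC_SECONDARY = "nic-secondary"  # secondary IP configuration on the external NIC
LB_FRONTEND = "lb-frontend"      # frontend IP on the external load balancer
PROXY_ARP = "proxy-arp"          # only answered by proxy ARP on the gateway


@dataclass(frozen=True)
class NatRule:
    """One static NAT rule: original vip:vport -> translated server:sport."""
    vip: ipaddress.IPv4Address
    vport: int
    server: ipaddress.IPv4Address
    sport: int
    how: str


def rule(vip: str, vport: int, server: str, sport: int, how: str) -> NatRule:
    return NatRule(ipaddress.ip_address(vip), vport,
                   ipaddress.ip_address(server), sport, how)


def check_plan(rules: List[NatRule]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    seen = {}
    for r in rules:
        key = (r.vip, r.vport)
        if key in seen and seen[key] != r.server:
            problems.append(f"{r.vip}:{r.vport} is claimed by both {seen[key]} and "
                            f"{r.server}; one frontend address/port pair reaches one server")
        seen[key] = r.server
        # Addresses living on the gateway NIC must be in its subnet; LB frontends are not.
        if r.how != LB_FRONTEND and r.vip not in FRONTEND_SUBNET:
            problems.append(f"{r.vip} is outside the frontend subnet {FRONTEND_SUBNET}")
        if r.server not in WEB_SUBNET:
            problems.append(f"{r.server} is outside the web subnet {WEB_SUBNET}")
        if r.how == PROXY_ARP:
            problems.append(f"{r.vip}: the Azure fabric does not learn addresses from proxy "
                            "ARP; add it as a NIC secondary IP or a load-balancer frontend")
        if r.vip == GATEWAY_EXT_IP and r.vport == GAIA_PORTAL_PORT:
            problems.append(f"{r.vip}:{r.vport} shares port {GAIA_PORTAL_PORT} with the "
                            "Gaia portal on the gateway itself")
    return problems


def translate_inbound(rules: List[NatRule], dst_ip: str,
                      dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination translation for a packet arriving from the client side."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.vip == dst and r.vport == dst_port:
            return (str(r.server), r.sport)
    return None


def translate_reply(rules: List[NatRule], src_ip: str,
                    src_port: int) -> Optional[Tuple[str, int]]:
    """Reverse translation for the server's reply (source rewritten back to the vip)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.server == src and r.sport == src_port:
            return (str(r.vip), r.vport)
    return None


# The plan as sketched in the post: gateway IP for the first server, a
# proxy-ARP address for the second.
POSTED_PLAN = [
    rule("10.1.1.10", 443, "10.1.3.10", 443, GATEWAY_NIC),
    rule("10.1.1.20", 443, "10.1.3.20", 443, PROXY_ARP),
]

# A plan that passes: each server gets its own load-balancer frontend address
# (203.0.113.x are constructed placeholders for public IPs).
LB_PLAN = [
    rule("203.0.113.10", 443, "10.1.3.10", 443, LB_FRONTEND),
    rule("203.0.113.20", 443, "10.1.3.20", 443, LB_FRONTEND),
    rule("203.0.113.20", 80, "10.1.3.20", 80, LB_FRONTEND),
]

if __name__ == "__main__":
    for p in check_plan(POSTED_PLAN):
        print("posted plan:", p)
    print("lb plan problems:", check_plan(LB_PLAN))
    print("inbound 203.0.113.20:443 ->", translate_inbound(LB_PLAN, "203.0.113.20", 443))
    print("reply from 10.1.3.20:443 ->", translate_reply(LB_PLAN, "10.1.3.20", 443))
```

Run as-is it reports the two problems with the posted plan and none with the load-balancer plan; reusing one frontend address for two servers on the same port is also reported, which is the reason each published server needs its own address (or its own port).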
Hi,
Look at the Cluster HA for Azure admin guide,
from step 6.
You need to use the External LB to publish applications / web sites.
It involves some NAT rules and also allows you to have multiple public IP addresses, which can be used one per application.
Nir,
Related to this question: the Frontend-lb and its public IP, if we are not doing any publishing, is there any reason they cannot be deleted? From studying the HA guides and SKs, their only purpose is for inbound publishing?
Thanks.
Hi,
If you are not publishing any applications or using the Frontend-LB, then you can remove it.
Hi Nir,
The customer has an external WAF which is pointed to the CNAME or IP address of the servers. I am a little confused how the CG cluster would fit here for inbound filtering for those servers, if inbound traffic is routed through the CG Azure cluster?
Blason R
CCSA,CCSE,CCCS
You can put the Application Gateway / WAF in front of the cluster instead of the Frontend LB.
I did it one time and the Application Gateway monitored the servers through the cluster.
I don't really like this design because the WAF does all the work with the HTTP/S traffic and we only see HTTP/S traffic coming from it after it has already been scanned by the WAF, so we are only doing access control.