AK2
Collaborator

Ingress traffic from internet with CloudGuard for AWS cross AZ cluster for AWS transit gateway

Hi,

I have deployed CloudGuard for AWS cross AZ cluster for AWS transit gateway R81.20

Routing and passing traffic from a spoke VPC to the transit gateway through the cluster and out to the internet works OK using Hide NAT.

Routing and passing traffic from Azure across a S2S VPN terminating on the cluster, through the cluster, then to the spoke VPC (no NAT) works ok.

I have a requirement for ingress traffic from the internet to public IPs (e.g. AWS Elastic IPs) to be directed to the cluster, where the traffic can be NAT-ed to the EC2 instances, which are on private IP addresses in spoke VPCs. This will typically be HTTPS traffic on port 443 and will require many (greater than 10) public IP addresses in the production state.

I understand that the CloudGuard cluster public IP "floats" between the cluster members.

I looked into using AWS load balancers however:

1. They will send the traffic with a destination address of the Check Point, requiring adding multiple IPs on the Check Point interfaces and static NAT. I still need to know how to add 10 (public) IP addresses on the CloudGuard cluster members so that the public IPs stay with the active member.

2. Return traffic may be asymmetric: if the traffic source IP address is untranslated, the return traffic will exit to the internet via the cluster and the load balancer won't see it.

I am currently reading sk174447, and it hints that ingress traffic isn't a valid use case with Security VPC and TGW, although it doesn't say it's not possible...

Before I scrap what I am doing and choose option 3 in sk174447, is there any way to make ingress traffic from the internet to EC2 instances (through the CloudGuard cluster) work for maybe a dozen web servers?

Thanks in advance

Andrew