
Build Azure CloudGuard using Terraform

Hi Expert,

Can anyone advise how we can build a Vsec CloudGuard using Terraform code?

Something that maps to the original ARM template, as attached.

Best Regards,

Rano

5 Replies

Re: Build Azure CloudGuard using Terraform

Based on Javier's link https://community.checkpoint.com/docs/DOC-3027

I managed to make some progress:
- bring up 2 Vsec Gateways

- apply correct API

- test API

$FWDIR/scripts/azure_ha_test.py

- register to MDM (manual step)

what is missing:

1. cluster VIP integration 'cluster-vip'

2. failover testing

Does anyone have any input?

# Resource group that holds every firewall-related resource in this listing.
resource "azurerm_resource_group" "rg" {
  location = "SouthEast Asia"
  name     = "rg-firewall"
}
# VNet for the gateways; the External and Internal subnets below are carved
# out of this single /24.
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-firewall"
  location            = "SouthEast Asia"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = ["172.16.1.0/24"]
}

# External (untrusted side) subnet: first /27 of the VNet. No NSG is attached
# in this listing, so nothing restricts traffic to the gateways' eth0 at the
# Azure layer.
resource "azurerm_subnet" "External_subnet" {
  name                 = "External"
  address_prefix       = "172.16.1.0/27"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
}

# Internal (trusted side) subnet: second /27 of the VNet.
resource "azurerm_subnet" "Internal_subnet" {
  name                 = "Internal"
  address_prefix       = "172.16.1.32/27"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
}

# External NIC of the first cluster member. IP forwarding is enabled because the
# gateway must pass traffic that is not addressed to its own IP.
resource "azurerm_network_interface" "vsec-eth0" {
  name                 = "vsec-eth0"
  location             = "SouthEast Asia"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  enable_ip_forwarding = "true"

  # Member's own address on the External subnet.
  ip_configuration {
    name                          = "member-ip"
    primary                       = true
    subnet_id                     = "${azurerm_subnet.External_subnet.id}"
    private_ip_address_allocation = "Static"
    private_ip_address            = "172.16.1.10"

    # No public IP is attached; the reference is kept for later use.
    #public_ip_address_id = "${azurerm_public_ip.gwpublicip.id}"
  }

  # Cluster VIP on eth0. 172.16.1.12 is the same address listed under
  # clusterNetworkInterfaces/eth0 in the azure-ha.json written by custom_data.
  # Only this member's eth0 declares the VIP; vsec2-eth0 does not.
  ip_configuration {
    name                          = "cluster-vip"
    primary                       = false
    subnet_id                     = "${azurerm_subnet.External_subnet.id}"
    private_ip_address_allocation = "Static"
    private_ip_address            = "172.16.1.12"
  }
}

# Internal NIC of the first cluster member.
resource "azurerm_network_interface" "vsec-eth1" {
  name                 = "vsec-eth1"
  location             = "SouthEast Asia"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  enable_ip_forwarding = "true"

  ip_configuration {
    name                          = "member-ip"
    primary                       = true
    subnet_id                     = "${azurerm_subnet.Internal_subnet.id}"
    private_ip_address_allocation = "Static"
    private_ip_address            = "172.16.1.40"
  }
}

# External NIC of the second cluster member. Unlike vsec-eth0 it carries no
# "cluster-vip" ip_configuration, so the VIP only exists on member 1 here.
resource "azurerm_network_interface" "vsec2-eth0" {
  name                 = "vsec2-eth0"
  location             = "SouthEast Asia"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  enable_ip_forwarding = "true"

  ip_configuration {
    name                          = "member-ip"
    primary                       = true
    subnet_id                     = "${azurerm_subnet.External_subnet.id}"
    private_ip_address_allocation = "Static"
    private_ip_address            = "172.16.1.11"
  }
}

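# Internal NIC of the second cluster member. The ip_configuration is named and
# marked primary exactly like the other three NICs ("member-ip", primary = true)
# instead of the odd one out "ipconfig0" with no primary flag.
resource "azurerm_network_interface" "vsec2-eth1" {
  name                 = "vsec2-eth1"
  location             = "SouthEast Asia"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  enable_ip_forwarding = "true"

  ip_configuration {
    name                          = "member-ip"
    primary                       = true
    subnet_id                     = "${azurerm_subnet.Internal_subnet.id}"
    private_ip_address_allocation = "Static"
    private_ip_address            = "172.16.1.41"
  }
}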

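# First cluster member. Depends on azurerm_availability_set.avset and
# azurerm_storage_account.mystorageaccount, neither of which is declared in
# this listing.
resource "azurerm_virtual_machine" "vsec01" {
  name                         = "vsec01"
  location                     = "SouthEast Asia"
  resource_group_name          = "${azurerm_resource_group.rg.name}"
  vm_size                      = "Standard_D2S_v3"
  availability_set_id          = "${azurerm_availability_set.avset.id}"
  network_interface_ids        = ["${azurerm_network_interface.vsec-eth0.id}", "${azurerm_network_interface.vsec-eth1.id}"]
  primary_network_interface_id = "${azurerm_network_interface.vsec-eth0.id}"

  storage_os_disk {
    name              = "vsec01-osdisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  # Marketplace image; the plan block below must match it.
  storage_image_reference {
    publisher = "checkpoint"
    offer     = "check-point-vsec-r80"
    sku       = "sg-byol"
    version   = "latest"
  }

  plan {
    name      = "sg-byol"
    publisher = "checkpoint"
    product   = "check-point-vsec-r80"
  }

  os_profile {
    computer_name  = "vsec01"
    admin_username = "azureuser"

    # Placeholder credential committed in plain text while password login is
    # enabled in os_profile_linux_config. Feed it from a variable or Key Vault
    # (e.g. "${var.admin_password}") before real use; it lands in Terraform
    # state either way.
    admin_password = "password"

    # First-boot script. Everything in it (client secret, SIC key) is delivered
    # through custom_data, which is stored in state and on the VM, so the
    # placeholders must be replaced with real secrets only via a secure input.
    # The azure-ha-conf line quotes both values as a pair; the original had an
    # unbalanced quote after client_id that swallowed the rest of the script.
    # The config_system key "install_security_managment" is spelled as the
    # product expects it. Assumes $FWDIR is set in the environment that runs
    # custom_data on this image — confirm.
    custom_data = <<EOF
#!/bin/bash
clish -c 'set hostname vsec01' -s
cat <<EEOFF >$FWDIR/conf/azure-ha.json
{
"debug": false,
"subscriptionId": "subscription_id",
"location": "southeastasia",
"environment": "AzureCloud",
"resourceGroup": "rg-firewall",
"credentials": {
"tenant": "tenant_id",
"grant_type": "client_credentials",
"client_id": "",
"client_secret": ""
},
"proxy": "",
"virtualNetwork": "vnet-firewall",
"clusterName": "vsec0",
"clusterNetworkInterfaces": {
"eth0": [
"172.16.1.12",
"vsec0"
]
},
"lbName": ""
}
EEOFF
azure-ha-conf --client-id 'client_id' --client-secret 'client_secret' --force
/opt/CPda/bin/dastop
config_system -s 'install_security_gw=true&install_ppak=true&gateway_cluster_member=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=sic_key'
/opt/CPda/bin/dastart
shutdown -r now
EOF
  }

  # Password authentication stays on because the admin_password above is the
  # only credential supplied; prefer ssh_keys and disabling this in production.
  os_profile_linux_config {
    disable_password_authentication = false
  }

  boot_diagnostics {
    enabled     = "true"
    storage_uri = "${azurerm_storage_account.mystorageaccount.primary_blob_endpoint}"
  }
}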

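# Second cluster member. Mirrors vsec01 except for its name, disk and NICs; the
# azure-ha.json it writes is identical (same clusterName and VIP).
# Depends on azurerm_availability_set.avset and
# azurerm_storage_account.mystorageaccount, which this listing does not declare.
resource "azurerm_virtual_machine" "vsec02" {
  name                         = "vsec02"
  location                     = "SouthEast Asia"
  resource_group_name          = "${azurerm_resource_group.rg.name}"
  vm_size                      = "Standard_D2S_v3"
  availability_set_id          = "${azurerm_availability_set.avset.id}"
  network_interface_ids        = ["${azurerm_network_interface.vsec2-eth0.id}", "${azurerm_network_interface.vsec2-eth1.id}"]
  primary_network_interface_id = "${azurerm_network_interface.vsec2-eth0.id}"

  storage_os_disk {
    name              = "vsec02-osdisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  # Marketplace image; the plan block below must match it.
  storage_image_reference {
    publisher = "checkpoint"
    offer     = "check-point-vsec-r80"
    sku       = "sg-byol"
    version   = "latest"
  }

  plan {
    name      = "sg-byol"
    publisher = "checkpoint"
    product   = "check-point-vsec-r80"
  }

  os_profile {
    computer_name  = "vsec02"
    admin_username = "azureuser"

    # Placeholder credential committed in plain text while password login is
    # enabled in os_profile_linux_config. Feed it from a variable or Key Vault
    # (e.g. "${var.admin_password}") before real use; it lands in Terraform
    # state either way.
    admin_password = "password"

    # First-boot script. Everything in it (client secret, SIC key) is delivered
    # through custom_data, which is stored in state and on the VM, so the
    # placeholders must be replaced with real secrets only via a secure input.
    # The azure-ha-conf line quotes both values as a pair; the original had an
    # unbalanced quote after client_id that swallowed the rest of the script.
    # The config_system key "install_security_managment" is spelled as the
    # product expects it. Assumes $FWDIR is set in the environment that runs
    # custom_data on this image — confirm.
    custom_data = <<EOF
#!/bin/bash
clish -c 'set hostname vsec02' -s
cat <<EEOFF >$FWDIR/conf/azure-ha.json
{
"debug": false,
"subscriptionId": "subscription_id",
"location": "southeastasia",
"environment": "AzureCloud",
"resourceGroup": "rg-firewall",
"credentials": {
"tenant": "tenant_id",
"grant_type": "client_credentials",
"client_id": "",
"client_secret": ""
},
"proxy": "",
"virtualNetwork": "vnet-firewall",
"clusterName": "vsec0",
"clusterNetworkInterfaces": {
"eth0": [
"172.16.1.12",
"vsec0"
]
},
"lbName": ""
}
EEOFF
azure-ha-conf --client-id 'client_id' --client-secret 'client_secret' --force
/opt/CPda/bin/dastop
config_system -s 'install_security_gw=true&install_ppak=true&gateway_cluster_member=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=sic_key'
/opt/CPda/bin/dastart
shutdown -r now
EOF
  }

  # Password authentication stays on because the admin_password above is the
  # only credential supplied; prefer ssh_keys and disabling this in production.
  os_profile_linux_config {
    disable_password_authentication = false
  }

  boot_diagnostics {
    enabled     = "true"
    storage_uri = "${azurerm_storage_account.mystorageaccount.primary_blob_endpoint}"
  }
}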

Re: Build Azure CloudGuard using Terraform

Thanks for sharing Ranokarno, it looks promising. Feel free to share your code once you feel it is mature through the codepoint 😉 BTW, why didn't you try the VMSS setup directly instead of the cluster one? 

Re: Build Azure CloudGuard using Terraform

Hi Javier,

My understanding is that VMSS relies on an Azure Load Balancer, which then defeats the purpose of the CloudGuard gateway identifying source/destination in rules, especially since we are moving toward Identity Awareness with Azure Datacenter objects.

However, I am interested in how we can automate security gateway registration via the autoprov-cfg script without enabling VMSS.


Re: Build Azure CloudGuard using Terraform

The Azure LB does not source-NAT, so the CG gateways do see the original source addresses.

Re: Build Azure CloudGuard using Terraform

Thanks for your advice Jonathan Lebowitsch, I am currently testing it with dual-instance vsec gateways and a load balancer.

I think this approach is much better than building a Vsec cluster.

It reduces the overhead of API requests, UDR changes, etc.