This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duane_Toler
Advisor
‎2023-09-22 07:54 AM

Azure templates, single gateway, Standard SKU items

I read through the latest Azure deployment templates from the GitHub repo, but I didn't find my answer.  With Azure no longer offering Basic SKU load-balancers and Basic SKU public IP address objects, the deployment will have to deploy  the Standard SKU equivalents.  I know this is a bit silly, but just to verify:  For the Single gateway deployment, are the Azure templates sufficiently updated to deploy the Standard SKU objects?

Historically, the marketplace-single deployment used a Basic SKU frontend load-balancer (I've used this many times). On HA deployments, a Standard SKU was always deployed.  For my historically-deployed customers, when we do new R81.20 deployments for upgrade/migrations, should I expect to see a Standard SKU frontend load-balancer now?  I have Ansible templates in place already to do object moves and public-IP address object upgrades, so handling it isn't a problem; just need to know if it's there.

Looking through the latest templates, I didn't see any references for deploying the load-balancer, tho.  I do see the artifacts nested-templates with various options, including said load-balancer (which, yes, does have Standard SKU only), but I didn't see where this nested template was being referenced.

Template: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/azure/templates/marketplace-single/mainTe...

VNET nested template:  https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/azure/templates/nestedtemplates/vnet-new....

Am I missing something? Or is the load-balancer just not deployed for single-gateway templates anymore?

(yeah i know... "just do a test deployment in a different resource-group and find out for yourself"... yes, but sure would be nice to know ahead of time, tho, so I can prep the Ansible pieces ahead of time)

 

0 Kudos
2 Replies
Bryan-Smith
Employee
Employee
‎2023-09-22 08:47 AM

@Duane_Toler - No load balancer is deployed via the Azure Single Gateway marketplace template. 

https://support.checkpoint.com/results/sk/sk109360

  • This template can create a new virtual network or allow you to deploy into an existing virtual network
  • The template does not create the Web and App subnets - you will need to add these subnets yourself.
  • The template does not deploy any web or application VMs
  • VMs launched in the backend subnets might require Internet access in order to finalize their provisioning. You should launch these VMs only after you have applied NAT hide rules on the gateway to support this type of connectivity.
  • After you deploy the template, the gateway will automatically execute the Check Point First Time Configuration Wizard based on the parameters provided. Once the First Time Configuration Wizard completes, the gateway is expected to reboot
  • By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://<virtual-machine-public-IP>. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.
0 Kudos
Duane_Toler
Advisor
‎2023-09-22 08:53 AM
In response to Bryan-Smith

Curious.. the diagram still shows an Azure load-balancer for the inbound NAT rules.  This is also needed for attaching other public IP address objects (and corresponding NAT rules) for other VMs/private-endpoints in the backend subnet, or VNET-peered subnets.

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
GCP Cloudguard GW manual-failover
UPCOMING CLOUDMATES EVENTS
    Sort by:
    All CloudMates Events