AnsweredAssumed Answered

Multiple External Interfaces for vSec on Azure

Question asked by Neil Cav on Nov 12, 2017
Latest reply on Dec 8, 2017 by Jeroen Demets

Hi,

 

Does anybody have any experience in creating multiple external interfaces for a vSEC in Azure? I'd like to have the ability to have multiple external ip addresses to NAT to numerous backend services. I can successfully create a second interfaces as per the article: How to add a network interface to a Check Point Security Gateway in Azure 

 

The interfaces works with a public IP, but only if I change the default gateway to point to it. So I have:

 

Front end subnet: 10.0.0.0/24 - interface: 10.0.0.4. Azure GW: 10.0.0.1 (public ip assigned in azure)

Back end subnet 10.0.1.0/24 - interface: 10.0.1.4: Azure GW: 10.0.1.1

front end subnet#2: 10.0.3.0/24 - interface: 10.0.3.5: Azure GW: 10.0.3.1 (public ip assigned in azure)

Web server subnet: 10.0.2.0/24 

web server #1 address: 10.0.2.5,  web server #2 address: 10.0.2.6

 

Default route via front end subnet - 0.0.0.0 via 10.0.0.1

 

So i'd like to be able to NAT from one public IP addresses used in front end subnet 1 to web server 1 and another NAT from front end subnet #2 to web server 2.

 

I can create NAT rules for the two web servers, but I can only connect to them when I change the default route, so I can connect to web server #1 via the public ip only if the default route is pointing at the the Azure GW for the subnet for the public IP for that interface. I suspect it's because the traffic is coming via one public IP address, but routing out via another (following the single default route).

 

Is there a way to do this with PBR?- so that any traffic originating from one interface is replied to on that same interface (kind of overriding the default route).

 

Or is there an easier way to use two public IP's on a vsec in Azure? I've tried adding multiple IP's on a single interface from inside Azure, but I can't see any traffic arriving on the second IP.

 

Thanks,

Neil.

Outcomes