Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sandra_Suarez
Participant

Additional External IP (AWS)

The customers has a cluster R80.10 on AWS environment.

The front-end 172.31.19.x with public IP address (eth0)

The back-en 172.31.18.x (eth1)

On the front-end interfaces are configured severals subiterfaces to public services, something like this

ETH0 

172.31.19.x  public1

172.31.19.y  public2

172.31.19.z  public3

172.31.19.v  public4

172.31.19.q  public5

But the customer reach the limit of interface to associate public IP address and need to public more.

We try to do that add another external interface but it does not work.

Anyone how which is the procedure in this case??

3 Replies
PhoneBoy
Admin
Admin

Both the number of interfaces and the number of IPs you can associate to a given interface are a function of the AWS instance size you are using.

Your options are:

  • Use an elastic load balancer, which can also rewrite the source port for an incoming connection (allowing you to reduce the number of IPs assigned to the gateway).
  • Use more (smaller) gateways to protect these servers.
0 Kudos
Matt_J
Contributor

We ran into this exact same issue with AWS. In order to get more IPs, we had to add another external interface. It's a pain... There was a lot of tinkering involved, a lot of swearing and a lot of headdesks... 

What I had to do was setup policy based routing on the CheckPoint to make sure that incoming and outgoing traffic went in/out of the same interface. I also had to setup incoming/outgoing NAT. Unfortunately, this doesn't work if you are using a Logical Server object to NAT to the ELB CNAME. So we ended up with NAT using the local ELB IP addresses which are subject to change, and when they do, the site goes down... 

One of the reasons we needed so many IPs was that ELB's only supported a single certificate. With the new ALBs, they support multiple so if you have a lot of different websites requiring https, you can add multiple to ALBs. So we were able to merge a lot of load balancers and lower the number of IPs we needed. 

Also, as Dameon stated, we are in the process of moving part of our stuff to another CheckPoint so that we can get down to 1 external interface and  re-implement the Logical Server workaround so we can NAT to CNAME and not have the issue with the ALB IP changing. 

Hope this helps and good luck!

0 Kudos
Sandra_Suarez
Participant

Hi

Thanks for the comments.

We already be able to do the configuration and works fine.

We configure a second external Interface, to avoid any routing problem we configure ISP Redundancy between two external Interfaces.

Thanks again. I hope this help for others

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.