RayP
Explorer

Cloudguard Implementation without a Public loadbalancer / public IP's


Hi all,

Where can I find information about a CloudGuard implementation without a public load balancer, or with a load balancer that has no public IPs?

Situation (See the screenshot)

- 2x Check Point Appliance ClusterXL (On-Premise) with a connection to Azure by ExpressRoute

- 1x Check Point Management (On-Premise)

- Microsoft Azure environment with multiple VNETs.

The Azure environment is only accessible by the ExpressRoute connection.

I want to use Check Point CloudGuard between the VNETs and the ExpressRoute within Azure, without an Internet connection or the use of public IPs.

So traffic from On-Premise must go to the FrontEnd Load Balancer -> Check Point CloudGuard -> BackEnd Load Balancers -> different kinds of Azure virtual machines, and vice versa.

When we create a CloudGuard Network Security environment within Azure, we choose not to use "Use Public IP Prefix", but it still does.

How can we achieve this, or is this even possible?


Accepted Solutions
Nir_Shamir
Employee

Hi,

I have done this several times. This is what you need to do:

1) You can't use the Frontend LB because it only has public IPs. You can even delete it if you don't need to use it.

2) All your UDRs need to point to the Internal LB private IP, and on the CloudGuard GWs make sure the default route is changed to the Azure router on the eth1 subnet.

This way all the traffic goes in and out from the same interface of the Check Point GWs (eth1).

This way you have something like a firewall on a stick.

You can also detach the public IPs from the CloudGuard GWs' interface eth0. The only thing you can't remove is the public IP on the cluster's VIP.

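As an added example (not part of the thread, and not Check Point's or Microsoft's code), the following Python script generates the two pieces of configuration the accepted answer describes: Azure UDR entries that send spoke and on-premises prefixes to the internal load balancer's private IP as a VirtualAppliance next hop, and the Gaia clish command that points the gateway's default route at the Azure platform router on the eth1 subnet (Azure reserves the first usable address of every subnet for that router). It also audits a route table for entries that bypass the internal LB, which is the misconfiguration that would silently reintroduce a path around the firewall. All subnet CIDRs, prefixes, names and the ILB address are constructed placeholders, not the original poster's topology.

```python
"""Added example (not from the thread): build the Azure UDRs and the Gaia
default-route command for a CloudGuard "firewall on a stick" on eth1.

Every address below is a constructed placeholder (assumption), not a value
taken from the original post.
"""
import ipaddress
import json

# Constructed sample topology (assumptions, not the poster's environment)
ETH1_SUBNET = "10.10.2.0/24"          # CloudGuard backend (eth1) subnet
ILB_PRIVATE_IP = "10.10.2.10"         # internal LB frontend private IP
SPOKE_PREFIXES = ["10.20.0.0/16", "10.30.0.0/16"]
ONPREM_PREFIXES = ["192.168.0.0/16"]  # reached via ExpressRoute


def azure_subnet_gateway(cidr: str) -> str:
    """Azure reserves the first usable host of each subnet (x.x.x.1) for the
    platform router; that is the next hop the gateway's default route needs."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 1)


def build_udrs(prefixes, ilb_ip: str, eth1_subnet: str):
    """Return ARM-style route entries that steer each prefix to the ILB.

    Refuses a next hop that is not a private address or that does not live
    in the eth1 subnet, since either would mean traffic is not reaching the
    CloudGuard gateways through the internal load balancer."""
    ilb = ipaddress.ip_address(ilb_ip)
    if not ilb.is_private:
        raise ValueError(f"next hop {ilb_ip} is not a private address")
    if ilb not in ipaddress.ip_network(eth1_subnet):
        raise ValueError(f"ILB {ilb_ip} is outside eth1 subnet {eth1_subnet}")
    return [
        {
            "name": "to-" + p.replace("/", "_").replace(".", "-"),
            "properties": {
                "addressPrefix": p,
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": ilb_ip,
            },
        }
        for p in prefixes
    ]


def audit_udrs(routes, ilb_ip: str):
    """Return the names of routes that bypass the internal LB: anything whose
    next hop is not a VirtualAppliance at the ILB private IP."""
    bypassing = []
    for route in routes:
        props = route["properties"]
        if (props.get("nextHopType") != "VirtualAppliance"
                or props.get("nextHopIpAddress") != ilb_ip):
            bypassing.append(route["name"])
    return bypassing


def gaia_default_route_cmd(eth1_subnet: str) -> str:
    """Gaia clish command that moves the gateway's default route to the
    Azure router of the eth1 subnet (so ingress and egress share eth1)."""
    gw = azure_subnet_gateway(eth1_subnet)
    return f"set static-route default nexthop gateway address {gw} on"


if __name__ == "__main__":
    routes = build_udrs(SPOKE_PREFIXES + ONPREM_PREFIXES,
                        ILB_PRIVATE_IP, ETH1_SUBNET)
    print(json.dumps(routes, indent=2))
    print("bypassing routes:", audit_udrs(routes, ILB_PRIVATE_IP))
    print(gaia_default_route_cmd(ETH1_SUBNET))
```

The generated entries are the `routes` array of an Azure route table resource; attach that table to each spoke subnet and to the GatewaySubnet-facing subnets as appropriate. Run `audit_udrs` against an exported route table whenever someone edits it, since a single stray `Internet` or `VnetLocal` next hop is enough to let a prefix skip the gateways.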
RayP
Explorer

Thanks for the information Nir_Shamir, that helped us. 👍
