AyGit
Contributor

GCP external TCP LB health check

Hi,

We are deploying CloudGuard firewalls in GCP in MIG mode. A GCP external TCP LB will be set in front of the CloudGuard firewalls.

The LB will be internet facing and in a single region.

We are struggling to attach a health check in the LB backend configuration, as we can only use an HTTP one. The protocol choice is grayed out, as you can see below.

Do you know a workaround to set a TCP health check? FYI, we don't use an internal LB for the moment.

Regards

[attached screenshot: 2021-04-19_18h22_58.png]

Accepted Solutions
arielto
Employee

Hi @AyGit 

When selecting TCP load balancing, you have 2 options for backend types.

You can set a TCP health check when selecting the Backend service as backend type.

FYI - R&D is currently working on a new MIG solution that will handle the HC automatically after a GW has been provisioned by CME. The ETA for the solution release is June 2021.

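One way to build what the accepted answer describes, as an added example that is not from the thread or from Check Point: Terraform for a regional, internet-facing TCP load balancer that uses the Backend service backend type, which is what lets a TCP health check be attached to the CloudGuard MIG. The MIG self link, region, health-check port, VPC name and probe source ranges are assumptions and have to come from your deployment and Google's current load-balancer documentation.

```hcl
# Added example, not from the thread. Assumed inputs: an existing CloudGuard MIG,
# the region, the TCP port the gateways answer probes on, and Google's published
# health-check probe ranges for external network load balancers.
variable "region"             { default = "europe-west1" }
variable "mig_self_link"      {}               # self link of the CloudGuard MIG
variable "health_check_port"  { type = number } # TCP port the gateways expose
variable "probe_source_cidrs" { type = list(string) } # from Google's LB docs

# Regional TCP health check. The "Backend service" backend type accepts this;
# the legacy "Target pool" backend type only offers HTTP health checks.
resource "google_compute_region_health_check" "cloudguard_tcp" {
  name               = "cloudguard-tcp-hc"
  region             = var.region
  check_interval_sec = 5
  timeout_sec        = 5
  tcp_health_check {
    port = var.health_check_port
  }
}

# External backend service (protocol TCP) pointing at the firewall MIG.
resource "google_compute_region_backend_service" "cloudguard" {
  name                  = "cloudguard-ext-tcp-bes"
  region                = var.region
  load_balancing_scheme = "EXTERNAL"
  protocol              = "TCP"
  health_checks         = [google_compute_region_health_check.cloudguard_tcp.id]
  backend {
    group = var.mig_self_link
  }
}

# Internet-facing forwarding rule; all TCP ports are passed to the gateways.
resource "google_compute_forwarding_rule" "cloudguard" {
  name                  = "cloudguard-ext-tcp-fr"
  region                = var.region
  load_balancing_scheme = "EXTERNAL"
  ip_protocol           = "TCP"
  all_ports             = true
  backend_service       = google_compute_region_backend_service.cloudguard.id
}

# Least privilege: expose the probe port only to Google's health-check sources.
resource "google_compute_firewall" "allow_hc_probes" {
  name          = "cloudguard-allow-hc-probes"
  network       = "external-vpc"   # assumption: the VPC holding the external NICs
  source_ranges = var.probe_source_cidrs
  allow {
    protocol = "tcp"
    ports    = [tostring(var.health_check_port)]
  }
}
```

Add `target_tags` to the firewall rule so the probe port is opened on the gateway instances only, not on every VM in that VPC.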
5 Replies
AyGit
Contributor

Hi @arielto 

Thanks for your feedback. The solution is working as you described.

Furthermore, regarding the new MIG template, it would also be great to have a solution for Cluster/HA deployment using a private Cluster VIP address, for architectures without an SMS public IP address.

Regards

arielto
Employee

Hi @AyGit 
Glad to hear you are all set.

What do you mean by private Cluster VIP, and without SMS public IP address?

Please note that there is a GCP limitation stating we can't attach more than 1 public IP per NIC.

Also, cluster members should have a public IP for GCP API calls.

Thanks,

Ariel

AyGit
Contributor

Hi @arielto ,

We are constrained by the network interconnection between the SMS and the GCP environment, which are connected through an IPsec VPN link. I attached a diagram which represents our network architecture.

So we use the GCP public IP for the VIP and the internal nic1 private IP for each member in order to have the connection with GCP. And I supposed that the communication with GCP was only through the Cluster VIP (I have some error messages with the VIP public IP address in the cloud_proxy.elg log file).

Regards

arielto
Employee

Hi @AyGit ,

Unfortunately, I can't see the image in a good enough quality.

Please send me a personal mail with the image attached to get an understanding of the environment.

Thanks,

Ariel