Ideas needed in CheckPointCG-VMSS
I need some idea on attached Topology to achieve. Anyone can help me on this please.
1) Had spinned CheckPoint-CG VMSS in Azure.
2) Placed WebServer in Backend and Outgoing Internet traffic thru VMSS works fine.
3) Inbound traffic to Webserver thru VMSS also works fine with FrontendLB configured.
4) Since VMSS cannot support Site-to-Site VPN, we used Azure VirtualNetworkGW placed in VMSS VNet (New GatewaySubnet for AzureVPN)
5) Site Connection between Azure NativeVPNGW & 3rd Party got created fine & Connected Status
6) Used VPN Route based in Azure (not BGP) in "Connections" in Azure Portal
7) Requirement is:
a) Traffic from Peer-side to reach AzureVPNGW thru S2S-Tunnel.
b) Then AzureVPNGW should forward this traffic to VMSS for Inspection.
c) After Inspection, VMSS should in-turn route the traffic to Internal WebServer.
d) Inbound is (Traffic from PeerSide =>>> S2S =>>> AzureVPNGW =>>> VMSS =>>> WebServer)
e) Outbound is (Traffic From WebServer =>>> VMSS =>>> AzureVPNGW =>>> S2S =>>> PeerSide)
f) When packet from PeerServer leaves their localGW, it got encrypted
g) But don't see this packet in VMSS (Unable to check in AzureVPNGW)
h) But Webserver sends reply packets towards VMSS for this Inbounded traffic.
i) Looks like AzureVPNGW routes the Inbound traffic directly to WebServer and not to VMSS for inspection.
I unable to configure any separate routes in AzureVPNGW towards VMSS as both are part of same VNet
Either way traffic not reaching each other.
Any ideas on how can I achieve this.
did you try to define a UDR (User Defined Route) attached to your Azure VPN Gateway subnet, to route traffic for your WebServer to your VMSS ?
something like name=To_WebServer_via_VMSS, address prefix = 192.168.40.100/32, next hop = CG-VMSS
We can use UDR apply to the Azure Gateway subnet to route traffic to the VMSS for inspection, but pay attention, you should have:
To_WebServer, address prefix = 192.168.40.100/32, next hop: ILB of the VMSS as mentioned by Raphael
Hope help you