Architected for Automation: AWS Transit VPCs with Check Point CloudGuard

There are a number of reasons why organizations are drawn to AWS for their public cloud needs: increased business agility, improved process efficiency and lower networking costs, to name a few. And if the latest AWS quarterly earnings are any indication, this trend shows no sign of slowing down any time soon.


Check Point has been partnering with AWS for many years, jointly helping customers migrate workloads and data securely into AWS virtual private clouds (VPCs). Transforming one's datacenter from a hardware-centric to an application-centric, software-defined model brings tremendous benefits, but if not done properly it can also bring some rather undesirable consequences, especially from a cyber security perspective.


The same cyber-security strategy defending our premises-based networks should also be part of our cloud strategy. That is easier said than done, since our physical networks and appliances do not reach into the cloud and were never built for its elastic, dynamic nature. We therefore developed our CloudGuard cloud security solution to extend the same industry-leading threat prevention capabilities to AWS in a package purpose-built for cloud environments. In doing so, we ensure customers don't lose any of the benefits of the cloud model while maintaining a strong security posture.


Another significant milestone in the development of our CloudGuard solution for AWS is the recent availability of our automated Security Transit VPC.


As an organization's cloud footprint expands to include multiple geographically dispersed VPCs, AWS created an elegant method for managing it all: the Transit VPC. Transit VPCs simplify network management by serving as global network transit centers, minimizing the number of connections needed to link multiple Amazon VPCs and remote networks. This construct allows you to create as many virtual networks as needed and choose among different options for connecting them to each other.


Integrating our CloudGuard advanced cloud security solution into the Transit VPC provides a logical way to protect cloud workloads and traffic across an organization's entire AWS infrastructure. In this design, Transit VPCs act as central connection brokers, the "hubs" in a typical hub-and-spoke model, and all traffic to and from the VPC "spokes" traverses these central hubs.


With our CloudGuard security solution, Security Transit VPCs can now be deployed to provide central "scrubbing" or security zones for a vast array of use cases across public or hybrid cloud environments. What's more, CloudGuard provides all this with optimal cost and performance along with complete automation and agility at scale.


How it works:

Our approach leverages the automation of AWS CloudFormation templates to deploy CloudGuard-powered security hubs and to configure VPC route tables automatically. It also includes a Check Point process, running on the customer's management server in AWS, that monitors for changes to deployed VPCs. The result is that any customer VPC, newly created or existing, automatically steers all its traffic over AWS managed VPN to a designated Security Transit VPC hub.
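The spoke side of that hub-and-spoke connection, as an added example and not Check Point's own template: one CloudFormation stack that attaches a spoke VPC to a security hub over AWS managed VPN (virtual private gateway, customer gateway pointing at the hub, VPN connection) and points the spoke route table's default route at the virtual private gateway. The parameter names, the hub's BGP ASN, and the choice of a single spoke route table are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not Check Point's template). Attaches one spoke VPC to a
  Security Transit VPC hub over AWS managed VPN and steers the spoke's
  default route through the hub. Parameter values are hypothetical.

Parameters:
  SpokeVpcId:
    Type: AWS::EC2::VPC::Id
    Description: The spoke VPC to connect to the hub
  SpokeRouteTableId:
    Type: String
    Description: Route table of the spoke subnets whose traffic should go via the hub
  HubPublicIp:
    Type: String
    Description: Public (Elastic) IP of the security gateway in the transit VPC (assumed)
  HubBgpAsn:
    Type: Number
    Default: 65000
    Description: Private ASN the hub gateway speaks BGP with (assumed value)

Resources:
  # Virtual private gateway: the AWS-managed VPN endpoint on the spoke side.
  SpokeVgw:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1

  SpokeVgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref SpokeVpcId
      VpnGatewayId: !Ref SpokeVgw

  # The hub gateway, seen from the spoke, is a "customer gateway".
  HubCustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref HubBgpAsn
      IpAddress: !Ref HubPublicIp

  # One VPN connection = two IPsec tunnels from the VGW to the hub.
  # Dynamic routing: the hub learns the spoke CIDR and advertises what
  # the spoke may reach (including 0.0.0.0/0 if all traffic goes via the hub).
  SpokeToHubVpn:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: false
      CustomerGatewayId: !Ref HubCustomerGateway
      VpnGatewayId: !Ref SpokeVgw

  # Steer everything leaving the spoke subnets into the VPN, i.e. to the hub.
  SpokeDefaultRouteViaHub:
    Type: AWS::EC2::Route
    DependsOn: SpokeVgwAttachment
    Properties:
      RouteTableId: !Ref SpokeRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref SpokeVgw

Outputs:
  VpnConnectionId:
    Description: VPN connection whose tunnel details the hub gateway must be configured with
    Value: !Ref SpokeToHubVpn
```

Two checks before deploying something of this shape for real. First, a virtual private gateway only forwards to destinations it has a route for over the tunnel, so the hub gateway must advertise 0.0.0.0/0 over BGP (or the stack needs a static AWS::EC2::VPNConnectionRoute for it); otherwise the default route above blackholes the spoke. Second, the spoke route table must not already carry a 0.0.0.0/0 route to an internet gateway: CloudFormation will refuse the duplicate prefix, and once the route points at the VGW the hub is the spoke's only path out, which is the point of the design. Each AWS managed VPN connection is a pair of IPsec tunnels with per-tunnel throughput limits, so size the hub fleet against the aggregate spoke traffic rather than the spoke count.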


The solution provides a best-of-breed approach to building advanced security services into AWS while supporting the dynamic nature of the cloud. Specifically, it delivers:

  • Simplicity: fast, automated deployments
  • Orchestration: CloudFormation templates as well as API integration via Check Point management
  • Agility: supports a variety of customer use cases at scale
  • Security: award-winning, comprehensive security services built into the transit function


For additional information on our CloudGuard for AWS solution, please visit the product page or try it out on the AWS marketplace.