How Well Does CloudGuard IaaS Support Azure Security?

By Jonathan Maresky, Product Marketing Manager, CloudGuard IaaS, published June 12th, 2019

 

Check Point CloudGuard IaaS provides support for Microsoft Azure and hybrid cloud deployments, and thereby improves Azure security. This isn’t surprising, considering that Azure is a leading public cloud vendor and is trusted by 95% of Fortune 500 companies, most of which are also Check Point customers.

 

But how well does CloudGuard IaaS support Azure?

 

One way to answer this question is to refer back to Microsoft itself:

 

Reshmi Yandapalli, Principal Program Manager of Azure Networking, published a blog in February outlining considerations when building or choosing Azure security and networking services.

 

The blog is titled “Best practices to consider before deploying a network virtual appliance”. In the blog, Dr. Yandapalli defines a network virtual appliance (NVA) and outlines four best practices for networking and security ISVs like Check Point to improve the cloud experience for Microsoft Azure customers.

 

I reviewed the blog’s four best practices with the Check Point R&D team, which is responsible for CloudGuard IaaS development and future roadmap. This is what I learned:

 

1. Azure accelerated networking support:

The blog recommends that the ISV’s Azure security solution be available on one or more Azure VM types that support Azure’s accelerated networking capability, in order to improve networking performance.

The following picture shows communication between two VMs with and without accelerated networking:

 

Accelerated networking to improve performance of Azure security (source: Microsoft)

 

According to Amir Kaushansky, Product Manager of CloudGuard IaaS, Check Point was the first vendor to be certified as compliant with Azure accelerated networking. Accelerated networking can be used to significantly improve performance and reduce latency, jitter, and CPU utilization.

 

Depending on workload and VM size, we have observed ~2-3X increased throughput as a direct result of Azure accelerated networking.

2. Multi-NIC support:

Each Azure VM type has one or more NICs (Network Interface Controllers). The article explains that using VMs with multiple NICs improves network traffic management via traffic isolation. For example, you can use one NIC for data plane traffic and one NIC for management plane traffic.

 

Azure H-series VMs with number of NICs per size (source: Microsoft, June 2019)

 

CloudGuard IaaS supports multi-NIC VMs, regardless of the number of NICs. Check Point recommends the use of VMs with at least 2 NICs; VMs with 1 NIC are supported but not recommended.

 

Depending on the customer’s deployment architecture, one NIC may be used for internal (“East-West”) traffic while the second may be used for outbound/inbound (“North-South”) traffic.

 

3. HA Port with Azure Load Balancer:

It is not surprising that the article states that Azure security and networking services should be reliable and highly available.

 

Dr. Yandapalli recommends using a High Availability (HA) port load balancing rule.

Flowchart example of High Availability port with Azure Load Balancer (source: Microsoft blog)

 

Kaushansky reports that CloudGuard IaaS supports this functionality with a standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard easily in High Availability mode.

 

4. Support for Virtual Machine Scale Sets (VMSS):

 

The article’s last best-practice recommendation is to use Azure Virtual Machine Scale Sets to provide high availability as well as the management and automation layers for Azure security, networking and other applications. This cloud-native functionality provides the right amount of IaaS resources depending on application needs at any given time.

 

As with the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of inbound/outbound and East-West traffic.

 

As you can see, CloudGuard IaaS is compliant with all four of Microsoft’s best-practice recommendations about how to build and deploy Azure network security solutions.

 

So if you are in the process of evaluating Azure security solutions:

 

Why not take advantage of a limited-time special offer from Microsoft and Check Point?

 

Get a free 30-day evaluation license of CloudGuard IaaS on Azure Marketplace.

 

Visit http://www.checkpoint.com to learn more about how CloudGuard IaaS can help you protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security.