Scalable remote access with VMSS enhances Azure security, while working from home

By Hezi Bahry, CloudGuard Product Manager, published December 30, 2020

In the early stages of the Coronavirus pandemic, many customers contacted us with concerns about how to support their drastically changing security needs. One of the major challenges large organizations and enterprises face is workforce connectivity using remote access from outside the office into cloud data centers. From providing support for up to tens of concurrent remote access connections, companies were required to support hundreds, thousands and often tens of thousands of concurrent remote access connections. Working from home changed from a job perk to a necessity almost overnight.

These challenges provide another opportunity for cloud technology to demonstrate the advantages of the Pay As You Go model (sometimes referred to as Pay As You Grow), the never-ending availability and the scalability of cloud infrastructures. The immediate solution to the increase in demand for secure remote access was to deploy larger-capacity security solutions, either by:

  • Adding more processing power to each cloud security instance (also called “Scaling Up”)
  • Deploying additional parallel cloud security instances, redirecting different remote access connections to different instances (also called “Scaling Out”)

Two ways to support increased cloud security demand

Both solutions are viable; however, both have disadvantages including:

  • Inefficient use of computing resources by employing large virtual machines to support the load only during peak times
  • Manual work to deploy the solution

(Note that in the case of physical appliances, customers would have the additional challenges of procurement, delivery, installation and configuration of this additional equipment.)

Check Point CloudGuard is one of the most popular cloud security solutions for securing the cloud perimeter with advanced threat prevention and cloud network security. It also enables secure remote access connectivity for employees. But how can CloudGuard support dynamic and automatic scaling of CloudGuard instances to enable an almost-unlimited number of remote VPN connections?

Check Point recently announced availability of Scalable Remote Access using Azure Virtual Machine Scale Sets (VMSS). The new solution uses a simple cloud-native architecture, which we nicknamed “sandwich” because it deploys a VMSS sandwiched between two load balancers.

 

 

Architecture of Scalable Remote Access using VMSS

The architecture uses Azure internet facing and Internal Load Balancers that forward traffic to security gateways. The internet facing Load Balancer forwards ingress traffic from the Internet to the CloudGuard scale set. The Internal Load Balancer with high availability ports serves as a next-hop for all traffic that travels from the internal vNets to the Internet.

Thanks to these components, a single VMSS solution “sandwiched” between load balancers can be used for ingress, egress and East-West traffic inspection and advanced threat prevention.

The diagram below shows how a remote client establishes a Remote Access VPN connection with the appropriate VMSS instance.

 

Scalable Remote Access using VMSS

  1. Azure function gets Public IPs of VMSS instances whose provision process is finished.
  2. Azure function creates (in case it does not exist) or updates a DNS Zone Record Set with the VMSS Instances’ public IPs.
  3. Remote Access VPN client runs a DNS query to resolve the current active IP addresses.
  4. Azure DNS returns the current active IP addresses.
  5. Client performs a load-sharing mechanism on the resolved IP list and establishes a Remote Access VPN connection with the appropriate VMSS instance. It then gets access to internal resources.

Benefits of using CloudGuard to provide Scalable Remote Access for Azure:

  • Scalable and dynamic: Using Azure VMSS, the solution supports a large (theoretically infinite) number of concurrent connections.
  • Automatically managed connectivity: Using an Azure function, the solution updates the DNS server, directing clients to the available security gateways for establishing a secured connection.
  • Load sharing: Using Azure Traffic Manager, you can deploy multiple scale sets globally and redirect the remote access client to the closest scale set region.
  • Scale-out triggered by number of concurrent connections: A configurable threshold triggers a scale-out to ensure resilience, stability, user experience and performance.

This solution is easily deployed using the CloudGuard offering in the Azure Marketplace.

Using CloudGuard, employees can seamlessly, efficiently, and securely connect from anywhere, at any time, to any environment and data center in their organization. The new VMSS solution has a high adoption rate by Azure customers and the feedback is excellent.

About CloudGuard

Check Point CloudGuard delivers industry-leading advanced threat prevention together with automated and elastic cloud network security at the speed of DevOps, for Azure, Azure Stack, multi-cloud and hybrid-cloud deployments.

Organizations with on-premises environments and in the process of migrating to Azure receive unified and consistent security management of all their on-prem and cloud environments and experience the easiest, quickest and most secure Azure migration with lowest total cost of ownership.

What’s next?

If you’d like to learn more about CloudGuard Network Security on Azure, please speak with your Check Point channel partner, your account Security Engineer or contact us.

If you are in the process of planning your migration to Azure or you are already using Azure, please contact us to schedule a demo, and a cloud security expert will help to understand your needs.

If you are ready for a 30-day free trial of CloudGuard, or if you are ready to purchase CloudGuard, you can deploy this via the Azure Marketplace.

How secure is your Azure vNet?

The Check Point Cloud Security CheckMe performs a quick and easy high-level analysis of your Azure vNet and sends you a report of your vulnerabilities against advanced threats.

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

  • This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
  • This document explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.

If you have any questions, please contact your local Check Point account representative or partner, or contact us here.

Follow and join the conversations about Check Point and CloudGuard on TwitterFacebookLinkedIn and Instagram.