By Jonathan Maresky, Cloud Product Marketing Manager, published June 21, 2021
The three pillars of CloudGuard are “Security · Automated · Everywhere”. You can see this in the CloudGuard pages in the Check Point website, in our marketing material and all through our presentations. This is also an easy way to remember our vision as well as the value to our customers.
This blog post focuses on the “Automated” pillar. Automation is vital: the cloud is dynamic and elastic, and a security solution that depends on manual provisioning cannot keep pace with it.
A key component of CloudGuard’s automation capabilities is its support for, and encouragement of, Infrastructure as Code (IaC), which automates the provisioning and management of cloud and other IT resources.
AWS’s native IaC service is AWS CloudFormation.
Today AWS announced a new capability, AWS CloudFormation Public Registry, and CloudGuard integrates with it at launch so that Check Point cloud security users can benefit from the added functionality.
This blog post briefly explains the AWS CloudFormation Public Registry and its value to our customers. I will also explain how you can use the CloudGuard Quick Start to become familiar with the new capability and deploy CloudGuard Network Security into your AWS environment as a reference deployment.
What is AWS CloudFormation?
AWS CloudFormation is “a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion”, according to the AWS CloudFormation FAQ. In other words, CloudFormation enables AWS users to deploy resources on AWS via IaC.
Check Point integrates with CloudFormation to enable and encourage customer automation, and provides users with a broad and deep collection of CloudFormation templates to support all CloudGuard capabilities.
What is CloudFormation Public Registry?
CloudFormation includes a registry that lists the private and public extensions available for use in an AWS account. An extension is a customized entity stored in the registry that augments the functionality of CloudFormation (at the time of writing, a resource type or a module) and can be used in a template in the same way as any native CloudFormation resource.
Before this new functionality, CloudFormation users could only register private extensions (for use in their own account), and only AWS could publish public extensions.
CloudFormation Public Registry allows any CloudFormation user whose publisher identity has been verified through AWS Marketplace, GitHub, or Bitbucket to publish extensions publicly. In other words, it allows publishers such as Check Point to publish extensions into a searchable catalog, making third-party resource types and modules available to any AWS account.
How does CloudFormation Public Registry help our users?
AWS customers will have access to complex and persistent extensions in the registry. For the purposes of this blog post, the relevant example for Check Point CloudGuard users is a reference deployment: a web service protected by an Auto Scaling group of CloudGuard Network Security gateways.
Before this launch, a user could assemble a CloudGuard Network Security gateway deployment as a private extension from smaller, publicly available building blocks with multiple layers (EC2 instances, IP addresses and so on), but the result could only be registered privately; it could not be shared through the registry.
Alternatively, CloudGuard users could use one of the many Check Point-created CloudFormation templates (CFTs) to simplify the deployment of Check Point security solutions in AWS. The templates can be used “as-is” or as building blocks for customized templates. However, if a template does not fit the user’s requirements exactly, extracting the CloudGuard portion out of the existing set of nested CFT stacks is not a trivial process.
Using a third-party public extension is easier, quicker and less error-prone, and the user does not need to know what is happening “under the hood” of the extension: all of the discrete entities included in the extension are provisioned automatically and seamlessly. Not needing to understand the internals does not remove the need to review them, though; the extension creates resources in your account, so check its publisher and inspect its schema in the registry before you activate it.
According to AWS, “users can use CloudFormation capabilities to create, provision, and manage the extensions you provide in a safe and repeatable manner, just as they would any AWS resource. This includes CloudFormation management capabilities such as change sets, drift detection, and resource import.”
Once an extension is published to the public registry, it is visible in the AWS region(s) in which it was published, and it must be activated in each account and region where it will be used.
Using AWSQS::CheckPoint::CloudGuardQS::MODULE as a public extension, users can reuse it wherever needed and create customized infrastructure tailored to their needs.
As an analogy, consider building multiple model airplanes by purchasing each component (wheels, engine, ailerons, etc.) separately and then putting the different components together, time after time. The new functionality allows you to get a new model airplane each time, that has been built properly and in the exact same way each time.
It is a lot less interesting of course, but takes much less time and effort, is scalable and minimizes configuration errors.
Architecture of the CloudGuard Quick Start
Something practical: Try the CloudGuard Quick Start!
Here is a good way to gain some practical experience with CloudFormation Public Registry, by using the CloudGuard Registry Module to deploy CloudGuard Network Security into your AWS environment as a reference deployment.
As part of the launch of CloudFormation Public Registry, AWS published the CloudGuard Quick Start into the registry as a module under the “AWSQS” publisher (see the screen shot below). The module includes a CHKP CGNS GW object (the CloudGuard Network Security gateway) as well as the load balancing, auto-scaling groups, target group and sample web servers.
CloudGuard Quick Start module registered in the CloudFormation Public Registry
A typical workflow for a user to consume the module would be:
- Activate the module in the CloudFormation registry (once per account and region)
- Once the module is activated, build templates that reference the Check Point module
- When the stack is created, the Check Point module provisions the VPC, load balancer, Auto Scaling group, etc.
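The workflow above, as an added example: this POSIX shell script is not Check Point’s or AWS’s code. It looks the module up in the public registry, dumps its publisher, version and schema for review, activates it with automatic updates disabled and the major version pinned (so a publisher-side change cannot silently alter what your stacks build), and then validates and deploys a template of your own that references `AWSQS::CheckPoint::CloudGuardQS::MODULE`. The region default, the publisher ID and major version you pass in, the `CAPABILITY_IAM` flag and the template file are assumptions; the module’s property names come from the `describe-type` output, not from this post. Set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not Check Point's or AWS's code. Assumptions are marked.
# DRY_RUN=1 prints each aws command instead of executing it.

TYPE_NAME="AWSQS::CheckPoint::CloudGuardQS::MODULE"  # module name from the post
TYPE_PREFIX="AWSQS::CheckPoint"                      # list-types filter prefix
REGION="${AWS_REGION:-us-east-1}"                    # assumption: stack region

run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 0: find the module among third-party public MODULE extensions.
# The PublisherId in this output is what the later steps need.
list_module() {
  run_cmd aws cloudformation list-types --region "$REGION" \
    --visibility PUBLIC --type MODULE \
    --filters "Category=THIRD_PARTY,TypeNamePrefix=$TYPE_PREFIX"
}

# Step 1: review publisher, version and schema before trusting the module.
describe_module() {
  publisher_id="$1"   # PublisherId taken from list_module output
  run_cmd aws cloudformation describe-type --region "$REGION" \
    --type MODULE --type-name "$TYPE_NAME" --publisher-id "$publisher_id"
}

# Step 2: activate in this account and region. Auto-update is disabled and
# the major version pinned so new publisher releases are opt-in, not automatic.
activate_module() {
  publisher_id="$1"
  major_version="$2"  # assumption: the major version you reviewed in step 1
  run_cmd aws cloudformation activate-type --region "$REGION" \
    --type MODULE --type-name "$TYPE_NAME" --publisher-id "$publisher_id" \
    --no-auto-update --major-version "$major_version"
}

# Step 3: validate, then deploy your own template that references the module.
# CAPABILITY_IAM is an assumption: needed only if the module creates IAM resources.
deploy_stack() {
  stack_name="$1"
  template_file="$2"  # your template; its Resources use Type: $TYPE_NAME
  run_cmd aws cloudformation validate-template --region "$REGION" \
    --template-body "file://$template_file"
  run_cmd aws cloudformation deploy --region "$REGION" \
    --stack-name "$stack_name" --template-file "$template_file" \
    --capabilities CAPABILITY_IAM
}

# Typical use (publisher ID and version are placeholders):
#   DRY_RUN=1 sh cloudguard-module.sh
#   list_module; describe_module <publisher-id>
#   activate_module <publisher-id> 1; deploy_stack cloudguard-demo template.yaml
```

Run `list_module` first and copy the `PublisherId` from its output; with `DRY_RUN` unset, each function executes the real AWS CLI call against the configured credentials, so review `describe_module` output before calling `activate_module`.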
If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:
- The top 10 considerations when evaluating and choosing a cloud network security solution
- An overview of Check Point CloudGuard and how it answers the top 10 considerations
- The relative benefits of the solutions provided by leading cloud providers and third-party security vendors
To see a deep-dive tech-talk about enterprise-scale deployment of CloudGuard Network Security in an AWS environment, click here.
For a similar deep-dive tech-talk about using CloudGuard with AWS GWLB, click here.
If you’d like to learn more about CloudGuard Network Security, please speak with your Check Point channel partner, your account Security Engineer or contact us.
To read the Forrester Total Economic Impact of CloudGuard Network Security, where Forrester interviewed a $10B+ US-based healthcare company who uses CloudGuard to secure their hybrid-cloud deployment and generated a 169% ROI, click here.
If you are in the process of planning your migration to the cloud, please contact us to schedule a demo, and a cloud security expert will help to understand your needs.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- This document explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you to implement the blueprint, and how these address the cloud security challenges and architectural principles outlined in the first document.
- This document provides reference architectures for implementing the cloud security blueprint.
If you have any questions, please contact your local Check Point account representative or partner, or contact us here.