By Jonathan Maresky, Cloud Product Marketing Manager, published November 2, 2021
This blog post explains Azure Gateway Load Balancer (recently announced by Microsoft in Public Preview), and how it simplifies and improves the design of secure Azure deployments with Check Point CloudGuard Network Security.
Cloud security is not a trivial exercise.
This is why Check Point recommends designing security into your clouds before deploying cloud resources, instead of retrofitting security after your cloud is already deployed. This is one way to “shift-left” cloud security and ensure security issues are discovered earlier in the process. The earlier that an issue is discovered, the lower the risk to the organization and the lower the cost to fix or mitigate the issue.
A well-defined cloud architecture encourages and enables security. It is also efficient (in terms of cost and effort), scalable, intuitive to the developers and often elegant.
Conversely, a cloud architecture where security is added after-the-fact is often inefficient, difficult to understand, kludgy and feels like it is held together with duct tape. What is worse, it adds risk to the organization because a badly designed deployment often has gaping holes that are easily exposed by cloud security threat actors.
Check Point and Microsoft
The best partnerships include a strategic business alignment, product and technology coordination and a similar vision of how best to serve customers. Check Point is Microsoft’s #1 security partner and is a trusted security advisor to thousands of Microsoft customers worldwide.
The technology and product teams meet regularly to plan and coordinate; in this case, the relevant teams from Check Point and Microsoft have been working closely on the integration between CloudGuard Network Security and Azure Gateway Load Balancer for the last few months.
(For more information about CloudGuard Network Security (CGNS), see below.)
What is Azure Gateway Load Balancer?
What is this new capability and what benefit does it provide customers and partners?
Gateway LB is a type of load balancer, which enables high performance and high availability scenarios for a network virtual appliance (NVA) like a next generation firewall or security gateway. It allows Azure customers to deploy, scale, and manage NVAs quickly and easily. Additionally, it enables transparent NVA insertion in a network path.
Gateway LB uses a technology called VXLAN, “a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments”, for the communication between the Load Balancer and the cloud network security gateway.
A Standard Azure LB forwards the traffic via a VXLAN tunnel to the new Gateway LB. Gateway LB encapsulates the traffic thus there is no change to the original traffic, and the security gateway decapsulates it. As a result, the security gateway is able to see the original source of the traffic. The source and destination function without any knowledge of having a Gateway LB in the path – making service chaining a reality.
On the way back, the Standard LB removes the VXLAN encapsulation and forwards this onwards as normal.
The main benefits of Gateway LB are the ease and speed of deployment, the cost efficiency while scaling NVAs up and down, improved network availability and flow symmetry, removing the need for complex and often manual route configurations and making the original source visible to destination applications.
How Azure GWLB benefits CloudGuard customers
Let’s look at the difference in design with and without using Gateway LB. The figure below shows ingress flow using a Standard Load Balancer.
Note how the CloudGuard security gateways are required to be deployed in the same VNet as the web server and how the source IP is changed to ensure the traffic will be returned to the same CloudGuard instance that inspected it originally.
The diagram below shows the simplified design using Gateway LB.
Note how the CloudGuard security gateways are now deployed in a Security VNet. The original source IP is visible to applications in the Services VNet.
The first significant benefit of Gateway LB is removing the need for source NAT.
A Standard Load Balancer needs to source NAT the traffic (i.e. changing the traffic’s source IP address) to ensure it is returned to the same CloudGuard security gateway that processed the traffic connection originally. However, hiding the original IP of the traffic by source NAT removes valuable context from the traffic, which is often important for applications that are performing big data analytics on this traffic. Many applications monitor the location of users in a country or region; Gateway LB allows having the original IP address allows applications to track usage and extract this valuable information, and restores a lot of the value to the application owner.
Dmitry Gornushkin, Check Point’s R&D manager for CloudGuard Network Security, calls this “transparent security”.
Another benefit of the Gateway LB is the simplicity of the cloud architecture. Previously, the security gateways needed to be in the same environment or VNet as the servers. The new capability allows the security gateways to be located in another VNet, thus customers can keep their original architecture without concern for changing their design because all security can be easily moved aside. There is also no need for VNet peering between the VNets.
Previous architectures required significant routing overhead that was often configured manually. The Gateway LB capability allows cloud security engineers to simply point their Load Balancers to CloudGuard for traffic inspection and advanced threat prevention. This also allows easier addition of cloud network security for existing applications without the need for drastic architecture changes (also known as “retrofitting security”, see above).
The new capability also simplifies how applications are inspected and how new applications are deployed in a more intuitive way and without worrying about the routing complexity: simply define which traffic will be inspected by the CloudGuard Network Security gateways.
Check Point CloudGuard Network Security is a launch partner of Azure Gateway Load Balancer. The integration enables CloudGuard customers to simplify the deployment connectivity of their Azure security, and design secure cloud architectures in a more efficient and intuitive way.
- For a demo of CloudGuard Network Security using Azure Gateway LB, click here.
- You can read the administration guide for using Azure Gateway LB with CloudGuard Network Security here.
- You can deploy the Public Preview Azure Gateway Load Balancer template, from Check Point’s GitHub repository, here.
- If you’d like to learn more about CloudGuard Network Security, please speak with your Check Point channel partner, your account Security Engineer or contact us.
What is CloudGuard Network Security?
Check Point has been the market leader in network security since 1993, when Gil Shwed, Check Point’s CEO and co-founder, invented and patented stateful inspection, which is still widely used in network security today.
CloudGuard Network Security is the cloud-based version of Check Point’s award-winning network security solutions. Simply put, the deep and broad threat-prevention software technologies integrate with all public and private cloud vendor offerings and are super-powered by cloud capabilities of agility, scalability, reliability, automation and multi/hybrid-cloud security management from a single-pane-of-glass.
The diagram below shows a multilayered cloud security platform that organizations should implement to protect their cloud deployments. Not surprisingly, a recent Forrester study indicated that cloud security confidence enables organizations to migrate more workloads to the cloud, quicker.
Cloud network security enables organizations to deploy virtual security gateways to provide advanced threat prevention, traffic inspection and micro-segmentation. Threat prevention is provided via multiple layered security technologies including Firewall, IPS, Application Control, DLP and others.
Industry analysts recommend that organizations implement cloud network security as a foundational layer to provide broad risk mitigation with high ROI.
Check Point customers moving to the cloud consistently confirm that CloudGuard Network Security is the easiest, quickest and most secure migration path, with lowest organizational risk and greatest value:
- Most secure: CGNS uses the same leading advanced threat prevention technologies (also called “blades”) as on-prem gateways
- Quickest: There is no need for new training or integrations – CGNS works the same way in the cloud as it does in organizations’ data centers
- Easiest: CGNS uses the same unified management and policies as on-prem
- Lowest risk: Check Point customers trust Check Point security. Using another cloud security solution increases the customer’s risk so they greatly prefer a trusted security advisor.
- Greatest value: Total cost of ownership is reduced due to less need for new and additional engineering staff, and a significantly reduced learning curve to become familiar with cloud network security
CloudGuard has an additional significant advantage owing to its native integrations with the broadest range of public and private cloud vendors, as well as its ability to manage multi- and hybrid-cloud security consistently and efficiently. Considering that 92% of organizations have a multi-cloud or hybrid-cloud strategy, using a cloud security solution that supports only one cloud vendor is risky and will probably be expensive and painful in the future.
CloudGuard Network Security and Azure
In general, Check Point products and solutions are deeply integration with Microsoft products and services. Specifically, CloudGuard Network Security is deeply integrated with Microsoft Azure, Azure Stack, Azure Sentinel, Azure VMSS and other key Azure services.
CloudGuard Network Security is available for trial or deployment on Azure Marketplace and can be consumed via PAYG or BYOL.
If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:
- The top 10 considerations when evaluating and choosing a cloud network security solution in more detail
- An overview of Check Point CloudGuard and how it answers these top 10 considerations
- The relative benefits of the solutions provided by leading cloud providers and third-party security vendors
Another fascinating document is the Forrester Total Economic Impact of CloudGuard Network Security:
Forrester Research interviewed a $10B+ US-based healthcare company who uses CloudGuard to secure their hybrid-cloud deployment and generated a 169% ROI. To read this document, click here.
If you are in the process of planning your migration to the cloud, please fill in the form to schedule a demo, and a cloud security expert will help to understand your needs.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- Introduction to Cloud Security Blueprint introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- Cloud Security Blueprint: Architecture and Solutions explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
- This document provides reference architectures for implementing the cloud security blueprint.
If you are ready to trial CloudGuard Network Security in your public or private cloud, contact us to ask if there is a 3 hour deep-dive technical workshop in your region/country and even in local languages. If you have any other questions, please contact your local Check Point account representative or partner using the same contact us link.