As Azure Virtual WAN continues to gain popularity among enterprise customers with distributed and complex IT environments, the need for a comprehensive, consolidated, and collaborative security solution to protect these deployments becomes even more crucial.
Check Point CloudGuard provides customers with industry-leading cloud network security for their Virtual WAN deployments, secured connectivity for heterogeneous and distributed IT environments. The Check Point solution enables unified and consistent security management for hybrid-clouds and on-prem deployments with maximum operational efficiency.
Microsoft recently announced that the new Direct Ingress functionality (also called internet inbound or internet ingress) is now in public preview. Check Point and Microsoft have partnered to enable CloudGuard to natively support Direct Ingress, thus streamlining Azure Virtual WAN security, providing added value and improved functionality.
This article explains the business use case for the new functionality and how it works, and the benefits to customers. At the end of the article are details about how to use the Direct Ingress functionality to improve the operational efficiency of your Azure Virtual WAN security.
Use case: Securing ingress into the Azure Virtual WAN
Organizations develop services in the cloud for various purposes. Many of these services are exposed to the Internet (for example, e-commerce allows consumers to purchase goods from your organization). “Ingress” refers to this inbound flow of traffic from the Internet into the organization’s cloud deployment. Securing this ingress traffic is a critical layer of a modern defense-in-depth cloud security strategy.
Check Point CloudGuard Network Security for Azure Virtual WAN
What is the best way to secure this inbound traffic?
Organizations have many considerations when choosing a cloud network security solution, as explained in this document. As a trusted cloud security advisor to thousands of cloud customers, we recommend CloudGuard Network Security for Azure Virtual WAN. Organizations that already use Check Point network security on-premises can easily extend their security policies to Azure Virtual WAN (and most public and private clouds) and manage all their cloud network security from a single pane of glass.
CloudGuard enhances and complements Azure security and is chosen by organizations who require industry-leading threat prevention for their business-critical applications, workloads, and data in Azure Virtual WAN. Industry accolades include the Gartner® Critical Capabilities for Network Firewalls in May 2023, where Check Point scored highest for Public Cloud Security Use Case. A more recent proof point is GigaOm’s Radar for Cloud Network Security, where Check Point was ranked as the Leader.
You can read more about CloudGuard Network Security for Azure Virtual WAN here.
Support for Direct Ingress
Until now, securing ingress traffic was not natively available inside the Virtual WAN hub.
Previously, securing ingress traffic required deploying a separate security cluster outside the Virtual WAN hub, as shown on the right side of the diagram below: a cluster of CloudGuard security gateways in its own vNet, which is then peered with the Virtual WAN hub. Traffic is routed to this cluster for deep packet inspection and advanced threat prevention, and from there into the Virtual WAN.
The new functionality can be thought of as a natural evolution of the Azure Virtual WAN security functionality: Microsoft built an external load balancer (ELB) into the Virtual WAN hub, as shown in the diagram below. The ELB allows users to attach one or more public IP addresses (multiple applications require multiple public IPs). This enables security inspection of ingress traffic to take place inside the Virtual WAN hub, rather than outside the hub as in the previous diagram.
Check Point is integrated with this new functionality via APIs between CloudGuard and the ELB. The integration enables CloudGuard to communicate directly with the ELB – when the user publishes an application, relevant traffic is directed to the Check Point CloudGuard Network Security gateway as the next hop. The gateway performs deep packet inspection, manages the NAT rules and access control rules, and allows access into the environment.
In the flow diagram below, ingress traffic from the Internet hits the public IP address; the ELB directs it to a CloudGuard gateway, which performs source NAT, and the traffic then goes directly to the application.
If the customer has an internal load balancer (ILB) for the application, traffic will go directly to the ILB as the next hop. Alternatively, if the customer uses an Application Gateway, the CloudGuard gateway directs the traffic to the app gateway internal IP, which will route traffic to the application.
For Azure customers who are not familiar with the integration between CloudGuard and Azure Virtual WAN, it is important to note that explicit routing is not needed and there are no route updates – it is all managed by the Azure Virtual WAN. All the user needs to do is configure access control and NAT policy.
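The flow in the three paragraphs above (ELB hands the connection to the gateway, the gateway applies access control and NAT, then forwards to the ILB or Application Gateway) can be modelled as a small, runnable policy pipeline. The following is an added illustration written for this article, not CloudGuard's or Azure's code or API: every address, rule name, published application and the `GATEWAY_SNAT_IP` value are constructed, and the policy is a first-match list with a final cleanup rule, which is an assumption about ordering rather than a description of the product's own engine. What it shows beyond the text is the order of operations a practitioner cares about: resolve the public IP/port to a published application first, evaluate access control against that application, and only then rewrite the destination to the backend and the source to the gateway so that return traffic comes back through the same stateful gateway.

```python
"""Illustrative model of the Direct Ingress traffic flow (added example, not product code).

A connection arriving on a public IP attached to the hub ELB is forwarded to the
security gateway, which (1) maps public IP/port to a published application,
(2) evaluates the access-control policy, and (3) applies DNAT to the application's
internal next hop (ILB frontend or Application Gateway IP) plus SNAT to the
gateway's own address so the backend's reply returns via the gateway.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PublishedApp:
    name: str
    public_ip: str   # public address attached to the hub ELB (constructed values below)
    port: int
    backend: str     # internal next hop: ILB frontend or Application Gateway private IP


@dataclass(frozen=True)
class AccessRule:
    name: str
    src_net: str     # CIDR the rule applies to
    app: str         # published application name, or "*" for any
    action: str      # "accept" or "drop"


# Constructed: the gateway's hub-side address used for source NAT.
GATEWAY_SNAT_IP = "10.0.1.4"


def lookup_app(apps, flow):
    """Map the public IP and port the ELB received the connection on to a published app."""
    for app in apps:
        if app.public_ip == flow.dst and app.port == flow.dport:
            return app
    return None


def match_rule(rules, app, flow):
    """First-match evaluation of the access-control policy (assumed ordering)."""
    for rule in rules:
        if rule.app not in ("*", app.name):
            continue
        if ip_address(flow.src) in ip_network(rule.src_net):
            return rule
    return None


def process_ingress(rules, apps, flow):
    """Return (verdict, matched_rule_name, translated_flow_or_None)."""
    app = lookup_app(apps, flow)
    if app is None:
        # Nothing published on this IP/port: drop before any policy evaluation.
        return ("drop", "no-published-app", None)
    rule = match_rule(rules, app, flow)
    if rule is None or rule.action != "accept":
        return ("drop", rule.name if rule else "implicit-drop", None)
    # DNAT to the backend next hop, SNAT to the gateway so the return path is symmetric.
    translated = replace(flow, src=GATEWAY_SNAT_IP, dst=app.backend)
    return ("accept", rule.name, translated)


# Constructed sample data (documentation address ranges, not real deployments).
APPS = [
    PublishedApp("shop", public_ip="203.0.113.10", port=443, backend="10.10.0.20"),  # behind an ILB
    PublishedApp("api", public_ip="203.0.113.11", port=443, backend="10.20.0.5"),    # Application Gateway IP
]
RULES = [
    AccessRule("block-scanner-range", "198.51.100.0/24", "*", "drop"),
    AccessRule("allow-shop-internet", "0.0.0.0/0", "shop", "accept"),
    AccessRule("allow-api-partner", "192.0.2.0/28", "api", "accept"),
    AccessRule("cleanup", "0.0.0.0/0", "*", "drop"),
]

if __name__ == "__main__":
    samples = [
        Flow("192.0.2.7", "203.0.113.10", 443),     # public user reaching the shop
        Flow("198.51.100.9", "203.0.113.10", 443),  # blocked source range
        Flow("192.0.2.200", "203.0.113.11", 443),   # non-partner source reaching the API
        Flow("192.0.2.7", "203.0.113.11", 8080),    # port with nothing published
    ]
    for f in samples:
        print(f, "->", process_ingress(RULES, APPS, f))
```

Running the block prints one verdict per sample flow; the accepted flow shows the destination rewritten to the ILB address and the source rewritten to the gateway address, which is the property that keeps the backend's replies flowing back through the inspecting gateway.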
For a technical deep dive into the new integration, please see here.
Bring your own IP
Organizations with public-facing applications may want to keep their application’s public IP address instead of using the cloud vendor’s IP addresses. One reason is to ensure consistency in their online presence, which is crucial for maintaining brand identity and customer trust. This also helps avoid potential disruptions that can occur when changing IP addresses.
The new functionality supports Bring Your Own IP, aligning with the strategic goals of businesses looking to optimize their digital infrastructure for long-term success. Specifically, it can use custom IP ranges that the organization brings to Azure, or it can use an IP range already inside Azure.
Benefits to customers
The new functionality provides a more efficient and elegant solution for securing ingress traffic, increases ease-of-use and simplifies tasks for cloud security teams, thus reducing complexity and operational overhead.
By replacing a manually deployed, external component with cloud-native, automated functionality inside the Virtual WAN hub, you can streamline your traffic flow and reduce the time and effort required from the security team.
A large number of Check Point customers already using CloudGuard for Virtual WAN security have been asking for the Direct Ingress functionality and have joined the Early Availability program to test how it works in their Virtual WAN deployments. Check Point’s Early Availability program will continue until Microsoft moves their Direct Ingress functionality from public preview to general availability.
Summary
This article explained Direct Ingress, Microsoft’s new functionality for Azure Virtual WAN, and the cloud-native integration between Check Point CloudGuard Network Security and Azure Virtual WAN which allows Check Point customers to benefit from the new functionality. We reviewed how this business use case was implemented before, how it is now implemented with the new functionality, and explained the new traffic flow.
Next Steps
Join an exciting technical deep dive into everything you need to know about CloudGuard’s new Direct Ingress functionality for Azure Virtual WAN. Our Technical Community Leader Shay Levin will cover step-by-step guidelines and configuration requirements, and host a thorough Q&A with the R&D team.
Schedule a demo today and see Direct Ingress in Check Point’s Azure Virtual WAN security solution, and get personalized expert guidance on meeting your organization’s cloud security needs.
If you would like to schedule a personalized technical workshop around CloudGuard Network Security, Azure Virtual WAN, or best practices for secure migration, please fill in this form and a cloud security architect will contact you to discuss your needs and schedule next steps.
If you would like to read the latest recognition from a cloud security analyst, the GigaOm Radar for Cloud Network Security ranked Check Point as the Leader as well as a Fast Mover. Check Point’s position is closest to the center of the Radar chart and thus judged to be of highest overall value.
Don’t forget about CPX 2024!
CPX is the industry’s premier cybersecurity summit, and it is the perfect opportunity to explore the latest solutions and strategies that protect organizations in today’s complex threat landscape. Read more here, and we hope to see you at the event!
If you have any other questions, please contact your local Check Point account representative or channel partner using the contact us link.
Follow and join the conversations about Check Point and CloudGuard on X (formerly Twitter), Facebook, LinkedIn, and Instagram.