How Well Does CloudGuard IaaS Support Azure Security?
Jun 12, 2019 / Checkpoint
Check Point CloudGuard IaaS provides support for Microsoft Azure and hybrid cloud deployments, and thereby improves Azure security. This isn’t surprising, considering that Azure is a leading public cloud vendor and is trusted by 95% of Fortune 500 companies, most of which are also Check Point customers.
But how well does CloudGuard IaaS support Azure?
One way to answer this question is to refer back to Microsoft itself:
Reshmi Yandapalli, Principal Program Manager of Azure Networking, published a blog in February outlining considerations when building or choosing Azure security and networking services.
The blog is titled “Best practices to consider before deploying a network virtual appliance”. In the blog, Dr. Yandapalli defines a network virtual appliance (NVA) and outlines four best practices for networking and security ISVs like Check Point to improve the cloud experience for Microsoft Azure customers.
I reviewed the blog’s four best practices with the Check Point R&D team that is responsible for CloudGuard IaaS development and its future roadmap. This is what I learned:
Azure accelerated networking support:
The blog recommends that the ISV’s Azure security solution be available on one or more Azure VM types that support Azure’s accelerated networking capability, in order to improve networking performance.
The following picture shows communication between two VMs with and without accelerated networking:
According to Amir Kaushansky, Product Manager of CloudGuard IaaS, Check Point was the first vendor to be certified as compliant with Azure accelerated networking. Accelerated networking can be used to significantly improve performance and reduce latency, jitter, and CPU utilization.
Depending on workload and VM size, we have observed ~2-3X increased throughput as a direct result of Azure accelerated networking.
Each Azure VM type has one or more NICs (Network Interface Controllers). The article explains that using VMs with multiple NICs improves network traffic management via traffic isolation. For example, you can use one NIC for data plane traffic and one NIC for management plane traffic.
CloudGuard IaaS supports multi-NIC VMs, regardless of the number of NICs. Check Point recommends the use of VMs with at least 2 NICs; VMs with 1 NIC are supported but not recommended.
Depending on the customer’s deployment architecture, one NIC may be used for internal (“East-West”) traffic while the second may be used for outbound/inbound (“North-South”) traffic.
HA Port with Azure Load Balancer:
It is not surprising that the article states that Azure security and networking services should be reliable and highly available.
Dr. Yandapalli recommends using a High Availability (HA) port load balancing rule.
Kaushansky adds that CloudGuard IaaS supports this functionality with a Standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard easily in High Availability mode.
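To make the three recommendations above concrete, here is an added example (not Check Point's deployment template and not code from the post) that builds the same pieces with the Az PowerShell module: two NICs that separate data-plane from management-plane traffic, accelerated networking enabled on both, and an internal Standard load balancer whose single rule uses HA ports (protocol All, frontend and backend port 0) in front of the appliance's data NIC. The resource-group name, region, address ranges, VM size, health-probe port and the image reference are all assumptions; substitute the values of the appliance you actually deploy.

```powershell
# Added example (not Check Point's template): two NICs with accelerated networking
# plus an internal Standard load balancer with an HA ports rule, using the Az module.
# All names, address ranges, the VM size, probe port and image reference are assumptions.

$rg       = "nva-example-rg"      # assumed resource group name
$location = "westeurope"          # assumed region
$vmSize   = "Standard_DS3_v2"     # assumed size; pick one that supports accelerated networking

New-AzResourceGroup -Name $rg -Location $location

# One VNet with separate subnets for data-plane and management-plane traffic
$dataSubnet = New-AzVirtualNetworkSubnetConfig -Name "data" -AddressPrefix "10.0.1.0/24"
$mgmtSubnet = New-AzVirtualNetworkSubnetConfig -Name "mgmt" -AddressPrefix "10.0.2.0/24"
$vnet = New-AzVirtualNetwork -Name "nva-vnet" -ResourceGroupName $rg -Location $location `
          -AddressPrefix "10.0.0.0/16" -Subnet $dataSubnet, $mgmtSubnet
$dataSubnetId = ($vnet.Subnets | Where-Object Name -eq "data").Id
$mgmtSubnetId = ($vnet.Subnets | Where-Object Name -eq "mgmt").Id

# Internal load balancer; HA ports rules require the Standard SKU
$frontend = New-AzLoadBalancerFrontendIpConfig -Name "dataFrontend" -SubnetId $dataSubnetId
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name "nvaPool"
# Probe port is an assumption: use the port the appliance's health check actually answers on
$probe    = New-AzLoadBalancerProbeConfig -Name "nvaProbe" -Protocol Tcp -Port 8117 `
              -IntervalInSeconds 5 -ProbeCount 2
# The HA ports rule: protocol All with frontend and backend port 0 forwards every
# TCP and UDP flow on every port through the healthy appliance instances in the pool
$rule     = New-AzLoadBalancerRuleConfig -Name "haPorts" -FrontendIpConfiguration $frontend `
              -BackendAddressPool $pool -Probe $probe -Protocol All `
              -FrontendPort 0 -BackendPort 0 -EnableFloatingIP
$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "nva-ilb" -Location $location `
        -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $pool `
        -Probe $probe -LoadBalancingRule $rule

# Data-plane NIC: member of the load balancer backend pool, IP forwarding on
$dataNic = New-AzNetworkInterface -Name "nva-data-nic" -ResourceGroupName $rg -Location $location `
             -SubnetId $dataSubnetId -LoadBalancerBackendAddressPoolId $lb.BackendAddressPools[0].Id `
             -EnableAcceleratedNetworking -EnableIPForwarding
# Management-plane NIC: isolated from data traffic and not behind the load balancer
$mgmtNic = New-AzNetworkInterface -Name "nva-mgmt-nic" -ResourceGroupName $rg -Location $location `
             -SubnetId $mgmtSubnetId -EnableAcceleratedNetworking

$cred = Get-Credential -Message "Appliance admin credentials"
$vm = New-AzVMConfig -VMName "nva-vm" -VMSize $vmSize
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName "nva-vm" -Credential $cred
# Placeholder image reference: substitute the marketplace publisher/offer/SKU you deploy
$vm = Set-AzVMSourceImage -VM $vm -PublisherName "<publisher>" -Offer "<offer>" -Skus "<sku>" -Version "latest"
$vm = Add-AzVMNetworkInterface -VM $vm -Id $dataNic.Id -Primary   # data NIC is the primary NIC
$vm = Add-AzVMNetworkInterface -VM $vm -Id $mgmtNic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm
```

A single instance behind the load balancer shows the wiring but not high availability; for the HA mode the post describes, a second appliance with its own data NIC is placed in the same backend pool, and the probe decides which instances receive traffic. Route tables that steer East-West or North-South flows at the load balancer's frontend address are left out here.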
Support for Virtual Machine Scale Sets (VMSS):
The article’s last best-practice recommendation is to use Azure Virtual Machine Scale Sets to provide high availability as well as the management and automation layers for Azure security, networking and other applications. This cloud-native functionality provides the right amount of IaaS resources depending on application needs at any given time.
Similarly to the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of inbound/outbound and East-West traffic.