Supporting internal Elastic Load Balancers (ELB) in Amazon Web Services (AWS)
Solution

Table of Contents

  • Prerequisites
  • Overview
  • Method of Operations
  • Configuration and Setup
  • Troubleshooting

 

Prerequisites

It is assumed that you are familiar with general Amazon Web Services (AWS) concepts and services like:

  • EC2
  • VPC
  • ELB

 

Overview

Elastic Load Balancers (ELBs) are load balancers provided by AWS. An ELB operates either as an Internet-facing ELB or as an internal ELB.
An external ELB is normally accessible from the Internet and distributes traffic as it enters a VPC.
An internal ELB has similar capabilities but is only accessible from within a VPC.

This article explains how to deploy a Check Point Security Gateway in VPC in front of an internal ELB.
The Check Point Security Gateway will:

  • Receive incoming traffic
  • Screen the traffic based on its Security Policy
  • Forward the traffic to an internal ELB

The internal ELB would then forward the traffic to actual instances, such as web servers.

This feature is available starting from Check Point R77.10 Take 36.

 

Method of Operations

Amazon Web Services (AWS) assigns each ELB a DNS Name. According to AWS, the set of IP addresses associated with this DNS Name can change over time.

To forward the traffic to the internal ELB, we will be using a logical server object.

In a regular Check Point environment, a logical server is a special Check Point object that ties an IP address to a group of predefined physical servers behind the firewall.
Traffic arriving at the gateway that matches a rule with the logical server in the rule's Destination cell is distributed among that group of physical servers.

When the Check Point Security Gateway is running in AWS, the semantics of this logical server change.

Instead of distributing traffic to a static list of IP addresses, the gateway periodically resolves the list using DNS and uses a round-robin algorithm to distribute the traffic among the set of IP addresses currently associated with the DNS Name of the ELB.

Note: this change in behavior only affects Check Point Security Gateways running in AWS and only when the Logical Servers are configured to use the "Domain" Balance Method as described below.

 

Configuration and Setup

We assume that you have already deployed a Check Point Security Gateway in AWS VPC. For more details refer to the Getting Started Guide

Note: The internal ELB name as defined in AWS, must follow certain restrictions to ensure that the vSEC Gateway for AWS will be able to resolve it properly. For more details, refer to sk116653 - Restrictions for Internal ELB names in Amazon Web Services (AWS).

Create an internal ELB by following the Create a Basic Internal Load Balancer in Amazon VPC document.

When you are done, note the DNS Name provided by AWS for this internal ELB:


In the SmartDashboard:

  1. Right-click on Network Objects, go to Node menu -> select Host...



  2. In the Name field, enter dummyHost

  3. In the IPv4 Address field, enter any private IP address, such as 192.168.1.1



  4. Right-click on Network Objects -> go to Groups menu -> select Simple Group...



  5. In the Name field, enter: dummyGroup

  6. Add dummyHost to the group



  7. Right-click on Network Objects, go to Others menu -> select Logical Server...



  8. In the Name field, enter the DNS name provided by AWS
    (e.g., internal-InternalELB-1087819072.us-east-1.elb.amazonaws.com)

  9. In the IPv4 Address field, enter a private IP address associated with the gateway instance.

  10. In the Server's type, select Other (select "Other" even if you are working with HTTP traffic).

  11. In the Servers group field, select the dummyGroup object you created previously.

  12. Check the box Persistent server mode and leave the default option Persistency by service.

  13. In the Balance Method section, select Domain.



  14. At the top, go to the Firewall tab -> click on Policy.

  15. Add the following network security rule:

    • Source: Any
    • Destination: The Logical Server object you have created above
    • Service: Any service or services that are provided by this ELB (e.g., HTTP)
    • Install On: The Check Point Security Gateway in AWS



  16. If the Check Point Security Gateway is not designated as the default route in the relevant VPC subnets, you should follow the steps below to set up a NAT (Network Address Translation) to source-NAT these connections.

    Create a Host object with the following attributes:

    • Name: gateway-elb-external (or any other descriptive name)
    • IPv4 Address: The private IP address assigned to the external interface of the gateway that handles this traffic (10.0.0.30 in this example)



    Create a Host object with the following attributes:
    • Name: gateway-internal (or any other descriptive name)
    • IPv4 Address: The private IP address assigned to the internal interface of the gateway (10.0.1.20 in this example)



    Add a NAT (Network Address Translation) rule with the following attributes:

    Original Packet:
    • Source: All_Internet
    • Destination: gateway-elb-external
    • Service: Any service, or services, that are provided by this ELB (e.g., HTTP)

    Translated Packet:
    • Source: H gateway-internal (Hiding Address)
    • Destination: = Original
    • Service: = Original

    Install On: Policy Targets

    Example:



  17. Install the Security policy on the gateway.

Note: If you need to forward traffic arriving at different private IP addresses to the same ELB, create multiple Logical Server objects. Since two objects cannot have the same name (in this case, the DNS name of the ELB), make the Logical Server name unique by appending the underscore character "_" to the name.
For example, to create two Logical Servers, both associated with an ELB whose name is internal-InternalELB-123.us-east-1.elb.amazonaws.com but with different private IP addresses, create the following objects:

Object Name
Object #1 internal-InternalELB-123.us-east-1.elb.amazonaws.com_1
Object #2 internal-InternalELB-123.us-east-1.elb.amazonaws.com_2

 

Also see: What Is Elastic Load Balancing?

Troubleshooting

For this feature to work properly, the Security Gateway should be configured with at least one DNS server that can resolve the DNS Name of the ELB.

To verify that DNS is set properly, log in to the Security Gateway in Expert mode and run: dig <ELB_DNS_Name>

You should get at least one "A" record in the "ANSWER SECTION:" of the output.

You can also see the list of currently resolved addresses by running (in Expert mode) the command:

[Expert@HostName:0]# fw tab -t logical_servers_list_table

 

The output consists of entries, one entry for each logical server and each rule in which it is used.
For example, consider the following entry:

-------- logical_servers_list_table --------
dynamic, id 166, attributes: , hashsize 512, limit 25000
<0a0a0a0a, 00000002; 00000084, c6336405, c6336406>

This indicates that a logical server whose private IP address is 10.10.10.10 (represented in hexadecimal as 0a0a0a0a) is used in rule 2 (00000002) and was resolved to IP 198.51.100.5 (0xc6336405) and IP 198.51.100.6 (0xc6336406).
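As an added example (not Check Point's code or output), the following Python helper decodes entries in the format shown above into dotted-quad addresses and compares them with the "A" records returned by dig, so that stale addresses, or addresses the gateway has not picked up yet, stand out. The sample table text is constructed, and treating the first word after ";" as a non-address is an assumption based only on the single entry above.

```python
import ipaddress
import re

# Constructed sample of `fw tab -t logical_servers_list_table` output, modelled on
# the entry format shown above (not captured from a real gateway).
SAMPLE_OUTPUT = """\
-------- logical_servers_list_table --------
dynamic, id 166, attributes: , hashsize 512, limit 25000
<0a0a0a0a, 00000002; 00000084, c6336405, c6336406>
<0a0a0a0b, 00000005; 00000084, c6336407>
"""

# One entry: <logical-server-IP, rule-number; word, resolved-IP, resolved-IP, ...>
ENTRY_RE = re.compile(r"<\s*([0-9a-f]{8}),\s*([0-9a-f]{8});\s*([^>]*)>", re.I)


def hex_to_ip(word):
    """Decode an 8-hex-digit word such as 'c6336405' into the dotted quad '198.51.100.5'."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_logical_servers_table(text):
    """Return one dict per entry: logical server IP, rule number and resolved ELB IPs.

    Assumption (based only on the single entry on this page): the first word after
    ';' (00000084 in the example) is not an address and is skipped; every later
    word is a resolved A record.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        words = [w.strip() for w in m.group(3).split(",") if w.strip()]
        entries.append({
            "logical_server_ip": hex_to_ip(m.group(1)),
            "rule": int(m.group(2), 16),
            "resolved": [hex_to_ip(w) for w in words[1:]],
        })
    return entries


def compare_with_dns(entries, dns_a_records):
    """Compare each entry's cached IPs with the A records `dig` currently returns.

    Yields (logical_server_ip, rule, stale, missing): `stale` are cached IPs DNS no
    longer returns, `missing` are current A records the gateway has not picked up
    yet (expected briefly, until the next periodic resolve).
    """
    current = set(dns_a_records)
    for e in entries:
        cached = set(e["resolved"])
        yield e["logical_server_ip"], e["rule"], cached - current, current - cached
```

On a real gateway, paste the output of fw tab into SAMPLE_OUTPUT and the addresses from the "ANSWER SECTION:" of dig into the second argument of compare_with_dns.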
