CloudGuard Network Security for AWS - Cloud WAN Integration, Overview, and Best Practices
Solution

Overview

AWS Cloud WAN is a managed wide-area network (WAN) service that lets customers easily connect and route their data centers, remote sites, and cloud applications over the AWS global network.

Cloud WAN enables customers to create and operate their wide-area networks with simple network policies, removing the necessity to stitch together different networking, security, and third-party services.

Cloud WAN improves network security with built-in network segmentation capabilities, making it easier for customers to manage network isolation across their AWS or on-premises locations.

Cloud WAN provides the control plane for how customer traffic flows through the AWS global network for their geographically dispersed use-cases, making it possible to create high-performance, scalable, and secure wide-area networks in minutes.


Check Point CloudGuard Network Security integrates with Cloud WAN through the existing Gateway Load Balancer (GWLB) integration. This integration simplifies what would otherwise be an equivalent but more complex architecture built from Transit Gateways plus GWLB.

Cloud WAN Feature Details

Cloud WAN is a good selection for customers who want to operate in multiple regions, provide connectivity between sites through AWS's backbone, or prefer AWS-managed routing and automation.

The policy language in Cloud WAN makes it simple to manage security policies between connectivity methods across regions in one declarative document.

Cloud WAN operates primarily on layer 3 (routing) security. Cloud WAN uses its policy to steer selected traffic through a particular attachment where a firewall sits (a VPC or TGW Connect attachment), and uses attachment-level tags to determine which segment, new or existing, an attachment maps to. For Check Point customers, integration with Cloud WAN offers a simpler L3 insertion of firewalls through the policy language.

Key Cloud WAN components:
  • AWS Network Manager - The user interface in the AWS Management Console and related APIs to manage your global network centrally.
  • Global Network - A private network that acts as the root-level container for your network objects. A global network can contain both Transit Gateways and a Core Network.
  • Core Network - The part of your global network managed by AWS.
  • Core Network Policy - One versioned policy document that defines all aspects of your core network.
  • Attachments - Connections or resources you want to add to your core network. Supported attachments include VPCs, VPNs, and Connect attachments.
  • Core Network Edge (CNE) - A Regional connection point for your attachments as defined in the policy. Under the hood, Cloud WAN uses technology similar to Transit Gateway. AWS manages it, but there are differences (dynamic routing is one example).
  • Network Segments - Routing domains that, by default, only allow communication within the segment, enforced consistently throughout the global network. They strongly enforce layer 3 routing domains (unless you create sharing relationships in your network policy).

The latest Cloud WAN service documentation is available from AWS.

Prerequisites


Deployment Steps

  1. Create the AWS Global Network
  2. Create the AWS Segments
  3. Create the AWS Cloud WAN Policy
  4. Deploy the CloudGuard for AWS GWLB CFT in each region, per traffic inspection requirements (NOTE: CloudGuard does not have to be deployed in every Cloud WAN region).
  5. Create the Security VPC attachment with the tag that maps it to its segment
  6. Create a Spoke VPC attachment with the tag that maps it to its segment (repeat for every Spoke VPC)
  7. Add the Spoke VPC route to the GWLBe and NAT Gateway subnets (repeat for each Spoke VPC)
  8. Edit the Spoke VPC route table (repeat for every Spoke VPC)
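The policy document that steps 2, 3, 5 and 6 produce is easier to reason about in code than in prose. The following is an added example, not Check Point's CFT and not AWS sample code: it builds a core network policy with Dev, Prod and Security segments, a default route from each spoke segment to the Security VPC attachment, and a tag-based attachment rule, then checks the segmentation invariants this sk relies on. Key names follow the AWS core network policy schema (version 2021.12) as the author understands it and should be confirmed against current AWS documentation; the attachment ID, ASN range and Regions are constructed placeholders.

```python
"""Build and sanity-check an AWS Cloud WAN core network policy document.

Added example for this sk; not Check Point's CFT and not AWS sample code.
Key names follow the AWS core network policy schema (version 2021.12) as
understood by the author; confirm them against current AWS documentation.
The attachment ID, ASN range and Regions below are constructed placeholders.
"""
import json

SPOKE_SEGMENTS = ["dev", "prod"]      # segments whose traffic is sent for inspection
SECURITY_SEGMENT = "security"         # segment holding the Security VPC (GWLB + CloudGuard ASG)
SECURITY_ATTACHMENT = "attachment-PLACEHOLDER"   # replace with the Security VPC attachment ID
EDGE_LOCATIONS = ["us-east-1", "eu-west-1"]      # constructed example Regions


def build_policy(spokes=SPOKE_SEGMENTS, security=SECURITY_SEGMENT,
                 security_attachment=SECURITY_ATTACHMENT, edges=EDGE_LOCATIONS):
    """Return a policy dict: spoke segments plus a security segment, a default
    route from every spoke segment to the Security VPC attachment, and a
    tag-based rule that maps each attachment to the segment named in its tag."""
    segments = [{"name": s, "require-attachment-acceptance": False} for s in spokes]
    segments.append({"name": security, "require-attachment-acceptance": False})

    segment_actions = [
        # Share the security segment's routes with the spokes so inspected
        # traffic has a return path from the Security VPC to each spoke.
        {"action": "share", "mode": "attachment-route",
         "segment": security, "share-with": list(spokes)},
    ]
    for s in spokes:
        # "Dev segment route table sends traffic to the Security segment":
        # a static default route from the spoke segment to the Security VPC attachment.
        segment_actions.append({"action": "create-route", "segment": s,
                                "destination-cidr-blocks": ["0.0.0.0/0"],
                                "destinations": [security_attachment]})

    # Deployment steps 5 and 6: attachments carry a "segment" tag whose value
    # names the segment they join, so no per-attachment policy edit is needed.
    attachment_policies = [{
        "rule-number": 100,
        "conditions": [{"type": "tag-exists", "key": "segment"}],
        "action": {"association-method": "tag", "tag-value-of-key": "segment"},
    }]
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": False,
            "asn-ranges": ["64512-64555"],
            "edge-locations": [{"location": r} for r in edges],
        },
        "segments": segments,
        "segment-actions": segment_actions,
        "attachment-policies": attachment_policies,
    }


def check_policy(policy, security=SECURITY_SEGMENT):
    """Return a list of findings; an empty list means the segmentation and
    inspection invariants described in the sk hold for this document."""
    findings = []
    names = {s["name"] for s in policy["segments"]}
    spokes = names - {security}
    actions = policy["segment-actions"]

    # Every spoke segment must default-route to the security attachment.
    defaulted = {a["segment"] for a in actions
                 if a["action"] == "create-route"
                 and "0.0.0.0/0" in a.get("destination-cidr-blocks", [])}
    for s in sorted(spokes - defaulted):
        findings.append(f"segment {s} has no default route to the security attachment")

    # Only the security segment may share routes; a spoke sharing with another
    # spoke would bypass inspection (share-with may be a list or "*").
    for a in actions:
        if a["action"] == "share" and a["segment"] != security:
            findings.append(f"segment {a['segment']} shares routes directly: {a['share-with']}")
    shared = {a["segment"] for a in actions if a["action"] == "share"}
    if security not in shared:
        findings.append("security segment does not share routes back to the spokes")

    # Every referenced segment must exist, and tag-based mapping must be present.
    for a in actions:
        if a["segment"] not in names:
            findings.append(f"action references unknown segment {a['segment']}")
    if not any(p["action"].get("association-method") == "tag"
               for p in policy["attachment-policies"]):
        findings.append("no tag-based attachment policy; attachments will not auto-map")
    return findings


if __name__ == "__main__":
    doc = build_policy()
    print(json.dumps(doc, indent=2))
    print("findings:", check_policy(doc) or "none")
```

Run the script to print the JSON that would be submitted as the core network policy; `check_policy` is the kind of review to apply before every policy version change, since a stray `share` action between two spoke segments silently removes the firewall from that path.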

Deployment Templates

Template: Cloud WAN Global Network with Security VPC

Description: Deploys and configures an AWS Cloud WAN Global Network and an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

Notes (new VPC): This CFT deploys:
  • An AWS Cloud WAN Global Network and Core Network with 3 segments, basic policy and a Security VPC with Gateway Load Balancer
  • Check Point CloudGuard Network Security Gateway Auto Scaling Group
  • An optional Security Management Server
  • AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN
Version: R80.40

Notes (existing VPC): This CFT deploys:
  • An AWS Cloud WAN Global Network and Core Network with 3 segments, basic policy and a Gateway Load Balancer
  • Check Point CloudGuard Network Security Gateway Auto Scaling Group
  • An optional Security Management Server
  • AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN
Version: R80.40

Template: Security VPC attached to an existing Cloud WAN Core Network

Description: Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer and a Cloud WAN Core Network attachment.

Notes (new VPC): This CFT deploys:
  • AWS Gateway Load Balancer
  • Check Point CloudGuard Network Security Gateway Auto Scaling Group
  • An optional Security Management Server
  • AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN, and attaches the VPC to an existing Cloud WAN Core Network
Version: R80.40

Notes (existing VPC): This CFT deploys:
  • AWS Gateway Load Balancer
  • Check Point CloudGuard Network Security Gateway Auto Scaling Group
  • An optional Security Management Server
  • AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN, and attaches the VPC to an existing Cloud WAN Core Network
Version: R80.40



Reference Architecture

  • Use one security VPC for each region to prevent cross-region charges.
  • The region's CloudGuard Network Security (CGNS) GWLB/ASG pool inspects inbound traffic without it traversing the Cloud WAN segments.
  • Outbound traffic egresses from the same region the traffic originated from.


Example Flows

EAST/WEST (cross-region only; cross-AZ support is on the roadmap)

1.) EC2 instance in VPC #1 sends all traffic to the Cloud WAN Core Network
2.) The first hop sends traffic to the Dev segment
3.) The Dev segment route table sends traffic to the Security segment
4.) Traffic is then directed to the Cloud WAN attachment subnet
5.) The attachment subnet's default route sends it to the Gateway Load Balancer endpoint (GWLBe)
6.) From the GWLBe, traffic goes to the Gateway Load Balancer (GWLB)
7.) The GWLB encapsulates the traffic with GENEVE and sends it to the Check Point CloudGuard Auto Scaling Group (ASG), where the traffic is inspected
8.) After inspection, the traffic is sent back to the GWLB for GENEVE decapsulation
9.) The GWLB sends the traffic back to the original GWLBe
10.) The GWLBe returns it to the Dev segment in Cloud WAN
11.) The Cloud WAN route table sends the traffic to the destination EC2 instance in VPC #2



EGRESS

1.) The default route for all egress traffic is the Cloud WAN Core Network
2.) Traffic hits the Prod segment, which then forwards it to the Security segment
3.) From the Security segment, traffic flows to the Cloud WAN attachment subnet
4.) From the Cloud WAN attachment subnet, traffic progresses to the GWLBe
5.) The GWLBe passes traffic to the GWLB
6.) The GWLB encapsulates the traffic with GENEVE and passes it to the CloudGuard ASG
7.) CloudGuard inspects the traffic and allows or drops it
8.) If allowed, traffic is directed back to the GWLB, where it is decapsulated and sent back to the original GWLBe
9.) The GWLBe sees that the traffic is destined for the internet and passes it to the NAT Gateway
10.) The NAT Gateway passes the traffic to the Internet Gateway (IGW)
11.) The IGW sends the traffic on to its destination



INGRESS

1.) Ingress traffic arrives at the Internet Gateway (IGW)
2.) Traffic is passed to the GWLBe
3.) From the GWLBe, traffic is sent to the GWLB for GENEVE encapsulation and then passed to the CloudGuard ASG
4.) The CloudGuard ASG inspects the traffic and allows or drops it
5.) If accepted, traffic is passed back to the GWLB for decapsulation and then sent back to the original GWLBe
6.) The GWLBe sends the traffic to the destination External Load Balancer (ELB)
7.) The ELB distributes the traffic to the backend EC2 instance pool
8.) Traffic arrives at the App subnet EC2 instances
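The three flows above all depend on the Security VPC's own route tables choosing the right next hop after inspection (deployment step 7). The following added illustration, not the sk's own data or a CFT, models those tables with constructed CIDRs and label targets and traces a packet with longest-prefix match, as VPC route tables do. The GWLBe -> GWLB -> CloudGuard -> GWLBe inspection loop is collapsed into the single "gwlbe" hop. The last function shows what happens when the spoke routes from step 7 are missing: east/west return traffic is sent to the NAT Gateway instead of back into Cloud WAN.

```python
"""Trace a packet through the Security VPC route tables implied by the
Example Flows, using longest-prefix match as VPC route tables do.

Added illustration for this sk, not the sk's own data or a CFT: the CIDRs,
table names and targets are constructed. The GWLBe -> GWLB -> CloudGuard
-> GWLBe inspection loop is collapsed into the single "gwlbe" hop.
"""
import copy
import ipaddress

SECURITY_VPC = "10.0.0.0/16"                   # constructed Security VPC CIDR
ELB_SUBNET = "10.0.3.0/24"                     # constructed subnet holding the external ELB
SPOKE_CIDRS = ["10.1.0.0/16", "10.2.0.0/16"]   # constructed VPC #1 and VPC #2 CIDRs

# Route tables as (destination CIDR, target); targets are labels, not AWS IDs.
ROUTE_TABLES = {
    # Cloud WAN attachment subnet: everything goes to the GWLBe for inspection.
    "attachment-subnet": [(SECURITY_VPC, "local"), ("0.0.0.0/0", "gwlbe")],
    # GWLBe subnet: internet-bound to the NAT Gateway, spoke CIDRs back to the core network.
    "gwlbe-subnet": [(SECURITY_VPC, "local"), ("0.0.0.0/0", "nat-gateway")]
                    + [(c, "core-network") for c in SPOKE_CIDRS],
    # NAT Gateway subnet: out via the IGW, spoke CIDRs (return traffic) via the GWLBe.
    "nat-subnet": [(SECURITY_VPC, "local"), ("0.0.0.0/0", "igw")]
                  + [(c, "gwlbe") for c in SPOKE_CIDRS],
    # IGW edge association: ingress for the ELB subnet is steered to the GWLBe first.
    "igw-edge": [(ELB_SUBNET, "gwlbe")],
}

# Which table is consulted after a hop; any other target ends the trace.
NEXT_TABLE = {"gwlbe": "gwlbe-subnet", "nat-gateway": "nat-subnet"}


def lookup(table, dst, tables=ROUTE_TABLES):
    """Longest-prefix match of dst in the named table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in tables[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(start_table, dst, tables=ROUTE_TABLES):
    """Return the list of targets a packet to dst visits, starting at start_table."""
    hops, table = [], start_table
    while table is not None and len(hops) < 8:       # hop bound guards against loops
        target = lookup(table, dst, tables)
        if target is None:
            hops.append("blackhole")
            break
        hops.append(target)
        table = NEXT_TABLE.get(target)
    return hops


def misconfigured_tables():
    """Same layout, but deployment step 7 was skipped: no spoke routes in the
    GWLBe and NAT Gateway subnets."""
    tables = copy.deepcopy(ROUTE_TABLES)
    for name in ("gwlbe-subnet", "nat-subnet"):
        tables[name] = [r for r in tables[name] if r[0] not in SPOKE_CIDRS]
    return tables


if __name__ == "__main__":
    print("egress     :", trace("attachment-subnet", "198.51.100.7"))
    print("east/west  :", trace("attachment-subnet", "10.2.5.5"))
    print("ingress    :", trace("igw-edge", "10.0.3.10"))
    print("NAT return :", trace("nat-subnet", "10.1.4.4"))
    print("east/west without spoke routes:",
          trace("attachment-subnet", "10.2.5.5", misconfigured_tables()))
```

The egress trace ends at the IGW, the east/west trace returns to the core network, and the ingress trace lands on the local ELB subnet, matching the three flows. With the spoke routes removed, the east/west packet follows the 0.0.0.0/0 route to the NAT Gateway and leaves through the IGW, which is why step 7 has to be repeated for every Spoke VPC CIDR that is added later.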



Additional Information

  • Maximum bandwidth for each VPC attachment: Up to 50 Gbps
  • MTU:


Related Solution:
sk174447 - CloudGuard Network Security for AWS Gateway Load Balancer Architecture Options
