
Implement a secure Azure environment with Check Point CloudGuard

Thanks to the flexibility of cloud platforms, businesses are steadily moving towards a network design that includes a cloud resource – be it for testing, high availability, regulatory requirements or other purposes. As you can imagine, it’s crucial to secure cloud environments properly, but all too often, the security of these publicly available resources in the architecture remains just an afterthought. How do we remedy this?

1. Introducing Check Point CloudGuard

The platform’s built-in security tools are insufficient on their own:

  • They offer no advanced security features: beyond basic address and port filtering there is no threat prevention.
  • Logging is minimal, so there is little visibility into what was allowed or blocked.
  • They don’t give a clear overview of the security of your IT processes.

This is where Check Point CloudGuard comes in. In Azure, a Check Point CloudGuard gateway allows the customer to:

  • Protect company websites published on the Internet.
  • Secure internal (east-west) traffic between spokes and within a vNet through microsegmentation.
  • Inspect outgoing communication with next-generation features.
  • Protect traffic between the cloud and the on-site data centre.

2. Did you know…

… that Azure deployments can be automated to include a CloudGuard gateway?

Most engineers today are familiar with the Azure Marketplace and know how to install a resource by clicking through the wizard. More advanced consultants use ARM templates or PowerShell scripts for deployment and fine-tuning. The most effective approach is to deploy a complete Virtual Datacenter, including a CloudGuard gateway, through one automated procedure.

At Xylos, deployment of a standard vNet including a CloudGuard gateway and controller is fully automated.
 

… that a Check Point CloudGuard gateway can be further automated?

After deploying a new CloudGuard gateway, you still need to configure the usual settings, such as firewall rules and security settings. This post-deployment work is where the remaining manual effort sits, and it can be automated as well.

There are several ways to make the Network Security Admin’s life easier:

  • Check Point’s Management API (REST over HTTPS, also exposed through mgmt_cli) lets the Admin script the creation of objects and rules; note that the Gaia REST API covers operating-system settings such as interfaces and routes, not the security policy.
  • Tags on Azure resources are picked up by the CloudGuard Controller, which adds the tagged resources to the matching Check Point object groups, so applications are secured as soon as they appear and the security policy follows Azure changes without a manual rule edit.
  • Managing the configuration centrally with Ansible. The inventory lists hosts and groups; YAML playbooks describe the desired state, and variables, roles and dependencies fine-tune how those playbooks run.
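As an added example (not code from the original post, from Xylos or from Check Point), the script below drives the Management API flow described above in Python: log in, create a host object, add a logged Accept rule for it, publish, and log out, with the session’s pending changes discarded if any step fails. The management URL, the API user and password, the host name and address, and the `Network` layer name are placeholders; `RecordingTransport` is a constructed stand-in for the network so the script runs offline, and `https_transport` is the real transport to swap in.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

# Placeholder management server (assumption for this example).
MGMT_URL = "https://mgmt.example.invalid/web_api"


class MgmtApiError(RuntimeError):
    """The management server answered with an error document ("code" + "message")."""


class MgmtClient:
    """Minimal client for the Check Point Management API: POST /web_api/<command>.
    transport is a callable (url, headers, json_body) -> decoded JSON reply."""

    def __init__(self, base_url: str, transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid  # session id handed out by login
        reply = self.transport(f"{self.base_url}/{command}", headers, payload or {})
        if "code" in reply and "message" in reply:  # shape of an API error reply
            raise MgmtApiError(f"{command}: {reply['code']}: {reply['message']}")
        return reply

    def login(self, user: str, password: str) -> None:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self) -> None:
        if self.sid is not None:
            self.call("logout")
            self.sid = None


def https_transport(url, headers, body, cafile=None):
    """Real transport. Management servers come with a self-signed certificate:
    point cafile at the exported CA rather than turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        return json.loads(resp.read().decode())


class RecordingTransport:
    """Constructed stand-in for the network so the script runs offline: records
    every call and answers like a healthy server, or with an API error for the
    command named in fail_on."""

    def __init__(self, fail_on: Optional[str] = None) -> None:
        self.calls: List[Tuple[str, Optional[str], Dict[str, Any]]] = []
        self.fail_on = fail_on

    def __call__(self, url, headers, body):
        command = url.rsplit("/", 1)[-1]
        self.calls.append((command, headers.get("X-chkp-sid"), body))
        if command == self.fail_on:
            return {"code": "generic_err_invalid_parameter", "message": "simulated failure"}
        if command == "login":
            return {"sid": "sid-constructed-0001"}
        return {"uid": f"uid-{len(self.calls):04d}"}


def onboard_host(client, name, ip, layer="Network", services=("https",)):
    """Create a host object and a logged Accept rule for it, then publish. On any
    API error the session's pending changes are discarded, so a failed run leaves
    nothing half-applied for the next admin to stumble over."""
    try:
        client.call("add-host", {"name": name, "ip-address": ip})
        client.call("add-access-rule", {
            "layer": layer, "position": "top", "name": f"allow-{name}",
            "source": ["Any"], "destination": [name], "service": list(services),
            "action": "Accept", "track": {"type": "Log"},
        })
        client.call("publish")
    except MgmtApiError:
        client.call("discard")
        raise


def run_example(fail_on=None):
    """Run the flow against the recording transport; returns (recorded calls, error)."""
    transport = RecordingTransport(fail_on)
    client = MgmtClient(MGMT_URL, transport)
    error = None
    client.login("api-user", "api-password")  # placeholder credentials
    try:
        onboard_host(client, "web-01", "10.1.2.10")  # placeholder host
    except MgmtApiError as exc:
        error = str(exc)
    finally:
        client.logout()  # always release the session, even after a failure
    return transport.calls, error
```

To run it against a real server, pass `functools.partial(https_transport, cafile="mgmt-ca.pem")` to `MgmtClient` instead of `RecordingTransport`; `publish` only commits the session, so an `install-policy` call on the gateway is still needed before the rule takes effect.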
     

… that CloudGuard adapts to your needs?

With Azure Virtual Machine Scale Sets, the number of Check Point CloudGuard gateways follows demand: as the amount of protected resources is scaled up or down, the number of Security Gateways providing the protection scales with it.

(Diagram: Inbound)

(Diagram: Inbound reply)

3. Secure and flexible

Now that the CloudGuard gateway is protecting your cloud environment and your resources are secure, what comes next?

The CloudGuard Controller is integrated with Azure. When DevOps deploys a new web or database server with a tag that has already been registered in the Controller, the new resource is automatically added to the configured object groups and therefore to the rules in which those groups are used. Because tags now decide which rules a resource falls under, write access to tags must be restricted in Azure RBAC just as carefully as access to the firewall policy itself.
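An added illustration of the tag-driven membership described above (this is not the Controller’s code, which is Check Point’s): a constructed Azure inventory stands in for what the Controller reads from the Azure API, a tag query stands in for the data-centre object configured in the Controller, and the script computes the membership delta when DevOps deploys a new tagged VM. Tag keys, values, VM names and addresses are made up. It also includes the check a practitioner would want: only an allow-listed set of tag keys may steer policy, since whoever can write tags on a VM could otherwise move it into an allowed group.

```python
from typing import Dict, List, Set, Tuple

# Constructed inventory: each VM's private IP and tags, as the Controller would
# read them from Azure. Mixed-case keys are deliberate (see _normalised_tags).
INVENTORY: List[Dict[str, object]] = [
    {"name": "web-01", "ip": "10.1.2.10", "tags": {"Role": "web", "Env": "prod"}},
    {"name": "web-02", "ip": "10.1.2.11", "tags": {"role": "web", "env": "prod"}},
    {"name": "db-01",  "ip": "10.1.3.10", "tags": {"role": "db",  "env": "prod"}},
    {"name": "web-99", "ip": "10.1.2.99", "tags": {"role": "web", "env": "test"}},
]

# Only these tag keys may drive policy membership (assumed allow-list).
POLICY_TAG_KEYS = frozenset({"role", "env"})


def _normalised_tags(tags: Dict[str, str]) -> Dict[str, str]:
    # Azure tag names are case-insensitive; tag values are case-sensitive.
    return {k.lower(): v for k, v in tags.items()}


def resolve_group(query: Dict[str, str], inventory) -> Set[str]:
    """Private IPs of every VM whose tags match all key=value pairs in query."""
    want = _normalised_tags(query)
    disallowed = set(want) - POLICY_TAG_KEYS
    if disallowed:
        raise ValueError(f"tag keys not allowed to drive policy: {sorted(disallowed)}")
    members: Set[str] = set()
    for vm in inventory:
        tags = _normalised_tags(vm["tags"])
        if all(tags.get(k) == v for k, v in want.items()):
            members.add(vm["ip"])
    return members


def plan_update(current: Set[str], desired: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Membership delta to push to the gateway: (addresses to add, addresses to remove)."""
    return desired - current, current - desired


def deploy_vm(inventory, name: str, ip: str, tags: Dict[str, str]) -> None:
    """Simulates DevOps deploying a tagged VM, the event that triggers a Controller refresh."""
    inventory.append({"name": name, "ip": ip, "tags": dict(tags)})


def run_example() -> Dict[str, Set[str]]:
    """Resolve the production web group, deploy web-03, and compute the delta."""
    inventory = [dict(vm, tags=dict(vm["tags"])) for vm in INVENTORY]  # private copy
    query = {"Role": "web", "env": "prod"}
    before = resolve_group(query, inventory)
    deploy_vm(inventory, "web-03", "10.1.2.12", {"role": "web", "env": "prod"})
    after = resolve_group(query, inventory)
    added, removed = plan_update(before, after)
    return {"before": before, "after": after, "added": added, "removed": removed}
```

A query that matches nothing yields an empty group, which silently turns every rule using it into a no-op; alerting on an empty resolution is cheap and catches a mistyped tag before it becomes an outage or, for a block rule, an unintended hole.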

Additionally, Check Point’s SmartConsole lets you view logs, threats and configuration for all your physical and virtual Check Point devices in one place.

If you’d like to take things a step further, AWS and Google Cloud are also supported, and Check Point’s Dome9 (now part of the CloudGuard family) lets you audit and change your multi-cloud environment.

 

Do you need more information on how Xylos deploys Azure Virtual Datacenters? Take a look at our website and my colleague’s blog. Christof explains in-depth how to automatically deploy a VDC set-up.
