This Quick Start deploys an Auto Scaling group of Check Point CloudGuard Security Gateways to protect a web service.
Check Point CloudGuard for AWS extends comprehensive enterprise-grade security, including zero-day threat protection, deep packet HTTPS inspection, intrusion prevention system (IPS), and complete application and identity awareness, to the AWS Cloud. It protects assets in the cloud from attacks while enabling secure connectivity, and lets you enforce consistent security policies across your entire organization.
When you deploy the Quick Start, you can choose to include load balancers, web servers, and a preconfigured Security Management Server to manage the Security Gateways. The deployment is automated by AWS CloudFormation templates and takes about 30 minutes.
What you'll build
Use this Quick Start to automatically set up the following Check Point CloudGuard Auto Scaling environment on AWS:
- A highly available architecture that spans at least two Availability Zones.*
- A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
- An internet gateway to allow access to the internet. This gateway is used by the CloudGuard Security Gateways to send and receive traffic.*
- In the public subnets, CloudGuard Security Gateways in an Auto Scaling group.
- Either an external Application Load Balancer that operates at the application layer or a Network Load Balancer that operates at the transport layer, to route traffic from the internet to the CloudGuard Security Gateways.
- (Optional) In a public subnet, a preconfigured CloudGuard Security Management Server, to manage the Security Gateways.
- (Optional) In the private subnets, an Auto Scaling group of web servers.
- If you choose to deploy your workload of web servers, an internal Application Load Balancer, to route traffic from the Security Gateways to your workload.
* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.
How to deploy
To build your Check Point CloudGuard Auto Scaling environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:
- If you don't already have an AWS account, sign up at https://aws.amazon.com.
- Subscribe to the Amazon Machine Image (AMI) for Check Point CloudGuard Security Gateway and (optionally) CloudGuard Security Management Server in AWS Marketplace. You can choose from several licensing options that are detailed in the deployment guide.
- Launch the Quick Start. Each deployment takes about 30 minutes. You can choose from two options:
- Review and test the deployment by verifying that your web service is accessible via the external Application or Network Load Balancer DNS address.
To customize your deployment, you can configure your VPC, subnets, and Check Point CloudGuard settings. You can also include Security Management Server and web servers in your deployment.
Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.
Cost and licenses
You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.
The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.
This Quick Start requires subscriptions to the Amazon Machine Images (AMIs) for Check Point CloudGuard Security Gateway and (optionally) Security Management Server. These subscriptions are available from AWS Marketplace, and additional pricing, terms, and conditions may apply.
You can choose one of the following licensing options for CloudGuard Security Gateway:
- CloudGuard IaaS Next-Gen Firewall w. Threat Prevention & SandBlast - BYOL
- CloudGuard IaaS Next-Gen Firewall with Threat Prevention - PAYG-NGTP
- CloudGuard IaaS Next-Gen Firewall with Threat Prevention and SandBlast - PAYG-NGTX
You can choose one of the following licensing options for CloudGuard Security Management Server:
- CloudGuard IaaS Security Management - BYOL
- CloudGuard IaaS Security Management for 25 Security Gateways - PAYG-MGMT
To manage more than 25 Security Gateways, you must purchase a BYOL license by contacting Check Point Sales. If you already have a BYOL license and you’d like to use it for this deployment, visit the Licensing section in Check Point's Auto Scaling in Amazon Web Services (AWS) documentation.