reference deployment

Check Point CloudGuard Auto Scaling on AWS

For automatically scaled and dynamically secured web services in the AWS Cloud

This Quick Start deploys an Auto Scaling group of Check Point CloudGuard Security Gateways to protect a web service.

Check Point CloudGuard for AWS extends comprehensive enterprise-grade security, including zero-day threat protection, deep packet HTTPS inspection, intrusion prevention system (IPS), and complete application and identity awareness, to the AWS Cloud. It protects assets in the cloud from attacks while enabling secure connectivity, and lets you enforce consistent security policies across your entire organization.

When you deploy the Quick Start, you can choose to include load balancers, web servers, and a preconfigured Security Management Server to manage the Security Gateways. The deployment is automated by AWS CloudFormation templates and takes about 30 minutes.  



This Quick Start was developed by Check Point Software Technologies in collaboration with AWS. Check Point Software Technologies is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • Use this Quick Start to automatically set up the following Check Point CloudGuard Auto Scaling environment on AWS:

    • A highly available architecture that spans at least two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to allow access to the internet. This gateway is used by the CloudGuard Security Gateways to send and receive traffic.*
    • In the public subnets, CloudGuard Security Gateways in an Auto Scaling group.
    • Either an external Application Load Balancer that operates at the application layer or a Network Load Balancer that operates at the transport level, to route traffic from the internet to the CloudGuard Security Gateways.
    • (Optional) In a public subnet, a preconfigured CloudGuard Security Management Server, to manage the Security Gateways.
    • (Optional) In the private subnets, an Auto Scaling group of web servers.
    • If you choose to deploy your workload of web servers, an internal Application Load Balancer, to route traffic from the Security Gateways to your workload.

    *  The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To build your Check Point CloudGuard Auto Scaling environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at
    2. Subscribe to the Amazon Machine Image (AMI) for Check Point CloudGuard Security Gateway and (optionally) CloudGuard Security Management Server in AWS Marketplace. You can choose from several licensing options that are detailed in the deployment guide.
    3. Launch the Quick Start. Each deployment takes about 30 minutes. You can choose from two options:
    4. Review and test the deployment by verifying that your web service is accessible via the external Application or Network Load Balancer DNS address.

    To customize your deployment, you can configure your VPC, subnets, and Check Point CloudGuard settings. You can also include Security Management Server and web servers in your deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    This Quick Start requires subscriptions to the Amazon Machine Images (AMIs) for Check Point CloudGuard Security Gateway and (optionally) Security Management Server. These subscriptions are available from AWS Marketplace, and additional pricing, terms, and conditions may apply.

    You can choose one of the following licensing options for CloudGuard Security Gateway:

    You can choose one of the following licensing options for CloudGuard Security Management Server:

    To manage more than 25 Security Gateways, you must purchase a BYOL license by contacting Check Point Sales. If you already have a BYOL license and you’d like to use it for this deployment, visit the Licensing section in Check Point's Auto Scaling in Amazon Web Services (AWS) documentation.