Check Point Moves 90% of Production Workloads to AWS Fargate Spot, Cuts Costs by 58%

Check Point Software Technologies is a leading provider of cybersecurity solutions to corporate enterprises and governments globally. The company’s solutions are designed to protect customers from fifth-generation cyberattacks, which are multi-vector attacks that can infect multiple parts of an IT infrastructure. “We continuously analyze the threat landscape and how it is evolving, and then design our cloud security solutions to address these changes,” says TJ Gonen, head of cloud security programs for Check Point. “Right now, we’re especially focused on Gen6 attacks and are therefore building solutions that prevent them from happening to our customers.”

One of its solutions is the CloudGuard Dome9 platform, which enables businesses to visualize and automate their security and compliance environments. Check Point has run CloudGuard Dome9 on Amazon Web Services (AWS) since the platform’s launch. “When we started, AWS was the cloud vendor that offered the right services and APIs for our needs,” says Cfir Carmeli, DevOps and site reliability engineering (SRE) group manager for Check Point. “Now, as we’re moving more to containerized applications and a serverless architecture, AWS again offers the right technology for our requirements.” Specifically, Check Point uses AWS Fargate as a serverless compute engine to support its containerized applications, which run on an Amazon Elastic Container Service (Amazon ECS) cluster with more than 170 services and thousands of tasks at peak times.

Check Point sought new ways to deliver cost-effective security features to customers faster. “Each time we wanted to roll out new CloudGuard Dome9 features, our developers had to depend on our DevOps engineers for assistance,” Carmeli says. “That took time and resources and prevented us from getting features to customers quickly. Additionally, we had thousands of tasks, and our business kept growing. We wanted to control our AWS costs as we tried to meet that growth.”

To reduce costs, Check Point chose to use AWS Fargate Spot, a new capability in AWS Fargate that runs Amazon ECS tasks at a lower cost. Running Amazon ECS tasks on AWS Fargate Spot leverages spare compute capacity that is available in the AWS Cloud. “We see AWS Fargate Spot as the right choice for us because we can easily manage our containers while taking advantage of cost optimization,” says Carmeli.

The Check Point SRE team created a design focused on deploying AWS Fargate Spot tasks without downtime, tracking Spot task termination and maintaining reliability.

Check Point now runs its full compliance product suite on AWS Fargate Spot. “We are running CloudGuard Dome9 in production on AWS Fargate Spot, and we plan to move additional workloads there in the coming months,” says Carmeli.

Check Point migrated its full CloudGuard Dome9 production environment to AWS Fargate Spot quickly. “Migrating our CloudGuard Dome9 workloads to production on AWS Fargate Spot was a very simple process that only took two days,” Carmeli says. “And the design and implementation of our containers on Fargate Spot was easier than we expected.” Check Point now has more than 2,000 AWS Fargate Spot tasks in production.

Check Point immediately saw a decrease in container costs. “We reduced our application container costs by 58 percent by moving 90 percent of our CloudGuard Dome9 production workloads to AWS Fargate Spot,” says Carmeli. “That was one of the primary reasons for our migration, and the cost savings will enable us to invest more in our development.”

With the agility gained from using AWS, Check Point developers can create new services and features without requiring help from the DevOps team. “Our developers can easily create an application environment and start and run any workload without needing technical support,” says Carmeli. As a result, the company has increased the number of microservices. “We have 100 more weeks of services per asset than we had before, simply because it is so much easier and faster to develop using this environment.”

Check Point can be proactive about its customers’ security and compliance needs by relying on AWS serverless technologies. “By using AWS Lambda to drive a serverless model and centralize visibility, we can update our compliance rules that are running in CloudGuard Dome9 to address compliance requirements,” says Carmeli. “This helps us stay ahead of our customers’ security needs.”

Check Point will continue to explore new AWS services as it creates new applications and software features. “We are always evaluating AWS services,” Carmeli says. “As we grow our business, we know AWS will provide services that fit our specific business requirements.”

To learn more, visit aws.amazon.com/fargate.