How To Use Private and Nested Cloudspaces to Deploy a Custom Virtual Firewall with Check Point Image

Introduction

Starting from version 2.5.3 of the OpenvCloud software, the GIG Edge Cloud introduces private and nested cloudspaces to unlock more advanced networking within one or several Virtual Data Centers. A short overview:

  • Public cloudspaces, the only cloudspaces that were available until now and still the default option, have a public Internet routable IP address and can expose services from Virtual Machines (VMs) via port forwards. The virtual firewall of the public cloudspace also takes care of
    • handing out IP addresses to the VMs via DHCP
    • bootstrapping VMs at first boot through cloud-init
    • acting as the default gateway for the VMs inside the cloudspace
  • Private cloudspaces do the same as public cloudspaces except that they have no public Internet routable IP address. Hence a private cloudspace provides no port forwards and does not act as the default gateway for the VMs inside it; it does, however, still hand out IP addresses to the VMs and bootstrap them via cloud-init.
  • Nested cloudspaces also do the same as public cloudspaces, with the difference that the "public" interface of the virtual firewall sits in the private network of the parent cloudspace rather than being exposed to the Internet.

This makes it possible for users of the GIG Edge Cloud to bring a virtual network appliance of their choice to implement the security controls they need (anti-DDoS, IDS, virus scanning, etc.), apply advanced firewall configurations and specific routing policies. A user can now deploy a virtual firewall from an image of choice and gets full access to the appliance.

This tutorial shows how to use the new networking features to deploy a virtual datacenter using a private cloudspace and/or a nested cloudspace with a custom virtual firewall. We chose Check Point R80.10.

The tutorial then explains how to set up the cloudspaces with a custom virtual gateway using Terraform and how to configure the Check Point R80.10 VM to route external traffic to the other components.

Prerequisites

Terraform version used in this tutorial: 0.11.14, OVC provider version: 1.3.1.

To deploy the infrastructure on the GIG Edge Cloud with Terraform you will need to ensure access to an account, install Terraform and install OVC Terraform Provider. Make sure to use compatible versions of the provider and Terraform. For detailed information on installation, generating access token and creating configurations with Terraform see this tutorial.

Note that cloud-init is currently not supported for Check Point template images on OpenvCloud. The recommended way is to install the Check Point software from the ISO image.

If needed contact the administrator of your account to ensure that all required images are accessible:

  • CD-ROM image of Check Point R80.10 to deploy the security appliance (iso)
  • Template image of choice to deploy the machines on the nested cloudspace (qcow2)

Architecture

picture

We chose the following design to implement the Check Point VM as the virtual firewall for our virtual datacenter.

The Check Point machine is a virtual machine installed from the Check Point ISO image and attached to an external network. It is set as the default gateway of the private cloudspace, acts as the firewall and forwards traffic from the outside to the other components of the deployment.

The private cloudspace is a cloudspace without a public interface, created to host the Check Point machine and, in our case, a nested cloudspace within its private network. Additional services can run in VMs deployed on the private cloudspace.

The nested cloudspace is a cloudspace with the private cloudspace as its parent. It manages its own private network, and its virtual firewall has an IP address on the parent network (the private cloudspace). Machines in the nested cloudspace reach the Internet via the virtual firewall of the nested cloudspace, which in turn sends outbound traffic to its own default gateway, the private IP address of the Check Point machine. The VMs in the nested cloudspace are meant to run the actual services and applications delivered by this virtual datacenter.

Two kinds of NAT are configured in the Check Point software. A source NAT (hide NAT) rule translates outbound traffic from the private network to one of the external public IPs of the Check Point VM, which gives the machines in the nested cloudspace Internet access. A destination NAT rule forwards incoming Internet traffic arriving on that external IP to the IP address of the nested cloudspace's virtual firewall in the private cloudspace. The configuration of the Check Point is covered in the Configure Check Point section.

Example

For the sake of illustration let's consider a practical example with the following components:

  • Private cloudspace with its private network deployed behind the virtual gateway
  • Custom network appliance VM based on Check Point OS
  • One or several VMs on the private cloudspace in DMZ network
  • Nested cloudspace
  • One or several server VMs on the nested cloudspace

Configuration requirements:

  • Internet traffic is forwarded by the Check Point machine to the machines on the network of the nested cloudspace via destination NAT
  • VMs on private and nested cloudspaces are reachable via SSH

picture

Below are the steps to deploy and configure such an infrastructure.

Deploy infrastructure with Terraform

Terraform configuration

Find below an example of the Terraform configuration for a cloudspace with a custom virtual gateway. The configuration consists of three files:

  • main.tf describes all the resources that will be deployed and data sources that will be fetched to provide the necessary information like image IDs, external network ID.
  • variables.tf describes all variables used in main.tf
  • terraform.tfvars sets values for all variables. Instead of setting variables in a file, you can set them as environment variables passed to the terraform process; for example, the environment variable TF_VAR_machine_name sets the variable machine_name. Use this mechanism for the client_jwt token rather than writing it into the file.
main.tf
provider "ovc" {
  server_url = "${var.server_url}"
  client_jwt = "${var.client_jwt}"
}
# Data source of checkpoint CD-ROM image
data "ovc_disk" "checkpoint" {
    account = "${var.account}"
    name = "${var.checkpoint}"
    type = "C"
}
# Data source of server image
data "ovc_image" "default" {
  account = "${var.account}"
  most_recent = true
  name_regex = "(?i).*\\.?ubuntu.*16"
}
# Data source of external network
data "ovc_external_network" "net" {
  name = "${var.external_network}"
}
# Resource definition for the private cloudspace
resource "ovc_cloudspace" "private" {
  account = "${var.account}"
  private_network = "192.168.22.0/24"
  name = "${var.private_cs_name}"
  mode = "private"
}
# Resource definition for the nested cloudspace
resource "ovc_cloudspace" "nested" {
  account = "${var.account}"
  name = "${var.nested_cs_name}"
  mode = "nested"
  private_network = "192.168.2.0/24"   # must not overlap the parent's private network
  external_network_id = "${ovc_cloudspace.private.id}"
}
# Resource definition for the checkpoint machine
resource "ovc_machine" "checkpoint" {
  cloudspace_id = "${ovc_cloudspace.private.id}"
  image_id      = "${data.ovc_image.default.image_id}" # image used for the first boot
  disk_id       = "${data.ovc_disk.checkpoint.id}"           # cd-rom with checkpoint image
  memory        = "${var.checkpoint_memory}"
  vcpus         = "${var.checkpoint_vcpus}"
  disksize      = "${var.checkpoint_disksize}"
  name          = "${var.checkpoint_machine_name}"
  description   = "Checkpoint machine deployed with Terraform"
  userdata      = "${var.userdata}"
  act_as_default_gateway = true
  interfaces = [
    {
      "network_id" = "${data.ovc_external_network.net.id}"
    }
  ] 
}
# Resource definition for a machine on the private cloudspace (DMZ network)
resource "ovc_machine" "vm_in_dmz" {
  cloudspace_id = "${ovc_cloudspace.private.id}"
  image_id = "${data.ovc_image.default.image_id}"
  memory = "${var.server_memory}"
  vcpus = "${var.server_vcpus}"
  disksize = "${var.server_disksize}"
  name = "VM-in-DMZ"
  description = "machine deployed on private CS in DMZ network"
}
# Resource definition for a server machine on the nested cloudspace
resource "ovc_machine" "server" {
  cloudspace_id = "${ovc_cloudspace.nested.id}"
  image_id      = "${data.ovc_image.default.image_id}"
  memory        = "${var.server_memory}"
  vcpus         = "${var.server_vcpus}"
  disksize      = "${var.server_disksize}"
  name          = "${var.server_machine_name}"
  description   = "Server machine deployed with Terraform"
  userdata      = "${var.userdata}"
}
# Resource definition for port forward
resource "ovc_port_forwarding" "port_forward_server" {
  cloudspace_id = "${ovc_cloudspace.nested.id}"
  public_ip = "${ovc_cloudspace.nested.external_network_ip}"
  public_port = 2201
  machine_id = "${ovc_machine.server.id}"
  local_port = 22
  protocol = "tcp"
}
output "checkpoint-nics" {
  value = "${ovc_machine.checkpoint.interfaces}"
}
output "checkpoint-internal-ip" {
  value = "${ovc_machine.checkpoint.ip_address}"
}
output "private-network-private-cs" {
  value = "${ovc_cloudspace.private.private_network}"
}
output "external-network-gateway" {
  value = "${data.ovc_external_network.net.gateway}"
}
  
variables.tf
variable "server_url" {
  description = "API server URL"
}
variable "client_jwt" {
  description = "itsyouonline jwt token"
}
variable "account" {
  description = "account"
}
variable "external_network" {
  description = "external network name"
}
variable "private_cs_name" {
  description = "name of private cloudspace"
  default = "PRIVATE-CS"
}
variable "nested_cs_name" {
  description = "name of nested cloudspace"
  default = "NESTED-CS"
}
variable "server_disksize" {
  description = "data disk size"
  default = 10
}
variable "server_machine_name" {
  description = "server machine name"
  default = "SERVER-VM"
}
variable "server_memory" {
  description = "server machine memory"
  default = 2048
}
variable "server_vcpus" {
  description = "number of virtual CPUs on the server machine"
  default = 2
}
variable "checkpoint" {
  description = "CheckPoint CD-ROM image name"
}
variable "checkpoint_disksize" {
  description = "data disk size"
  default = 100
}
variable "checkpoint_machine_name" {
  description = "checkpoint machine name"
  default = "CHECK-POINT-VM"
}
variable "checkpoint_memory" {
  description = "checkpoint machine memory"
  default = 8192
}
variable "checkpoint_vcpus" {
  description = "number of virtual CPUs on the checkpoint machine"
  default = 4
}
variable "userdata" {
  description = "cloud-init user data (add your SSH public keys to ssh-authorized-keys)"
  default = "users: [{name: root, shell: /bin/bash, ssh-authorized-keys: []}]"
}
  
terraform.tfvars
# OVC Account name, your IYO account must have access to it.
account = ""
# G8 api url
server_url= ""
# client_jwt is deliberately not set in this file: export it as TF_VAR_client_jwt
# so the token is not written to disk next to the configuration.
external_network = ""
# checkpoint disk name
checkpoint = ""
# User data to be added to the VM; put your SSH public key(s) in ssh-authorized-keys,
# otherwise these users cannot log in over SSH.
userdata = "users: [{name: user, shell: /bin/bash, ssh-authorized-keys: []},{name: root, shell: /bin/bash, ssh-authorized-keys: []}]"

After applying the configuration, Terraform prints the outputs defined above in the CLI output:

checkpoint-internal-ip = <Internal IP>
private-network-private-cs = <Private Network IP range>/<Private Network mask length>
external-network-gateway = <External Network Gateway IP>
checkpoint-nics = [
    {
        ip_address = <External IP>/<External Network mask length>
        network_id = <External Network ID>
    }
]

The internal and external IP addresses are needed for the next step.

Configure Check Point

Install Check Point OS

Once the infrastructure is deployed, access the Check Point machine via the VNC console on the user portal. Since in this example the installation is performed from an ISO disk, a few manual steps are needed. If the machine did not boot from the ISO the first time, reset it from the portal. When the installation wizard of the Check Point CD-ROM appears, follow its steps to install the Check Point OS. The wizard is mainly used to set the login and password for the Check Point machine; the remaining settings are configured after the installation.

After the installation completes, the machine reboots. To stop booting from the ISO and boot the machine normally, update the ovc_machine.checkpoint resource in main.tf by removing the disk_id entry:

main.tf
...
# Resource definition for the checkpoint machine
resource "ovc_machine" "checkpoint" {
  cloudspace_id = "${ovc_cloudspace.private.id}"
  image_id      = "${data.ovc_image.default.image_id}" # image used for the first boot
  memory        = "${var.checkpoint_memory}"
  vcpus         = "${var.checkpoint_vcpus}"
  disksize      = "${var.checkpoint_disksize}"
  name          = "${var.checkpoint_machine_name}"
  description   = "Checkpoint machine deployed with Terraform"
  userdata      = "${var.userdata}"
  act_as_default_gateway = true
  interfaces = [
    {
      "network_id" = "${data.ovc_external_network.net.id}"
    }
  ] 
}
...

To reboot the machine, reapply the Terraform configuration. Run terraform plan first and confirm that the only planned change is an in-place update of ovc_machine.checkpoint (removing the CD-ROM disk), not a replacement of the machine, which would discard the installation you just did:

terraform apply --auto-approve

After the reboot again access the machine via VNC console and login with credentials chosen during the installation.

picture

Enable Internet Access on the Nested Cloudspace

In the steps below replace the IPs with the ones you got from the Terraform output.

Configure the internal interface (eth0, the NIC in the private cloudspace) and the public interface (eth1, the NIC on the external network) in the console:

set interface eth0 ipv4-address <Internal IP> mask-length <Private Network mask length>
set interface eth1 ipv4-address <External IP> mask-length <External Network mask length>
set interface eth1 state on

Set the default route to the gateway of the external network (the external-network-gateway output; it is the first IP in the external network range):

set static-route default nexthop gateway address <External Network Gateway IP> on

Finally run save config so that these settings survive a reboot.
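As an added example, not part of the original tutorial or of the OVC provider: the script below reads the Terraform output shown above (a constructed sample with documentation addresses is embedded), checks that the addresses are consistent (internal IP inside the private network, gateway inside the external subnet and not equal to the VM's own IP, no overlap between the two networks) and produces the clish commands to type into the console. It assumes the interface naming used in this tutorial (eth0 internal, eth1 external) and appends Gaia's save config so the settings persist across reboots.

```python
"""Derive the Gaia clish commands for the Check Point VM from the Terraform
outputs and sanity-check the addresses before typing them into the console.
Added example; not part of the tutorial's own code."""
import ipaddress
import re

# Constructed sample of the `terraform apply` output shown above; the
# addresses come from documentation ranges and are not real.
SAMPLE_OUTPUT = """\
checkpoint-internal-ip = 192.168.22.14
private-network-private-cs = 192.168.22.0/24
external-network-gateway = 203.0.113.1
checkpoint-nics = [
    {
        ip_address = 203.0.113.25/24
        network_id = 42
    }
]
"""

SCALAR_OUTPUTS = ("checkpoint-internal-ip", "private-network-private-cs",
                  "external-network-gateway")


def parse_outputs(text):
    """Extract the scalar outputs and the first NIC's ip_address from the
    Terraform output text. Raises ValueError if an output is missing."""
    values = {}
    for key in SCALAR_OUTPUTS:
        m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(\S+)\s*$", text, re.M)
        if not m:
            raise ValueError("output %r not found" % key)
        values[key] = m.group(1)
    m = re.search(r"ip_address\s*=\s*(\S+)", text)
    if not m:
        raise ValueError("checkpoint-nics contains no ip_address")
    values["external-ip"] = m.group(1)   # e.g. 203.0.113.25/24
    return values


def check_addresses(values):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    private_net = ipaddress.ip_network(values["private-network-private-cs"])
    internal_ip = ipaddress.ip_address(values["checkpoint-internal-ip"])
    external_if = ipaddress.ip_interface(values["external-ip"])
    gateway = ipaddress.ip_address(values["external-network-gateway"])
    if internal_ip not in private_net:
        problems.append("internal IP %s is not inside %s" % (internal_ip, private_net))
    if gateway not in external_if.network:
        problems.append("gateway %s is not inside %s" % (gateway, external_if.network))
    if gateway == external_if.ip:
        problems.append("gateway equals the VM's own external IP")
    if private_net.overlaps(external_if.network):
        problems.append("private network overlaps the external network")
    return problems


def gaia_commands(values):
    """Build the clish commands for eth0 (internal), eth1 (external) and the
    default route; refuses to produce commands for inconsistent addresses."""
    problems = check_addresses(values)
    if problems:
        raise ValueError("; ".join(problems))
    private_net = ipaddress.ip_network(values["private-network-private-cs"])
    external_if = ipaddress.ip_interface(values["external-ip"])
    return [
        "set interface eth0 ipv4-address %s mask-length %d"
        % (values["checkpoint-internal-ip"], private_net.prefixlen),
        "set interface eth1 ipv4-address %s mask-length %d"
        % (external_if.ip, external_if.network.prefixlen),
        "set interface eth1 state on",
        "set static-route default nexthop gateway address %s on"
        % values["external-network-gateway"],
        "save config",   # persist the configuration across the next reboot
    ]


if __name__ == "__main__":
    # Paste the real `terraform apply` output in place of SAMPLE_OUTPUT.
    print("\n".join(gaia_commands(parse_outputs(SAMPLE_OUTPUT))))
```

The checks matter because a wrong mask length or a gateway outside the external subnet leaves the VM unreachable from the Internet, and the only way back in is the VNC console.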

Now that the Check Point VM is connected to the Internet, open the Gaia web UI in a browser at https://<External IP> and proceed with the First Time Configuration Wizard. The portal presents a self-signed certificate on first access, so expect a browser warning. Since the portal now listens on a public IP, restrict access to it (and to SmartConsole) to trusted administrative addresses once the gateway is up.

picture

No changes are required during the steps, just let the wizard complete the installation.

Download SmartConsole and connect to the Check Point gateway. Note that SmartConsole runs only on Windows machines.

picture

In SmartConsole create a new network object

picture

Choose a name for the network, for example local net, and set the network address and mask to those of the private cloudspace (192.168.22.0/24 in the example configuration)

picture

Choose the option to hide the network behind the gateway. This is the source NAT (hide NAT) that gives the private network outbound Internet access.

picture

To let traffic from the local net network pass the gateway, add an access rule that allows the icmp-requests service with action Accept, so that connectivity can be tested with ping.

picture

Press the Install Policy button, then publish and install the policy. The machine deployed in the nested cloudspace now has access to the Internet.

Allow SSH connection

On the Check Point machine we need to add a policy allowing SSH connections to the machines on the private network. Start by adding the required TCP services

picture

To allow SSH to a range of machines in the nested cloudspace, specify the range

picture

To allow SSH connections to the VM deployed in the private cloudspace, create a new rule and add the machine's port

picture

Next add the nested VGW network object and the private machine host object: Object → Host

picture picture

Add NAT rules

picture

picture

Install and publish the policy. The machine deployed in the private cloudspace and the machines deployed in the nested cloudspace can now be accessed via SSH. Where possible, restrict the source of these access rules to your administrative addresses instead of Any, since they expose SSH on the public IP.

Conclusion

This tutorial describes how to use private and nested cloudspaces to deploy a private network behind a fully customizable virtual firewall. The firewall configuration is illustrated with Check Point OS. The configuration example shows how to enable Internet access and allow SSH connections to the virtual machines on both the private and the nested cloudspace. Using the architectural principles described in this tutorial, users can create various complex network architectures by adding more nested cloudspaces to a private cloudspace or by using doubly nested cloudspaces. Check Point OS was used as an example; any other virtual firewall software can be installed and configured in this setup.