feat(CGNSPC-1324): AWS | CFT | IPv6 Support | Autoscale. (#556)

Co-authored-by: Aviv Meydan <avivm@checkpoint.com>
Co-authored-by: michaeltz <michaeltz@checkpoint.com>
Co-authored-by: liavb <liavb@checkpoint.com>

Author: 4 people

aws/templates/asg/README.md

@@ -1,5 +1,5 @@
-
 ## Security Gateway Auto Scaling
+
 <table>
     <thead>
         <tr>
@@ -19,4 +19,29 @@
     </tbody>
 </table>
 <br/>
-<br/>
+<br/>
+
+## Revision History
+
+In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
+
+| Template Version | Description                                                                                                                         |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| 20260310         | Added IPv6 support via IPMode variable.                                                                                             |
+| 20260101         | Templates version 20260101 and higher support R82.10                                                                                |
+| 20250826         | Changed the default solution version to R82-BYOL                                                                                    |
+| 20250821         | Added new Auto Scale Group and Management templates for deployments with new VPC                                                    |
+| 20241225         | Add references to Administration Guides in the description of templates                                                             |
+| 20241204         | Add support for instance types C7i, M7a, R7a                                                                                        |
+| 20241027         | Templates version 20241027 and higher support R82                                                                                   |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                                     |
+| 20240414         | Add support for Elastic Load Balancer Health Checks                                                                                 |
+| 20240131         | Network Load Balancer Health Check configuration change for higher than R81 version. New Health Check Port is 8117 and Protocol TCP |
+| 20230923         | Add support for C5d instance type                                                                                                   |
+| 20230521         | Change default shell for the admin user to /etc/cli.sh                                                                              |
+| 20221226         | Support ASG Launch Template instead of Launch Configuration                                                                         |
+| 20221123         | Templates version 20221123 and higher support R81.20                                                                                |
+| 20220606         | New instance type support                                                                                                           |
+| 20210329         | Stability fixes                                                                                                                     |
+| 20210309         | AWS Terraform modules refactor                                                                                                      |
+| 20200318         | First release of Check Point Auto Scaling Terraform module for AWS                                                                  |

aws/templates/asg/autoscale-master.yaml

@@ -1,7 +1,7 @@
 ---
 AWSTemplateFormatVersion: 2010-09-09
 Description: |
-  Create an Auto Scaling group of Check Point gateways into a new VPC (20260302)
+  Create an Auto Scaling group of Check Point gateways into a new VPC (20260310)
   See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps.
 Metadata:
   AWS::CloudFormation::Interface:
@@ -32,6 +32,7 @@ Metadata:
           - PrivateSubnet4CIDR
           - AutoScaleGroupName
           - GatewayName
+          - IPMode
           - VolumeSize
           - VolumeType
           - EnableVolumeEncryption
@@ -50,9 +51,6 @@ Metadata:
           - ControlGatewayOverPrivateOrPublicAddress
           - ManagementServer
           - ConfigurationTemplate
-          - ELBType
-          - ELBPort
-          - ELBClients
     ParameterLabels:
       AvailabilityZones:
         default: Availability Zones
@@ -82,6 +80,8 @@ Metadata:
         default: Gateways Instance type
       KeyName:
         default: Key name
+      IPMode:
+        default: IP Configuration Mode
       VolumeSize:
         default: Root volume size (GB)
       VolumeType:
@@ -122,12 +122,6 @@ Metadata:
         default: Management Server Settings - Management Name
       ConfigurationTemplate:
         default: Management Server Settings - Configuration template
-      ELBType:
-        default: Proxy Settings - Proxy type
-      ELBPort:
-        default: Proxy Settings - Proxy port
-      ELBClients:
-        default: Proxy Settings - Allowed proxy clients
       AutoScaleGroupName:
         default: Auto Scale Group name
 Parameters:
@@ -431,6 +425,14 @@ Parameters:
     Type: AWS::EC2::KeyPair::KeyName
     MinLength: 1
     ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  IPMode:
+    Description: Specifies the IP mode for the Autoscale Group and AWS resources.
+    Type: String
+    AllowedValues:
+      - IPv4
+      # - IPv6
+      - DualStack
+    Default: IPv4
   VolumeSize:
     Type: Number
     Default: 200
@@ -568,20 +570,6 @@ Parameters:
     Default: ASG-configuration
     MinLength: 1
     MaxLength: 30
-  ELBType:
-    Type: String
-    Default: none
-    AllowedValues:
-      - none
-      - internal
-      - internet-facing
-  ELBPort:
-    Type: Number
-    Default: 8080
-  ELBClients:
-    Type: String
-    Default: 0.0.0.0/0
-    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
   AutoScaleGroupName:
     Description: The Name of the Auto Scaling Group. (optional)
     Type: String
@@ -590,12 +578,13 @@ Parameters:
 Conditions:
   4AZs: !Equals [!Ref NumberOfAZs, 4]
   3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
-  CreateELB: !Not [!Equals [!Ref ELBType, none]]
+  IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
 Resources:
   VPCStack:
     Type: AWS::CloudFormation::Stack
     Properties:
-      TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+      TemplateURL:
+        !If [IsIPv6Enabled, https://cgi-cfts.s3.amazonaws.com/utils/vpc-ipv6.yaml, https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml]
       Parameters:
         AvailabilityZones: !Join [',', !Ref AvailabilityZones]
         NumberOfAZs: !Ref NumberOfAZs
@@ -608,6 +597,7 @@ Resources:
         PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
         PrivateSubnet3CIDR: !Ref PrivateSubnet3CIDR
         PrivateSubnet4CIDR: !Ref PrivateSubnet4CIDR
+        IPMode: !Ref IPMode
   AutoScaleStack:
     Type: AWS::CloudFormation::Stack
     Properties:
@@ -643,15 +633,9 @@ Resources:
         ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
         ManagementServer: !Ref ManagementServer
         ConfigurationTemplate: !Ref ConfigurationTemplate
-        ELBType: !Ref ELBType
-        ELBPort: !Ref ELBPort
-        ELBClients: !Ref ELBClients
         AutoScaleGroupName: !Ref AutoScaleGroupName
+        IPMode: !Ref IPMode
 Outputs:
-  URL:
-    Description: The URL of the Proxy.
-    Condition: CreateELB
-    Value: !GetAtt AutoScaleStack.Outputs.URL
   SecurityGroup:
     Description: The Security Group of the Auto Scaling group.
     Value: !GetAtt AutoScaleStack.Outputs.SecurityGroup

aws/templates/asg/autoscale.yaml

@@ -1,7 +1,7 @@
 ---
 AWSTemplateFormatVersion: 2010-09-09
 Description: |
-  Create an Auto Scaling group of Check Point gateways into an existing VPC (20260302)
+  Create an Auto Scaling group of Check Point gateways into an existing VPC (20260310)
   See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps
 Metadata:
   AWS::CloudFormation::Interface:
@@ -22,6 +22,7 @@ Metadata:
           default: Advanced Settings
         Parameters:
           - GatewayName
+          - IPMode
           - VolumeSize
           - VolumeType
           - EnableVolumeEncryption
@@ -41,9 +42,6 @@ Metadata:
           - ControlGatewayOverPrivateOrPublicAddress
           - ManagementServer
           - ConfigurationTemplate
-          - ELBType
-          - ELBPort
-          - ELBClients
     ParameterLabels:
       VPC:
         default: VPC
@@ -55,6 +53,8 @@ Metadata:
         default: Gateways Instance type
       KeyName:
         default: Key name
+      IPMode:
+        default: IP Configuration Mode
       VolumeSize:
         default: Root volume size (GB)
       VolumeType:
@@ -95,12 +95,6 @@ Metadata:
         default: Management Server Settings - Server
       ConfigurationTemplate:
         default: Management Server Settings - Configuration template
-      ELBType:
-        default: Proxy Settings - Proxy type
-      ELBPort:
-        default: Proxy Settings - Proxy port
-      ELBClients:
-        default: Proxy Settings - Allowed proxy clients
       AutoScaleGroupName:
         default: Auto Scale Group name
 Parameters:
@@ -346,6 +340,14 @@ Parameters:
     Type: AWS::EC2::KeyPair::KeyName
     MinLength: 1
     ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  IPMode:
+    Description: Specifies the IP mode for the Autoscale Group and AWS resources.
+    Type: String
+    AllowedValues:
+      - IPv4
+      # - IPv6
+      - DualStack
+    Default: IPv4
   VolumeSize:
     Type: Number
     Default: 200
@@ -483,33 +485,19 @@ Parameters:
     Default: ASG-configuration
     MinLength: 1
     MaxLength: 30
-  ELBType:
-    Type: String
-    Default: none
-    AllowedValues:
-      - none
-      - internal
-      - internet-facing
-  ELBPort:
-    Type: Number
-    Default: 8080
-  ELBClients:
-    Type: String
-    Default: 0.0.0.0/0
-    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
   AutoScaleGroupName:
     Description: The Name of the Auto Scaling Group. (optional)
     Type: String
     Default: ""
     MaxLength: 100
-
 Conditions:
   ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
   ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']]
   EnableCloudWatch: !Equals [!Ref CloudWatch, true]
-  CreateELB: !Not [!Equals [!Ref ELBType, none]]
   EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
   GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+  IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+  IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]
 Resources:
   ChkpGatewayRole:
     Type: AWS::IAM::Role
@@ -553,33 +541,6 @@ Resources:
       Subscription:
         - Endpoint: !Ref AdminEmail
           Protocol: email
-  ElasticLoadBalancer:
-    Type: AWS::ElasticLoadBalancing::LoadBalancer
-    Condition: CreateELB
-    Properties:
-      CrossZone: true
-      Listeners:
-        - LoadBalancerPort: !Ref ELBPort
-          InstancePort: !Ref ELBPort
-          Protocol: TCP
-      HealthCheck:
-        Target: !Join [':', [TCP, !Ref ELBPort]]
-        HealthyThreshold: 3
-        UnhealthyThreshold: 5
-        Interval: 30
-        Timeout: 5
-      Scheme: !Ref ELBType
-      Subnets: !Ref GatewaysSubnets
-      Policies:
-        - PolicyName: EnableProxyProtocol
-          PolicyType: ProxyProtocolPolicyType
-          Attributes:
-            - Name: ProxyProtocol
-              Value: true
-          InstancePorts:
-            - !Ref ELBPort
-      SecurityGroups:
-        - !Ref ELBSecurityGroup
   PermissiveSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
@@ -589,8 +550,16 @@ Resources:
       GroupDescription: Permissive security group.
       VpcId: !Ref VPC
       SecurityGroupIngress:
-        - IpProtocol: -1
-          CidrIp: 0.0.0.0/0
+        - !If
+          - IsIPv4Enabled
+          - IpProtocol: -1
+            CidrIp: 0.0.0.0/0
+          - !Ref "AWS::NoValue"
+        - !If
+          - IsIPv6Enabled
+          - IpProtocol: -1
+            CidrIpv6: ::/0
+          - !Ref "AWS::NoValue"
   GatewayGroup:
     Type: AWS::AutoScaling::AutoScalingGroup
     Properties:
@@ -601,7 +570,6 @@ Resources:
       AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
       MinSize: !Ref GatewaysMinSize
       MaxSize: !Ref GatewaysMaxSize
-      LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue']
       TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue']
       HealthCheckGracePeriod: 3600
       HealthCheckType: ELB
@@ -631,7 +599,8 @@ Resources:
       LaunchTemplateData:
         NetworkInterfaces:
           - DeviceIndex: 0
-            AssociatePublicIpAddress: true
+            AssociatePublicIpAddress: !If [IsIPv4Enabled, true, false]
+            Ipv6AddressCount: !If [IsIPv6Enabled, 1, !Ref "AWS::NoValue"]
             Groups:
               - !Ref PermissiveSecurityGroup
         Monitoring:
@@ -668,7 +637,7 @@ Resources:
               - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
               - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
               - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
-              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260302\" templateName=\"${template_name}\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260310\" templateName=\"${template_name}\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
       VersionDescription: Initial template version
   GatewayScaleUpPolicy:
     Type: AWS::AutoScaling::ScalingPolicy
@@ -716,23 +685,7 @@ Resources:
         - Name: AutoScalingGroupName
           Value: !Ref GatewayGroup
       ComparisonOperator: LessThanThreshold
-  ELBSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Condition: CreateELB
-    Properties:
-      GroupDescription: ELB security group.
-      VpcId: !Ref VPC
-      SecurityGroupIngress:
-        - IpProtocol: tcp
-          CidrIp: !Ref ELBClients
-          FromPort: !Ref ELBPort
-          ToPort: !Ref ELBPort
 Outputs:
-  URL:
-    Description: The URL of the Proxy.
-    Condition: CreateELB
-    Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]]
   SecurityGroup:
     Description: The Security Group of the Auto Scaling group.
     Value: !GetAtt PermissiveSecurityGroup.GroupId
-