This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in Microsoft Azure. These modules automate the creation of Virtual Networks, Security Gateways, High-Availability architectures, and more, enabling secure and scalable cloud deployments.
Submodules: Contains modular, reusable, production-grade Terraform components, each with its own documentation.
Examples: Demonstrates how to use the modules.
Submodules:
- high-availability - Deploys CloudGuard High Availability solution.
- management - Deploys CloudGuard Management solution.
- mds - Deploys CloudGuard Multi-Domain Security Management solution.
- nva - Deploys CloudGuard Virtual WAN NVA solution.
- single-gateway - Deploys CloudGuard Single Gateway solution.
- vmss - Deploys CloudGuard VMSS solution.
Internal Submodules:
- common - Contains shared configurations and reusable components for all modules.
- custom-image - Manages custom image configurations.
- network-security-group - Manages Network Security Groups (NSGs) with CloudGuard-specific rules.
- storage-account - Manages storage account configurations.
- vnet - Simplifies Virtual Network and subnet configurations.
- vwan - Manages Virtual WAN configurations.
Some modules in this repository ship with default security rules that allow all inbound traffic. These defaults exist for ease of initial deployment and are not intended for production use without further customization. Replace them with explicit security rules that permit only the sources, protocols and ports your deployment actually needs. Keep in mind how Azure evaluates NSG rules: rules are processed in ascending priority order (a lower number takes precedence), so a restrictive rule only has effect if no broader Allow rule sits at a lower priority number, and Azure's built-in DenyAllInBound rule (priority 65500) is applied after every custom rule, so once the allow-all rule is gone, anything you do not explicitly allow is denied.
Example: To restrict inbound traffic to SSH from a management range only, set the security_rules attribute in the submodule configuration (the attribute names follow the module's own security_rules schema):
```hcl
security_rules = [
  {
    name                       = "AllowSSH"
    priority                   = "100"
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_ranges         = "*"
    destination_port_ranges    = "22"
    description                = "Allow SSH inbound connections"
    source_address_prefix      = "10.0.0.0/8"
    destination_address_prefix = "*"
  }
]
```
Check Point Recommendation: Always follow the principle of least privilege when configuring security rules to reduce exposure to threats.
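A check worth running between terraform plan and terraform apply, added here as an example and not code from this repository: the script below reads the JSON form of a saved plan (`terraform plan -out=tfplan && terraform show -json tfplan > plan.json`) and flags every NSG rule that would allow all ports from any Internet source, whether it is a standalone azurerm_network_security_rule resource or an inline security_rule block on an azurerm_network_security_group. It inspects both the singular and plural azurerm attribute forms and ignores deletions. The embedded SAMPLE_PLAN is a constructed stand-in for terraform show -json output; its resource addresses and rule names are illustrative and do not correspond to resources in these modules.

```python
"""Flag NSG rules in a Terraform plan that allow all inbound traffic.

Usage:
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    python check_nsg_plan.py plan.json

Exits 1 when at least one allow-all inbound rule would be created or kept.
"""
import json
import sys

# Source prefixes that mean "any host on the Internet": the wildcard, the
# Internet service tag, and the equivalent IPv4/IPv6 catch-all CIDRs.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}
# Destination port specifications that cover every port.
ANY_PORT = {"*", "0-65535"}


def _as_list(value):
    """Normalise a plan attribute (scalar, list or null) to a list of strings."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def is_allow_all_inbound(rule):
    """True when an NSG rule admits every destination port from any Internet source.

    Both the singular (source_address_prefix, destination_port_range) and plural
    (source_address_prefixes, destination_port_ranges) azurerm attributes are
    checked, because a plan carries whichever form the configuration used.
    """
    if str(rule.get("direction", "")).lower() != "inbound":
        return False
    if str(rule.get("access", "")).lower() != "allow":
        return False
    sources = _as_list(rule.get("source_address_prefix")) + _as_list(rule.get("source_address_prefixes"))
    ports = _as_list(rule.get("destination_port_range")) + _as_list(rule.get("destination_port_ranges"))
    any_source = any(s.lower() in ANY_SOURCE for s in sources)
    any_port = any(p in ANY_PORT for p in ports)
    return any_source and any_port


def find_allow_all_rules(plan):
    """Return (resource address, rule name) for each allow-all inbound rule in the plan.

    Rules appear either as standalone azurerm_network_security_rule resources or as
    inline security_rule blocks on an azurerm_network_security_group. Deletions
    (change.after is null) are skipped because the rule will no longer exist.
    """
    findings = []
    for change in plan.get("resource_changes", []):
        after = (change.get("change") or {}).get("after")
        if not after:
            continue
        if change.get("type") == "azurerm_network_security_rule":
            if is_allow_all_inbound(after):
                findings.append((change["address"], after.get("name")))
        elif change.get("type") == "azurerm_network_security_group":
            for rule in after.get("security_rule") or []:
                if is_allow_all_inbound(rule):
                    findings.append((change["address"], rule.get("name")))
    return findings


def _rule(name, priority, direction, access, src, dst_port, **extra):
    """Build a rule object in the shape azurerm emits in plan JSON (test data helper)."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": "*", "source_port_range": "*", "destination_address_prefix": "*",
            "source_address_prefix": src, "destination_port_range": dst_port, **extra}


# Constructed stand-in for `terraform show -json tfplan`; addresses are hypothetical.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.gw.azurerm_network_security_rule.default",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["create"],
                    "after": _rule("AllowAllInbound", 100, "Inbound", "Allow", "*", "*")}},
        {"address": "module.gw.azurerm_network_security_rule.ssh",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["create"],
                    "after": _rule("AllowSSH", 110, "Inbound", "Allow", "10.0.0.0/8", "22", protocol="Tcp")}},
        {"address": "module.gw.azurerm_network_security_group.nsg",
         "type": "azurerm_network_security_group",
         "change": {"actions": ["update"], "after": {"name": "gw-nsg", "security_rule": [
             _rule("AllowInternetAnyPort", 200, "Inbound", "Allow", "Internet", None,
                   destination_port_ranges=["0-65535"]),
             _rule("AllowAllOutbound", 300, "Outbound", "Allow", "*", "*")]}}},
        {"address": "module.gw.azurerm_network_security_rule.legacy",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


def main(argv):
    """Load the plan JSON named on the command line and report allow-all inbound rules."""
    if len(argv) < 2:
        print(__doc__)
        return 2
    with open(argv[1]) as fh:
        plan = json.load(fh)
    findings = find_allow_all_rules(plan)
    for address, name in findings:
        print(f"allow-all inbound rule: {address} ({name})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On SAMPLE_PLAN the script reports AllowAllInbound and AllowInternetAnyPort and leaves AllowSSH and the outbound rule alone; wire the non-zero exit status into your pipeline so an apply cannot proceed while a default allow-all rule is still present.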
Prerequisites:
- Terraform version 1.9 or higher
- Azure Service Principal with the required permissions (see Required Permissions below)
Create a main.tf file with the required module and the mandatory authentication variables. Replace {module_name} with one of the submodule names listed above (for example single-gateway):
```hcl
provider "azurerm" {
  features {}
}

module "example_module" {
  source  = "CheckPointSW/cloudguard-network-security/azure//modules/{module_name}"
  version = "~> 1.0"

  # Authentication Variables (Required)
  client_secret   = "<your-client-secret>"
  client_id       = "<your-client-id>"
  tenant_id       = "<your-tenant-id>"
  subscription_id = "<your-subscription-id>"

  # Add additional module-specific variables here
}
```
Important: All four authentication variables (client_secret, client_id, tenant_id, subscription_id) are mandatory for all modules. Do not commit a real client_secret in main.tf: declare it as an input variable marked sensitive = true and supply the value at run time, for example through the TF_VAR_client_secret environment variable, a -var-file kept out of version control, or a secrets manager. A saved plan file still carries the value, so treat plan files as secrets too.
Run the following Terraform commands to deploy your resources. Saving the plan and applying that file ensures that what is applied is exactly what was reviewed:
```shell
# Initialize Terraform and download providers
terraform init
# Preview the changes and save the plan
terraform plan -out=tfplan
# Apply the saved plan
terraform apply tfplan
```
Required Permissions:
The Azure Service Principal used for authentication must have the following permissions:
- Contributor role - for creating and managing Azure resources
- User Access Administrator role - for role assignments (required for VMSS deployments)
- For additional roles and permissions, see Azure Built-in Roles
For detailed information on creating a Service Principal and assigning roles, refer to:
- Azure Service Principal Documentation
- Azure RBAC Role Assignments
- Terraform Azure Provider Authentication