Exam 156-561 Topic 2 Question 58 Discussion
Actual exam question for CheckPoint's 156-561 exam
Question #: 58
Topic #: 2
What is an alternative method to double NAT in Azure?
Suggested Answer: B
by blu3b34rd at Nov 19, 2025, 12:17 PM
Comments
blu3b34rd (2025-11-19 12:17:54):
The official Check Point and Microsoft recommended alternative to double NAT is to use User-Defined Routes (UDR):
Route 0.0.0.0/0 (Internet-bound traffic) from spoke/workload subnets → Next Hop = Check Point gateway (or Internal Load Balancer in front of the CloudGuard cluster/scale-set).
The Check Point gateway performs Hide NAT (source NAT) itself using its own public IPs/EIPs on the external interface.
No Azure NAT Gateway or instance-level public IPs are used on the workloads → only one NAT translation occurs (on the Check Point gateway).
This gives full visibility, proper return path symmetry, and stateful firewalling.
Why the other options are wrong
Option A, System Routes: system routes send traffic to the Internet directly (or via NAT Gateway if attached) → causes double NAT or bypasses the gateway entirely.
Option B, Peering: VNet peering only connects VNets; it does not replace NAT or routing for Internet egress.
Option C, Scaling: scaling (horizontal/vertical) has nothing to do with avoiding NAT.
Official references (still valid 2025):
Check Point Azure deployment guides (Transit VNet design)
Microsoft + Check Point joint reference architecture
SK109360, sk173925, and Azure CloudGuard templates all explicitly state: use UDR with 0.0.0.0/0 pointing to CloudGuard as the method to avoid double NAT.
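The egress-path reasoning in this comment (a 0.0.0.0/0 UDR whose next hop is the CloudGuard gateway, and no NAT Gateway or instance public IPs on the workload subnets), written up as an added, offline audit script. This is example code added to the discussion, not Check Point's or Microsoft's tooling and not an Azure SDK call: the subnet and route dictionaries are constructed and only loosely mirror the fields that `az network vnet subnet show` and `az network route-table show` return, and the gateway address 10.0.1.4 and all subnet names are placeholders.

```python
"""Classify how each workload subnet reaches the Internet so that
double-NAT and gateway-bypass configurations are visible before traffic flows.
Added example; the data model is constructed, not a real Azure API."""
import ipaddress

# Next-hop types as they appear in Azure route table definitions.
VIRTUAL_APPLIANCE = "VirtualAppliance"
INTERNET = "Internet"

# Constructed placeholder: internal IP of the CloudGuard gateway (or of the
# Internal Load Balancer in front of the cluster) that the UDR should target.
NVA_NEXT_HOP = "10.0.1.4"


def lookup_route(routes, destination):
    """Longest-prefix match over the subnet's UDR entries. Azure's precedence
    (UDR over BGP over system route) is reduced here to: a matching UDR wins,
    otherwise the system default route 0.0.0.0/0 -> Internet applies."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["addressPrefix"])
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    if best is None:
        return {"addressPrefix": "0.0.0.0/0", "nextHopType": INTERNET, "source": "system"}
    return best


def classify_egress(subnet, nva_ip=NVA_NEXT_HOP):
    """Return (verdict, reason) for the subnet's Internet-bound traffic.
    A public address is used as the probe destination for the route lookup."""
    route = lookup_route(subnet.get("routes", []), "198.51.100.10")
    has_nat_gw = subnet.get("natGateway") is not None
    instance_pips = subnet.get("instancePublicIps", 0)

    if route["nextHopType"] == VIRTUAL_APPLIANCE:
        if route.get("nextHopIpAddress") != nva_ip:
            return ("misrouted",
                    f"0.0.0.0/0 points at {route.get('nextHopIpAddress')}, not the gateway {nva_ip}")
        if has_nat_gw or instance_pips:
            return ("double-nat",
                    "traffic reaches the gateway, but a NAT Gateway or instance public IP "
                    "is also attached to the workload subnet; remove it so only the "
                    "gateway's Hide NAT translates")
        return ("single-nat-via-gateway",
                "0.0.0.0/0 -> VirtualAppliance and no workload-side NAT resources")
    # No matching UDR (system route) or an explicit Internet next hop.
    if has_nat_gw:
        return ("bypasses-gateway", "system route plus NAT Gateway: egress never traverses the firewall")
    return ("bypasses-gateway", "system route to Internet: workloads egress directly")


def audit(subnets, nva_ip=NVA_NEXT_HOP):
    """Map subnet name -> (verdict, reason) for a list of subnet records."""
    return {s["name"]: classify_egress(s, nva_ip) for s in subnets}


# Constructed sample subnets (placeholder names and addresses), one per outcome.
UDR_TO_GATEWAY = {"addressPrefix": "0.0.0.0/0", "nextHopType": VIRTUAL_APPLIANCE,
                  "nextHopIpAddress": NVA_NEXT_HOP}
WORKLOAD_OK = {"name": "spoke-app", "addressPrefix": "10.10.1.0/24",
               "routes": [UDR_TO_GATEWAY], "natGateway": None, "instancePublicIps": 0}
WORKLOAD_UDR_PLUS_NATGW = {"name": "spoke-db", "addressPrefix": "10.10.2.0/24",
                           "routes": [UDR_TO_GATEWAY], "natGateway": "natgw-spoke",
                           "instancePublicIps": 0}
WORKLOAD_SYSTEM_ROUTE = {"name": "spoke-legacy", "addressPrefix": "10.10.3.0/24",
                         "routes": [], "natGateway": None, "instancePublicIps": 2}
WORKLOAD_WRONG_NVA = {"name": "spoke-test", "addressPrefix": "10.10.4.0/24",
                      "routes": [{"addressPrefix": "0.0.0.0/0", "nextHopType": VIRTUAL_APPLIANCE,
                                  "nextHopIpAddress": "10.0.9.9"}],
                      "natGateway": None, "instancePublicIps": 0}
SAMPLE_SUBNETS = [WORKLOAD_OK, WORKLOAD_UDR_PLUS_NATGW, WORKLOAD_SYSTEM_ROUTE, WORKLOAD_WRONG_NVA]

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_SUBNETS).items():
        print(f"{name:<14} {verdict:<24} {reason}")
```

Only `spoke-app` comes out as `single-nat-via-gateway`; the other three records show the failure modes the comment describes (a NAT Gateway left on a subnet that already routes through the gateway, a subnet still on the system route, and a UDR aimed at the wrong next hop). In a real review the records would be populated from the route tables and subnet associations exported from the subscription rather than from the constructed samples.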