diff --git a/china/aws/images/launch.png b/china/aws/images/launch.png
new file mode 100755
index 00000000..b16d779c
Binary files /dev/null and b/china/aws/images/launch.png differ
diff --git a/china/aws/images/step1_aws.png b/china/aws/images/step1_aws.png
new file mode 100755
index 00000000..a626c705
Binary files /dev/null and b/china/aws/images/step1_aws.png differ
diff --git a/china/aws/images/step2_aws.png b/china/aws/images/step2_aws.png
new file mode 100755
index 00000000..aeebc82a
Binary files /dev/null and b/china/aws/images/step2_aws.png differ
diff --git a/china/aws/templates/README.md b/china/aws/templates/README.md
new file mode 100644
index 00000000..ca3d533b
--- /dev/null
+++ b/china/aws/templates/README.md
@@ -0,0 +1,454 @@
+<h1 class="css-245gzq">中国AWS云的CloudGuard CloudFormation集群部署模板</h1></a>&nbsp;</strong></p>
+<p>The table below lists CloudFormation templates provided and maintained by Check Point that simplify the deployment of Check Point security solutions in AWS.</p>
+<p>You can use these templates as-is or as building blocks for customizing your own templates.</p>
+<p><strong>Notes:</strong></p>
+<ul>
+<li>
+<p>You must accept the Software Terms of the relevant Check Point Product AMI in the <a href="https://awsmarketplace.amazonaws.cn/marketplace/">AWS Marketplace</a> at least once prior to launching the CloudFormation templates. It is not required to actually launch the instance from the Marketplace, but the agreement must be accepted from this location.</p>
+<p>此模板中的镜像使用“西云数据”发布的最新版本镜像文件，使用此模板前请先在AWS中国镜像市场订阅相关镜像，使用西云数据镜像部署的产品需要联系Check Point与AWS的销售已得到正确的许可证</p>
+</li>
+<li>
+<p>国际版AWS使用的CloudFormation Templates请直接访问Check Point官网SK111013 <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111013&partition=Basic&product=CloudGuard">Check Point SK111013</a>
+</p>
+</li>
+<li>
+<p>For R81.20 and higher versions, Gateway Load Balancer (GWLB) and Gateway images are unified. They use <strong>the same</strong> Product AMI in the AWS Marketplace.</p>
+</li>
+<li>Some stacks may "roll back" automatically after 1 hour, with an error "<em>WaitCondition timed out</em>". If this happens, please check Internet access is working, either through AWS (Internet Gateway (IGW) assigned to the VPC, routetables with a default route and assigned to the relevant subnet(s), and Elastic IP (EIP) assigned, etc), or through another method like external proxy, or route to on-prem, for example.&nbsp;<br><br>&nbsp;</li>
+</ul>
+<p><strong>Table of Contents</strong></p>
+<!-- TOC-start -->
+<ul type="disc">
+<li>
+<div class="checkpoint_navigate" targetid="Auto Scaling Group">Security Gateways Auto Scaling Group for Gateway Load Balancer (GWLB)</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Security Gateway">Security Gateway</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Security Cluster">Single Availability Zone Cluster</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Security Gateway Auto Scaling">Security Gateways Auto Scaling Group</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Transit Gateway Auto Scaling Group">Security Gateways Auto Scaling Group for Transit Gateway</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Cross Availability Zone Cluster">Cross Availability Zone Cluster</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Transit Gateway Cross Availability Zone Cluster">Cross Availability Zone Cluster for Transit Gateway</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Security Management Server">Security Management Server</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Multi-Domain Management Server">Multi-Domain Management Server</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="Standalone Deployment">Security Management Server &amp; Security Gateway (Standalone Deployment)</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="CloudGuard Infinity Next Gateway">CloudGuard AppSec （Not in China AWS）&nbsp;</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="CloudGuard Infinity Next Gateway Auto Scaling Group">CloudGuard AppSec Auto Scaling Group （Not in China AWS）</div>
+</li>
+<li>
+<div class="checkpoint_navigate" targetid="General">General</div>
+</li>
+</ul>
+<!-- TOC-end -->
+<h3 id="Auto Scaling Group"><br>Security Gateways Auto Scaling Group for Gateway Load Balancer (GWLB)</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 35%;" rowspan="2">Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.<br><br>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Default.htm">CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide</a></td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.20<br>R82</td>
+<td style="text-align: center; width: 10%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/gwlb-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt="" width="144" height="27"></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 10%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/gwlb" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt="" width="144" height="27"></a></td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 35%;" rowspan="2">Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.<br><br>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Default.htm">CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide</a></td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.20<br>R82</td>
+<td style="text-align: center; width: 10%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-gwlb-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt="" width="144" height="27"></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 10%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-gwlb" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" width="16" height="16"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt="" width="144" height="27"></a></td>
+</tr>
+</tbody>
+</table></div>
+<h3 id="Security Gateway"><br><br>Security Gateway</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">Deploys and configures a Security Gateway.<br><br>To deploy the Security Gateway so that it will be automatically provisioned, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131434" target="_blank" rel="noopener">sk131434</a>.</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Security Gateway into it.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.20<br>R81.10<br>R82</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/gateway-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway-master.yaml&amp;stackName=Check-Point-Gateway" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Security Gateway into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/gateway" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway.yaml&amp;stackName=Check-Point-Gateway" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p>&nbsp;</p>
+<h3 id="Security Cluster">Single Availability Zone Cluster</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template&nbsp; Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">Deploys and configures two Security Gateways as a Cluster.<br><br>For more details, refer to the <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Cluster_DeploymentGuide/Default.htm" target="_blank" rel="noopener">CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide</a>.</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Cluster into it.</td>
+<td style="text-align: center;" rowspan="2">R81.20<br>R81.10<br>R82</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cluster-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster-master.yaml&amp;stackName=Check-Point-Cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Cluster into an <strong>existing VPC</strong>.</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster.yaml&amp;stackName=Check-Point-Cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p>&nbsp;</p>
+<h3 id="Security Gateway Auto Scaling">Security Gateways Auto Scaling Group</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td style="width: 35%;">Deploys and configures the Security Gateways as an AWS Auto Scaling group.<br><br>For more details, refer to the <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Default.htm" target="_blank" rel="noopener">CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide.</a></td>
+<td style="width: 25%;">Deploys an Auto Scaling group of Security Gateways into an <strong>existing VPC</strong>.</td>
+<td style="width: 6%; text-align: center;">R81.20<br>R81.10<br>R82</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/autoscale" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/autoscale.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/autoscale.yaml&amp;stackName=Check-Point-Security-Gateway-AutoScaling" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p>&nbsp;</p>
+<h3 id="Transit Gateway Auto Scaling Group">Security Gateways Auto Scaling Group for Transit Gateway</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.<br><br>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Default.htm" target="_blank" rel="noopener">AWS Transit Gateway R80.10 and above Deployment Guide</a>.</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.</td>
+<td style="width: 6%; text-align: center;" rowspan="2">R81.20<br>R81.10<br>R82</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-asg-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg-master.yaml&amp;stackName=Check-Point-TGW-AutoScaling" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an <strong>existing VPC</strong>, and an optional, preconfigured Security Management Server to manage them.</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-asg" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg.yaml&amp;stackName=Check-Point-TGW-AutoScaling" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p></p>
+<h3 id="Cross Availability Zone Cluster"><br>Cross Availability Zone Cluster</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td style="width: 35%;" rowspan="2">
+<p>Deploys two Security Gateways, each in a different Availability Zone.<br><br>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm" target="_blank" rel="noopener">Cross Availability Zone Cluster for AWS R81.20 Administration Guide</a></p>
+</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Cross Availability Zone Cluster of Security Gateways into it.</td>
+<td style="width: 6%; text-align: center;" rowspan="2">R81.20<br>R82</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cross-az-cluster-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster-master.yaml&amp;stackName=Check-Point-XAZ-Cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 25%;">Deploys a Cross Availability Zone Cluster of Security Gateways into an <strong>existing VPC</strong>.</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cross-az-cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml&amp;stackName=Check-Point-XAZ-cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 35%;" rowspan="2">
+<p>Deploys two Security Gateways, each in a different Availability Zone.<br><br>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Transit_Gateway_High_Availability/Default.htm">CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide</a></p>
+</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Cross Availability Zone Cluster of Security Gateways into it.</td>
+<td style="width: 6%; text-align: center;" rowspan="2">R81.10<br>R81<br>R80.40</td>
+<td style="width: 6%; text-align: center;" rowspan="2"></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster-master.yaml&amp;stackName=Check-Point-geo-cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 25%;">Deploys a Cross Availability Zone Cluster of Security Gateways into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml&amp;stackName=Check-Point-geo-cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p></p>
+<h3 id="Transit Gateway Cross Availability Zone Cluster"><br>Cross Availability Zone Cluster for Transit Gateway</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">
+<p>Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.</p>
+<p>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm" target="_blank" rel="noopener">Cross Availability Zone Cluster for AWS R81.20 Administration Guide</a></p>
+</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.20<br>R82</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-cross-az-cluster-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster-master.yaml&amp;stackName=Check-Point-TGW-XAZ-Cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an <strong>existing VPC</strong>.</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/tgw-cross-az-cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster.yaml&amp;stackName=Check-Point-TGW-XAZ-Cluster" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">
+<p>Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.</p>
+<p>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Transit_Gateway_High_Availability/Default.htm">CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide</a></p>
+</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.10<br>R81<br>R80.40</td>
+<td style="text-align: center; width: 6%;" rowspan="2"></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha-master.yaml&amp;stackName=Check-Point-TGW-HA" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha.yaml&amp;stackName=Check-Point-TGW-HA" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p></p>
+<h3 id="Security Management Server"><br>Security Management Server</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template&nbsp; Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td style="width: 35%;">Deploys and configures a Security Management Server.<br><br>For more details, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk130372" target="_blank" rel="noopener">sk130372</a>.</td>
+<td style="width: 25%;">Deploys a Security Management Server into an <strong>existing VPC</strong>.</td>
+<td style="width: 6%; text-align: center;">R81.20<br>R81.10<br>R82</td>
+<td style="width: 6%; text-align: center;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/management" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/management.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/management.yaml&amp;stackName=Check-Point-Management" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p>&nbsp;</p>
+<h3 id="Multi-Domain Management Server">Multi-Domain Management Server</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template&nbsp; Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td style="width: 35%;">Deploys and configures&nbsp;a Multi-Domain Security Management Server.
+<p>For more details, refer to <a href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk143213" target="_blank" rel="noopener">sk143213</a>.</p>
+</td>
+<td style="width: 25%;">Deploys a Multi-Domain Security Management Server into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 6%;">R81.20<br>R81.10<br>R82</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/mds" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/mds.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/mds.yaml&amp;stackName=Check-Point-MDS" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p></p>
+<h3 id="Standalone Deployment"><br>Security Management Server &amp; Security Gateway (Standalone Deployment)</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 35%;">Description</td>
+<td style="width: 25%;">Notes</td>
+<td style="width: 6%;">Version</td>
+<td style="width: 6%;">Terraform Template</td>
+<td style="width: 10%;">CloudFormation Template&nbsp; Download</td>
+<td style="width: 18%;">Direct Launch</td>
+</tr>
+<tr>
+<td rowspan="2" style="width: 35%;">
+<p>Deploys and configures Standalone or a manually configurable instance.</p>
+</td>
+<td style="width: 25%;">Creates a <strong>new VPC</strong> and deploys a Standalone or a manually configurable instance into it.</td>
+<td style="text-align: center; width: 6%;" rowspan="2">R81.20<br>R81.10<br>R82</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/standalone-master" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone-master.yaml&amp;stackName=Check-Point-Standalone" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 25%;">Deploys a Standalone or a manually configurable instance into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 6%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/standalone" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 10%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 18%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone.yaml&amp;stackName=Check-Point-Standalone" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p></p>
+<h3 id="CloudGuard Infinity Next Gateway"><br>CloudGuard AppSec （Not in China AWS）不支持中国AWS请勿使用</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 25.0235%;" width="N">Description</td>
+<td style="width: 28.3824%;">Notes</td>
+<td style="width: 11.5422%;" width="75">CloudFormation Template&nbsp; Download</td>
+<td style="width: 22.9196%;" width="160">Direct Launch</td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 25.0235%;" rowspan="2">Deploys and configures a CloudGuard Infinity Next Gateway</td>
+<td style="vertical-align: top; width: 28.3824%;">Creates a <strong>new VPC</strong> and deploys a CloudGuard Infinity Next Gateway into it.</td>
+<td style="text-align: center; width: 11.5422%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-gateway-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 22.9196%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-gateway-master.yaml&amp;stackName=Check-Point-Infinity-Next-Gateway" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 28.3824%;">Deploys a CloudGuard Infinity Next Gateway into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 11.5422%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-gateway.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 22.9196%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-gateway.yaml&amp;stackName=Check-Point-Infinity-Next-Gateway" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<h3 id="CloudGuard Infinity Next Gateway Auto Scaling Group"><br>CloudGuard AppSec Auto Scaling Group （Not in China AWS）不支持中国AWS请勿使用</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed; width: 100%;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 25.0235%;" width="N">Description</td>
+<td style="width: 28.3824%;">Notes</td>
+<td style="width: 11.5422%;" width="75">CloudFormation Template&nbsp; Download</td>
+<td style="width: 22.9196%;" width="160">Direct Launch</td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 25.0235%;" rowspan="2">Deploys and configures a CloudGuard Infinity Next Gateway as an AWS Auto Scaling Group</td>
+<td style="vertical-align: top; width: 28.3824%;">Creates a <strong>new VPC </strong>and deploys the Auto Scaling Group into it.</td>
+<td style="text-align: center; width: 11.5422%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-autoscale-master.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 22.9196%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/quickcreate?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-autoscale-master.yaml&amp;stackName=Check-Point-Infinity-Next-Gateway-Asg" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 28.3824%;">Deploys the Auto Scaling Group into an <strong>existing VPC</strong>.</td>
+<td style="text-align: center; width: 11.5422%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-autoscale.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 22.9196%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/quickcreate?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/waap/waap-autoscale.yaml&amp;stackName=Check-Point-Infinity-Next-Gateway-Asg" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<h3 id="General"><br>General</h3>
+<div class="table-wrapper"><table class="footnote" style="table-layout: fixed;" width="100%" cellspacing="2" cellpadding="4" border="1">
+<tbody>
+<tr class="SubTitle" style="text-align: center;" bgcolor="#d6dff0">
+<td style="width: 50.0317%;" width="N">Description</td>
+<td style="width: 20.43697%;" width="75">CloudFormation Template&nbsp; Download</td>
+<td style="width: 17%;">Terraform Template</td>
+<td style="width: 23.0752%;" width="160">Direct Launch</td>
+</tr>
+<tr>
+<td style="vertical-align: top; width: 60.0317%;"><strong>Create an Instance profile for Security Management Server</strong><br>
+<p>Creates an Instance profile in your account preconfigured with permissions to manage resources.</p>
+<p>For more details, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122074" target="_blank" rel="noopener">sk122074</a>.</p>
+</td>
+<td style="text-align: center; width: 7.43697%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 3.31933%;"><a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cme-iam-role" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" style="display: block; margin-left: auto; margin-right: auto;" border="0"></a></td>
+<td style="text-align: center; width: 23.0752%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml&amp;stackName=Check-Point-IAM-Role" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+<tr>
+<td style="width: 60.0317%;"><span><strong>Current Check Point AMIs</strong></span>
+<p>A helper template that returns the latest Check Point AMIs in a given region.</p>
+</td>
+<td style="text-align: center; width: 7.43697%;"><a href="https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/images/download-m.png" alt="" border="0"></a></td>
+<td style="text-align: center; width: 3.31933%;"></td>
+<td style="text-align: center; width: 23.0752%;"><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml&amp;stackName=Check-Point-AMIs" target="_blank" rel="noopener"><img src="https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1460631718185/launch1604140412.png" alt=""></a></td>
+</tr>
+</tbody>
+</table></div>
+<p>CloudFormation templates for previous versions can be found in the <a href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/deprecated/aws/templates" target="_blank" rel="noopener">CloudGuard Network Security GitHub repository</a>.</p>
+<p><strong>Notes:</strong></p>
+<ul>
+<li>CloudFormation Templates are often called CFT by customers and partners.<br><br></li>
+<li>Check Point Recommended version for all deployments is <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk170416#Installation" target="_blank" rel="noopener">R81.10 Take 335</a> with its Recommended <a href="https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/Default.htm" target="_blank" rel="noopener">Jumbo Hotfix Accumulator</a> Take. R81.10 is initially recommended for customers who are interested in implementing the new features described at the formal announcement.</li>
diff --git a/china/aws/templates/asg/README.md b/china/aws/templates/asg/README.md
new file mode 100644
index 00000000..fa77f06f
--- /dev/null
+++ b/china/aws/templates/asg/README.md
@@ -0,0 +1,22 @@
+
+## Security Gateway Auto Scaling
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td width="40%">
+           Deploys and configures the Security Gateways as an AWS Auto Scaling group. <br/><br/> For more details, refer to the <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Default.htm" >CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide </a>. 
+            </td>
+            <td width="40%">Deploys an Auto Scaling group of Security Gateways into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/autoscale.yaml&stackName=Check-Point-Security-Gateway-AutoScaling"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
\ No newline at end of file
diff --git a/china/aws/templates/asg/autoscale-master.yaml b/china/aws/templates/asg/autoscale-master.yaml
new file mode 100755
index 00000000..7f31be26
--- /dev/null
+++ b/china/aws/templates/asg/autoscale-master.yaml
@@ -0,0 +1,735 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Create an Auto Scaling group of Check Point gateways into a new VPC (20250617)
+  See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+          - PrivateSubnet3CIDR
+          - PrivateSubnet4CIDR
+      - Label:
+          default: EC2 Instances Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - VolumeSize
+          - VolumeType
+          - EnableVolumeEncryption
+          - EnableInstanceConnect
+          - MetaDataToken
+      - Label:
+          default: Auto Scaling Configuration
+        Parameters:
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - AdminEmail
+          - GatewaysTargetGroups
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+      - Label:
+          default: Proxy Configuration (optional)
+        Parameters:
+          - ELBType
+          - ELBPort
+          - ELBClients
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of AZs
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public Subnet 1
+      PublicSubnet2CIDR:
+        default: Public Subnet 2
+      PublicSubnet3CIDR:
+        default: Public Subnet 3
+      PublicSubnet4CIDR:
+        default: Public Subnet 4
+      PrivateSubnet1CIDR:
+        default: Private Subnet 1
+      PrivateSubnet2CIDR:
+        default: Private Subnet 2
+      PrivateSubnet3CIDR:
+        default: Private Subnet 3
+      PrivateSubnet4CIDR:
+        default: Private Subnet 4
+      GatewayName:
+        default: Gateways name
+      GatewayInstanceType:
+        default: Gateways instance type
+      KeyName:
+        default: Key name
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableVolumeEncryption:
+        default: Enable volume encryption
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewaysMinSize:
+        default: Minimum Gateway group size
+      GatewaysMaxSize:
+        default: Maximum Gateway group size
+      AdminEmail:
+        default: Email address
+      GatewaysTargetGroups:
+        default: Gateways target groups
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      ELBType:
+        default: Proxy type
+      ELBPort:
+        default: Proxy port
+      ELBClients:
+        default: Allowed proxy clients
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  AvailabilityZones:
+    Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two.
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    AllowedPattern: '.+'
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    AllowedValues:
+      - 2
+      - 3
+      - 4
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for public subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for public subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet1CIDR:
+    Description: CIDR block for private subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: CIDR block for private subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet3CIDR:
+    Description: CIDR block for private subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.31.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet4CIDR:
+    Description: CIDR block for private subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.41.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.large
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableVolumeEncryption:
+    Description: Encrypt Auto Scaling instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewaysMinSize:
+    Description: The minimal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+    ConstraintDescription: Must be a valid email address.
+  GatewaysTargetGroups:
+    Description: A list of Target Groups to associate with the Auto Scaling.
+      group (comma separated list of ARNs, without spaces) (optional)
+    Type: String
+    Default: ''
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+      to get the PASSWORD's hash) (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections.
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+      Improve product experience by sending data to Check Point
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  ELBType:
+    Type: String
+    Default: none
+    AllowedValues:
+      - none
+      - internal
+      - internet-facing
+  ELBPort:
+    Type: Number
+    Default: 8080
+  ELBClients:
+    Type: String
+    Default: 0.0.0.0/0
+    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
+  ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']]
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  CreateELB: !Not [!Equals [!Ref ELBType, none]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+  4AZs: !Equals [ !Ref NumberOfAZs, 4 ]
+  3AZs: !Or [ !Equals [ !Ref NumberOfAZs, 3 ], !Condition 4AZs ]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ]
+        NumberOfAZs: !Ref NumberOfAZs
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+        PrivateSubnet3CIDR: !Ref PrivateSubnet3CIDR
+        PrivateSubnet4CIDR: !Ref PrivateSubnet4CIDR
+  ChkpGatewayRole:
+    Type: AWS::IAM::Role
+    Condition: EnableCloudWatch
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com.cn
+            Action:
+              - sts:AssumeRole
+      Path: /
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: ChkpGatewayPolicy
+        PolicyRole: !Ref ChkpGatewayRole
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: EnableCloudWatch
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ChkpGatewayRole
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion, GW]]
+  NotificationTopic:
+    Type: AWS::SNS::Topic
+    Condition: ProvidedAdminEmail
+    Properties:
+      Subscription:
+        - Endpoint: !Ref AdminEmail
+          Protocol: email
+  ElasticLoadBalancer:
+    Type: AWS::ElasticLoadBalancing::LoadBalancer
+    Condition: CreateELB
+    Properties:
+      CrossZone: true
+      Listeners:
+        - LoadBalancerPort: !Ref ELBPort
+          InstancePort: !Ref ELBPort
+          Protocol: TCP
+      HealthCheck:
+        Target: !Join [':', [TCP, !Ref ELBPort]]
+        HealthyThreshold: 3
+        UnhealthyThreshold: 5
+        Interval: 30
+        Timeout: 5
+      Scheme: !Ref ELBType
+      Subnets:
+        - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+        - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+      Policies:
+        - PolicyName: EnableProxyProtocol
+          PolicyType: ProxyProtocolPolicyType
+          Attributes:
+            - Name: ProxyProtocol
+              Value: true
+          InstancePorts:
+            - !Ref ELBPort
+      SecurityGroups:
+        - !Ref ELBSecurityGroup
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]]
+      GroupDescription: Permissive security group.
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+  GatewayGroup:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    DependsOn: GatewayLaunchTemplate
+    Properties:
+      VPCZoneIdentifier:
+        - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+        - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+      LaunchTemplate:
+        LaunchTemplateId: !Ref GatewayLaunchTemplate
+        Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+      AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+      MinSize: !Ref GatewaysMinSize
+      MaxSize: !Ref GatewaysMaxSize
+      LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue']
+      TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue']
+      HealthCheckType: ELB
+      HealthCheckGracePeriod: 3600
+      NotificationConfiguration: !If
+        - ProvidedAdminEmail
+        - TopicARN: !Ref NotificationTopic
+          NotificationTypes:
+            - autoscaling:EC2_INSTANCE_LAUNCH
+            - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
+            - autoscaling:EC2_INSTANCE_TERMINATE
+            - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
+        - !Ref 'AWS::NoValue'
+      Tags:
+        - Key: Name
+          Value: !Ref GatewayName
+          PropagateAtLaunch: true
+        - Key: x-chkp-tags
+          Value: !Join
+            - ':'
+            - - !Join ['=', [management, !Ref ManagementServer]]
+              - !Join ['=', [template, !Ref ConfigurationTemplate]]
+              - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]]
+          PropagateAtLaunch: true
+  GatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            AssociatePublicIpAddress: true
+            Groups:
+              - !Ref PermissiveSecurityGroup
+        Monitoring:
+          Enabled: true
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+           HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !Ref EnableVolumeEncryption
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}'
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  GatewayScaleUpPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: 1
+  GatewayScaleDownPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: -1
+  CPUAlarmHigh:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-up if CPU > 80% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 80
+      AlarmActions:
+        - !Ref GatewayScaleUpPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: GreaterThanThreshold
+  CPUAlarmLow:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-down if CPU < 60% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 60
+      AlarmActions:
+        - !Ref GatewayScaleDownPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: LessThanThreshold
+  ELBSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Condition: CreateELB
+    Properties:
+      GroupDescription: ELB security group.
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          CidrIp: !Ref ELBClients
+          FromPort: !Ref ELBPort
+          ToPort: !Ref ELBPort
+Outputs:
+  URL:
+    Description: The URL of the Proxy.
+    Condition: CreateELB
+    Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]]
+  SecurityGroup:
+    Description: The Security Group of the Auto Scaling group.
+    Value: !GetAtt PermissiveSecurityGroup.GroupId
\ No newline at end of file
diff --git a/china/aws/templates/asg/autoscale.yaml b/china/aws/templates/asg/autoscale.yaml
new file mode 100644
index 00000000..951eae08
--- /dev/null
+++ b/china/aws/templates/asg/autoscale.yaml
@@ -0,0 +1,626 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Create an Auto Scaling group of Check Point gateways into an existing VPC (20250617). 
+  See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - GatewaysSubnets
+      - Label:
+          default: EC2 Instances Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - VolumeSize
+          - VolumeType
+          - EnableVolumeEncryption
+          - EnableInstanceConnect
+          - MetaDataToken
+      - Label:
+          default: Auto Scaling Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - AdminEmail
+          - GatewaysTargetGroups
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+      - Label:
+          default: Proxy Configuration (optional)
+        Parameters:
+          - ELBType
+          - ELBPort
+          - ELBClients
+    ParameterLabels:
+      VPC:
+        default: VPC
+      GatewaysSubnets:
+        default: Gateways subnets
+      GatewayName:
+        default: Gateways name
+      GatewayInstanceType:
+        default: Gateways instance type
+      KeyName:
+        default: Key name
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableVolumeEncryption:
+        default: Enable volume encryption
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewaysMinSize:
+        default: Minimum Gateway group size
+      GatewaysMaxSize:
+        default: Maximum Gateway group size
+      AdminEmail:
+        default: Email address
+      GatewaysTargetGroups:
+        default: Gateways target groups
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      ELBType:
+        default: Proxy type
+      ELBPort:
+        default: Proxy port
+      ELBClients:
+        default: Allowed proxy clients
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  GatewaysSubnets:
+    Description: Select at least 2 public subnets in the VPC.
+    Type: List<AWS::EC2::Subnet::Id>
+    MinLength: 2
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.large
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableVolumeEncryption:
+    Description: Encrypt Auto Scaling instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewaysMinSize:
+    Description: The minimal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+    ConstraintDescription: Must be a valid email address.
+  GatewaysTargetGroups:
+    Description: A list of Target Groups to associate with the Auto Scaling.
+      group (comma separated list of ARNs, without spaces) (optional)
+    Type: String
+    Default: ''
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+      to get the PASSWORD's hash) (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections.
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+      Improve product experience by sending data to Check Point
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  ELBType:
+    Type: String
+    Default: none
+    AllowedValues:
+      - none
+      - internal
+      - internet-facing
+  ELBPort:
+    Type: Number
+    Default: 8080
+  ELBClients:
+    Type: String
+    Default: 0.0.0.0/0
+    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+
+Conditions:
+  ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
+  ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']]
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  CreateELB: !Not [!Equals [!Ref ELBType, none]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  ChkpGatewayRole:
+    Type: AWS::IAM::Role
+    Condition: EnableCloudWatch
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com.cn
+            Action:
+              - sts:AssumeRole
+      Path: /
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: ChkpGatewayPolicy
+        PolicyRole: !Ref ChkpGatewayRole
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: EnableCloudWatch
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ChkpGatewayRole
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion, GW]]
+  NotificationTopic:
+    Type: AWS::SNS::Topic
+    Condition: ProvidedAdminEmail
+    Properties:
+      Subscription:
+        - Endpoint: !Ref AdminEmail
+          Protocol: email
+  ElasticLoadBalancer:
+    Type: AWS::ElasticLoadBalancing::LoadBalancer
+    Condition: CreateELB
+    Properties:
+      CrossZone: true
+      Listeners:
+        - LoadBalancerPort: !Ref ELBPort
+          InstancePort: !Ref ELBPort
+          Protocol: TCP
+      HealthCheck:
+        Target: !Join [':', [TCP, !Ref ELBPort]]
+        HealthyThreshold: 3
+        UnhealthyThreshold: 5
+        Interval: 30
+        Timeout: 5
+      Scheme: !Ref ELBType
+      Subnets: !Ref GatewaysSubnets
+      Policies:
+        - PolicyName: EnableProxyProtocol
+          PolicyType: ProxyProtocolPolicyType
+          Attributes:
+            - Name: ProxyProtocol
+              Value: true
+          InstancePorts:
+            - !Ref ELBPort
+      SecurityGroups:
+        - !Ref ELBSecurityGroup
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]]
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+  GatewayGroup:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    DependsOn: GatewayLaunchTemplate
+    Properties:
+      VPCZoneIdentifier: !Ref GatewaysSubnets
+      LaunchTemplate:
+        LaunchTemplateId: !Ref GatewayLaunchTemplate
+        Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+      AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+      MinSize: !Ref GatewaysMinSize
+      MaxSize: !Ref GatewaysMaxSize
+      LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue']
+      TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue']
+      HealthCheckGracePeriod: 3600
+      HealthCheckType: ELB
+      NotificationConfiguration: !If
+        - ProvidedAdminEmail
+        - TopicARN: !Ref NotificationTopic
+          NotificationTypes:
+            - autoscaling:EC2_INSTANCE_LAUNCH
+            - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
+            - autoscaling:EC2_INSTANCE_TERMINATE
+            - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
+        - !Ref 'AWS::NoValue'
+      Tags:
+        - Key: Name
+          Value: !Ref GatewayName
+          PropagateAtLaunch: true
+        - Key: x-chkp-tags
+          Value: !Join
+            - ':'
+            - - !Join ['=', [management, !Ref ManagementServer]]
+              - !Join ['=', [template, !Ref ConfigurationTemplate]]
+              - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]]
+          PropagateAtLaunch: true
+  GatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            AssociatePublicIpAddress: true
+            Groups:
+              - !Ref PermissiveSecurityGroup
+        Monitoring:
+          Enabled: true
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+           HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !Ref EnableVolumeEncryption
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}'
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  GatewayScaleUpPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: 1
+  GatewayScaleDownPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: -1
+  CPUAlarmHigh:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-up if CPU > 80% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 80
+      AlarmActions:
+        - !Ref GatewayScaleUpPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: GreaterThanThreshold
+  CPUAlarmLow:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-down if CPU < 60% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 60
+      AlarmActions:
+        - !Ref GatewayScaleDownPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: LessThanThreshold
+  ELBSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Condition: CreateELB
+    Properties:
+      GroupDescription: ELB security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          CidrIp: !Ref ELBClients
+          FromPort: !Ref ELBPort
+          ToPort: !Ref ELBPort
+Outputs:
+  URL:
+    Description: The URL of the Proxy.
+    Condition: CreateELB
+    Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]]
+  SecurityGroup:
+    Description: The Security Group of the Auto Scaling group.
+    Value: !GetAtt PermissiveSecurityGroup.GroupId
+
diff --git a/china/aws/templates/cluster/README.md b/china/aws/templates/cluster/README.md
new file mode 100644
index 00000000..c7a7c0f8
--- /dev/null
+++ b/china/aws/templates/cluster/README.md
@@ -0,0 +1,40 @@
+## Security Cluster
+
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+           Deploys and configures two Security Gateways as a Cluster.<br/><br/>For more details, refer to the <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Cluster_DeploymentGuide/Default.htm">CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide</a>. 
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Cluster into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster-master.yaml&stackName=Check-Point-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Cluster into an existing VPC.	</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster.yaml&stackName=Check-Point-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+## Revision History
+In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
+
+| Template Version | Description                                                                                                      |
+|------------------|------------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version deprecation.                                                     |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                  |
+| 20230923         | Add support for C5d instance type.                                                                               |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname    |
+| 20230503         | Template version 20230503 and above supports Smart-1 Cloud token validation.                                     |
+| 20230411         | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.                               |
+| 20221123         | Templates version 20221120 and above support R81.20                                                              |
+| 20220606         | New instance type support                                                                                        |
+| 20210309         | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
diff --git a/china/aws/templates/cluster/cluster-master.yaml b/china/aws/templates/cluster/cluster-master.yaml
new file mode 100644
index 00000000..15e3e69b
--- /dev/null
+++ b/china/aws/templates/cluster/cluster-master.yaml
@@ -0,0 +1,505 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Check Point Cluster in a new VPC (20250617). 
+  See CloudGuard Network for AWS Single Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZone
+          - VPCCIDR
+          - PublicSubnetCIDR
+          - PrivateSubnetCIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPCCIDR:
+        default: VPC CIDR
+      AvailabilityZone:
+        default: Availability zone
+      PublicSubnetCIDR:
+        default: Public subnet CIDR
+      PrivateSubnetCIDR:
+        default: Private subnet CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZone:
+    Description: The availability zone in which to deploy the cluster.
+    Type: AWS::EC2::AvailabilityZone::Name
+    MinLength: 1
+  VPCCIDR:
+    Description: The CIDR block for your VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnetCIDR:
+    Description: The external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnetCIDR:
+    Description: The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+      to get the PASSWORD's hash) (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections.
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources (optional).
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Ref AvailabilityZone
+        NumberOfAZs: 1
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnetCIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
+  InternalRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPCStack
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: Private Subnets Route Table
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: VPCStack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberAExternalInterface:
+    Description: The external interface of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+  MemberAPrivateExternalAddress:
+    Description: The private external address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+  MemberAPrivateInternalAddress:
+    Description: The private internal address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+  MemberBPrivateExternalAddress:
+    Description: The private external address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+  MemberBPrivateInternalAddress:
+    Description: The private internal address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+  ClusterPrivateAliasExternalAddress:
+    Description: The secondary external private IP address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasExternalAddress
+  ClusterPrivateAliasInternalAddress:
+    Description: The secondary internal private IP address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasInternalAddress
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/cluster/cluster.yaml b/china/aws/templates/cluster/cluster.yaml
new file mode 100644
index 00000000..b112ed45
--- /dev/null
+++ b/china/aws/templates/cluster/cluster.yaml
@@ -0,0 +1,755 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Cluster into an existing VPC (20250617). 
+  See CloudGuard Network for AWS Single Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnet
+          - PrivateSubnet
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnet:
+        default: Public subnet
+      PrivateSubnet:
+        default: Private subnet
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  PublicSubnet:
+    Description: The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. The subnet's route table must have 0.0.0.0/0 route to Internet Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  PrivateSubnet:
+    Description: The private subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  InternalRouteTable:
+    Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+      to get the PASSWORD's hash) (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections.
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources (optional).
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+      Improve product experience by sending data to Check Point
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  CreateRole: !Equals [!Ref GatewayPredefinedRole, '']
+  ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']]
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+  EmptyHostName: !Equals [!Ref GatewayHostname, '']
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  ClusterReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: AllocateAddress
+    Properties: {}
+  ClusterReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    DependsOn: [MemberAInstance, MemberBInstance]
+    Condition: AllocateAddress
+    Properties:
+      Count: 2
+      Handle: !Ref ClusterReadyHandle
+      Timeout: 1800
+  ClusterRole:
+    Condition: CreateRole
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml
+  ClusterInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]]
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+          PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+          PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join [-, [!Ref GatewayVersion, GW]]
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - PermissiveSecurityGroup
+  MemberAExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member A external.
+      SecondaryPrivateIpAddressCount: 1
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnet
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_ExternalInterface
+  MemberBExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member B external.
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnet
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_ExternalInterface
+  MemberAInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member A internal.
+      SecondaryPrivateIpAddressCount: 1
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnet
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_InternalInterface
+  MemberBInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member B internal.
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnet
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_InternalInterface
+  InternalDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: ProvidedRouteTable
+    DependsOn: MemberAInternalInterface
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !Ref MemberAInternalInterface
+      RouteTableId: !Ref InternalRouteTable
+  PrivateSubnetRouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: ProvidedRouteTable
+    Properties:
+      RouteTableId: !Ref InternalRouteTable
+      SubnetId: !Ref PrivateSubnet
+  MemberAInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate
+        Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-A]]
+        - Key: x-chkp-member-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ]
+              - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ]
+              - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ]
+        - Key: x-chkp-cluster-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ]
+              - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ]
+              - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ]
+  MemberBInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate
+        Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-B]]
+        - Key: x-chkp-member-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ]
+              - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ]
+              - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ]
+        - Key: x-chkp-cluster-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ]
+              - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ]
+              - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ]
+  MemberAGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberAExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberAInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+            - DeviceName: '/dev/xvda'
+              Ebs:
+                Encrypted: !If [ EncryptedVolume, true, false ]
+                KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+                VolumeType: !Ref VolumeType
+                VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-a']
+              - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  MemberBGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberBExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberBInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+            - DeviceName: '/dev/xvda'
+              Ebs:
+                Encrypted: !If [ EncryptedVolume, true, false ]
+                KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+                VolumeType: !Ref VolumeType
+                VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-b']
+              - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']]
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  ClusterPublicAddress:
+    Type: AWS::EC2::EIP
+    Properties:
+      Domain: vpc
+  MemberAPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  MemberBPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  ClusterAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    DependsOn: MemberAInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberAExternalInterface
+      AllocationId: !GetAtt ClusterPublicAddress.AllocationId
+      PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses]
+  MemberAAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberAInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberAExternalInterface
+      AllocationId: !GetAtt MemberAPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberBAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberBInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberBExternalInterface
+      AllocationId: !GetAtt MemberBPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !Ref ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !Ref MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]]
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !Join ['', ['https://', !Ref MemberAPublicAddress]]
+  MemberAExternalInterface:
+    Description: The external interface of member A.
+    Value: !Ref MemberAExternalInterface
+  MemberAPrivateExternalAddress:
+    Description: The private external address of member A.
+    Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberAPrivateInternalAddress:
+    Description: The private internal address of member A.
+    Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !Ref MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]]
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !Join ['', ['https://', !Ref MemberBPublicAddress]]
+  MemberBPrivateExternalAddress:
+    Description: The private external address of member B.
+    Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+  MemberBPrivateInternalAddress:
+    Description: The private internal address of member B.
+    Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress
+  ClusterPrivateAliasExternalAddress:
+    Description: The secondary external private IP address of the cluster.
+    Value: !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ]
+  ClusterPrivateAliasInternalAddress:
+    Description: The secondary internal private IP address of the cluster.
+    Value: !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ]
+
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
+
+
diff --git a/china/aws/templates/cross-az-cluster/README.md b/china/aws/templates/cross-az-cluster/README.md
new file mode 100644
index 00000000..410fbdba
--- /dev/null
+++ b/china/aws/templates/cross-az-cluster/README.md
@@ -0,0 +1,26 @@
+
+## Cross Availability Zone Cluster
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+                Deploys two Security Gateways, each in a different Availability Zone.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm">Cross Availability Zone Cluster for AWS R81.20 Administration Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster-master.yaml&stackName=Check-Point-Cross-AZ-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml&stackName=Check-Point-Cross-AZ-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
\ No newline at end of file
diff --git a/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
new file mode 100644
index 00000000..8bf7bd6f
--- /dev/null
+++ b/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
@@ -0,0 +1,516 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Check Point Cluster in a new VPC (20250617). 
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability zones
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZones:
+    Description: The availability zones in which to deploy the cluster.
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  VPCCIDR:
+    Description: The CIDR block for your VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet1CIDR:
+    Description: The 1st internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+      to get the PASSWORD's hash) (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections.
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+      Improve product experience by sending data to Check Point.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: 2
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+  InternalRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPCStack
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: Private Subnets Route Table
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: VPCStack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberAExternalInterface:
+    Description: The external interface of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+  MemberAPrivateExternalAddress:
+    Description: The primary external private address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+  MemberAPrivateAliasAddress:
+    Description: The secondary external private IP address of Member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateAliasAddress
+  MemberAPrivateInternalAddress:
+    Description: The private Internal address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+  MemberBPrivateExternalAddress:
+    Description: The primary external private address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+  MemberBPrivateAliasAddress:
+    Description: The secondary external private IP address of Member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateAliasAddress
+  MemberBPrivateInternalAddress:
+    Description: The private Internal address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml
new file mode 100644
index 00000000..181a918c
--- /dev/null
+++ b/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml
@@ -0,0 +1,780 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Cluster into an existing VPC (20250617). 
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnetA
+          - PublicSubnetB
+          - PrivateSubnetA
+          - PrivateSubnetB
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnetA:
+        default: Public subnet 1
+      PublicSubnetB:
+        default: Public subnet 2
+      PrivateSubnetA:
+        default: Private subnet 1
+      PrivateSubnetB:
+        default: Private subnet 2
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  PublicSubnetA:
+    Description: Select a public subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the first Security Gateway.
+  PublicSubnetB:
+    Description: Select a public subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the second Security Gateway.
+  PrivateSubnetA:
+    Description: Select a private subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the first Security Gateway.
+  PrivateSubnetB:
+    Description: Select a private subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the second Security Gateway.
+  InternalRouteTable:
+    Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose
+      Improve product experience by sending data to Check Point.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  CreateRole: !Equals [!Ref GatewayPredefinedRole, '']
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+  EmptyHostName: !Equals [!Ref GatewayHostname, '']
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  ClusterReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: AllocateAddress
+    Properties: {}
+  ClusterReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    DependsOn: [MemberAInstance, MemberBInstance]
+    Condition: AllocateAddress
+    Properties:
+      Count: 2
+      Handle: !Ref ClusterReadyHandle
+      Timeout: 1800
+  ClusterRole:
+    Condition: CreateRole
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml
+  ClusterInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]]
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+        PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion, GW]]
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - PermissiveSecurityGroup
+  MemberAExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member A external.
+      SecondaryPrivateIpAddressCount: 1
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnetA
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_ExternalInterface
+  MemberBExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member B external.
+      SecondaryPrivateIpAddressCount: 1
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnetB
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_ExternalInterface
+  MemberAInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member A internal.
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnetA
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_InternalInterface
+  MemberBInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    DependsOn: PermissiveSecurityGroup
+    Properties:
+      Description: Member B internal.
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnetB
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_InternalInterface
+  InternalDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: ProvidedRouteTable
+    DependsOn: MemberAInternalInterface
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !Ref MemberAInternalInterface
+      RouteTableId: !Ref InternalRouteTable
+  PrivateSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: ProvidedRouteTable
+    Properties:
+      RouteTableId: !Ref InternalRouteTable
+      SubnetId: !Ref PrivateSubnetA
+  PrivateSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: ProvidedRouteTable
+    Properties:
+      RouteTableId: !Ref InternalRouteTable
+      SubnetId: !Ref PrivateSubnetB
+  ClusterPublicAddress:
+    Type: AWS::EC2::EIP
+    Properties:
+      Domain: vpc
+  MemberAPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  MemberBPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  ClusterAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    DependsOn: MemberAInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberAExternalInterface
+      AllocationId: !GetAtt ClusterPublicAddress.AllocationId
+      PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses]
+  MemberAAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberAInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberAExternalInterface
+      AllocationId: !GetAtt MemberAPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberBAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberBInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberBExternalInterface
+      AllocationId: !GetAtt MemberBPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+  MemberAInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface, MemberAGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate
+        Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-A]]
+        - Key: x-chkp-member-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ]
+              - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ]
+              - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ]
+        - Key: x-chkp-cluster-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ]
+              - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ]
+  MemberBInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberBGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate
+        Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-B]]
+        - Key: x-chkp-member-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ]
+              - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ]
+              - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ]
+        - Key: x-chkp-cluster-ips
+          Value: !Join
+            - ':'
+            - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ]
+              - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ]
+  MemberAGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberAExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberAInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+            - DeviceName: '/dev/xvda'
+              Ebs:
+                Encrypted: !If [ EncryptedVolume, true, false ]
+                KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+                VolumeType: !Ref VolumeType
+                VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData:
+          'Fn::Base64':
+              !Join
+              - |+
+
+              - - '#cloud-config'
+                - 'runcmd:'
+                - '  - |'
+                - '    set -e'
+                - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}'''
+                - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+                - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-a']
+                - !Join ['', ['    other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']]
+                - !Join ['', ['    secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']]
+                - !Join ['', ['    remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']]
+                - !Join ['', ['    cluster_ip="', !Ref ClusterPublicAddress, '"']]
+                - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
+                - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+                - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+                - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+                - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+                - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+                - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  MemberBGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberBExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberBInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+            - DeviceName: '/dev/xvda'
+              Ebs:
+                Encrypted: !If [ EncryptedVolume, true, false ]
+                KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+                VolumeType: !Ref VolumeType
+                VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-b']
+              - !Join ['', ['    other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']]
+              - !Join ['', ['    secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']]
+              - !Join ['', ['    remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']]
+              - !Join ['', ['    cluster_ip="', !Ref ClusterPublicAddress, '"']]
+              - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']]
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join [ '', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !Ref ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !Ref MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]]
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !Join ['', ['https://', !Ref MemberAPublicAddress]]
+  MemberAExternalInterface:
+    Description: The external interface of member A.
+    Value: !Ref MemberAExternalInterface
+  MemberAPrivateExternalAddress:
+    Description: The primary external private address of member A.
+    Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberAPrivateAliasAddress:
+    Description: The secondary external private IP address of Member A.
+    Value: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses]
+  MemberAPrivateInternalAddress:
+    Description: The private Internal address of member A.
+    Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !Ref MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]]
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !Join ['', ['https://', !Ref MemberBPublicAddress]]
+  MemberBPrivateExternalAddress:
+    Description: The primary external private address of member B.
+    Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+  MemberBPrivateAliasAddress:
+    Description: The secondary external private IP address of Member B.
+    Value: !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses]
+  MemberBPrivateInternalAddress:
+    Description: The private Internal address of member B.
+    Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
diff --git a/china/aws/templates/download-m.png b/china/aws/templates/download-m.png
new file mode 100644
index 00000000..1920b1bb
Binary files /dev/null and b/china/aws/templates/download-m.png differ
diff --git a/china/aws/templates/general/README.md b/china/aws/templates/general/README.md
new file mode 100644
index 00000000..0905ffea
--- /dev/null
+++ b/china/aws/templates/general/README.md
@@ -0,0 +1,29 @@
+## General
+
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td>
+                <b>Create an IAM role for Security Management Server</b><br/>
+                Creates an IAM role in your account preconfigured with permissions to manage resources.<br/>    
+                For more details, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074">sk122074 </a>.
+            </td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml&stackName=Check-Point-IAM-role"><img src="../../images/launch.png"></a></td>
+        </tr>
+        <tr>
+            <td>
+                <b>Current Check Point AMIs</b> <br/>
+                A helper template that returns the latest Check Point AMIs in a given region.
+            </td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml&stackName=Check-Point-AMIs"><img src="../../images/launch.png"></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
diff --git a/china/aws/templates/general/cloudwatch-policy.yaml b/china/aws/templates/general/cloudwatch-policy.yaml
new file mode 100644
index 00000000..58dca0b6
--- /dev/null
+++ b/china/aws/templates/general/cloudwatch-policy.yaml
@@ -0,0 +1,39 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Policy Attributes
+        Parameters:
+          - PolicyName
+          - PolicyRole
+    ParameterLabels:
+      PolicyName:
+        default: Policy name
+      PolicyRole:
+        default: IAM role name
+Parameters:
+  PolicyName:
+    Description: ''
+    Type: String
+    Default: 'Cloudwatch'
+    AllowedPattern: '[\w+=,.@-]+'
+  PolicyRole:
+    Description: ''
+    Type: String
+    AllowedPattern: '[\w+=,.@-]+'
+Resources:
+  IAMPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub "${PolicyName}-iam-policy"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - cloudwatch:PutMetricData
+            Resource: '*'
+      Roles:
+        - !Ref PolicyRole
diff --git a/china/aws/templates/general/cluster-iam-role.yaml b/china/aws/templates/general/cluster-iam-role.yaml
new file mode 100644
index 00000000..7e5ea6d8
--- /dev/null
+++ b/china/aws/templates/general/cluster-iam-role.yaml
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20250617)
+Resources:
+  ClusterIAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: [ec2.amazonaws.com.cn]
+            Action: sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: ClusterPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ec2:AssignPrivateIpAddresses
+                  - ec2:AssociateAddress
+                  - ec2:CreateRoute
+                  - ec2:DescribeNetworkInterfaces
+                  - ec2:DescribeRouteTables
+                  - ec2:ReplaceRoute
+                Resource: '*'
+Outputs:
+  ClusterIAMRole:
+    Description: The IAM role.
+    Value: !Ref ClusterIAMRole
+  ClusterARNRole:
+    Description: The IAM role ARN.
+    Value: !GetAtt ClusterIAMRole.Arn
diff --git a/china/aws/templates/general/cme-iam-role.yaml b/china/aws/templates/general/cme-iam-role.yaml
new file mode 100644
index 00000000..86a4a2d9
--- /dev/null
+++ b/china/aws/templates/general/cme-iam-role.yaml
@@ -0,0 +1,161 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Creates an IAM role for selected permissions (20250617)
+  See sk122074 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: IAM
+        Parameters:
+          - Permissions
+      - Label:
+          default: Advanced Configuration (optional)
+        Parameters:
+          - STSRoles
+          - TrustedAccount
+    ParameterLabels:
+      Permissions:
+        default: IAM role
+      STSRoles:
+        default: STS roles
+      TrustedAccount:
+        default: Trusted Account ID
+Parameters:
+  Permissions:
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - Create with read permissions
+      - Create with read-write permissions
+      - Create with assume role permissions (specify an STS role ARN)
+  STSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces).
+    Type: String
+    Default: ''
+  TrustedAccount:
+    Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([0-9]{12})|$'
+Conditions:
+  AllowReadPermissions: !Or
+    - !Equals [!Ref Permissions, Create with read permissions]
+    - !Equals [!Ref Permissions, Create with read-write permissions]
+  AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions]
+  ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']]
+  NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount]
+  ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount]
+Resources:
+  CMEIAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - !If
+            - ProvidedTrustedAccount
+            - Effect: Allow
+              Principal:
+                AWS: [!Ref TrustedAccount]
+              Action: ['sts:AssumeRole']
+            - !Ref 'AWS::NoValue'
+          - !If
+            - NotProvidedTrustedAccount
+            - Effect: Allow
+              Principal:
+                Service: [ec2.amazonaws.com.cn]
+              Action: ['sts:AssumeRole']
+            - !Ref 'AWS::NoValue'
+      Path: /
+      Policies:
+        - PolicyName: CMEPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - !If
+                - ProvidedSTSRoles
+                - Effect: Allow
+                  Action: ['sts:AssumeRole']
+                  Resource: !Split [',', !Ref STSRoles]
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowReadPermissions
+                - Effect: Allow
+                  Action:
+                    - autoscaling:DescribeAutoScalingGroups
+                    - ec2:DescribeRegions
+                    - ec2:DescribeCustomerGateways
+                    - ec2:DescribeInstances
+                    - ec2:DescribeNetworkInterfaces
+                    - ec2:DescribeRouteTables
+                    - ec2:DescribeSecurityGroups
+                    - ec2:DescribeSubnets
+                    - ec2:DescribeTransitGateways
+                    - ec2:DescribeTransitGatewayAttachments
+                    - ec2:DescribeTransitGatewayRouteTables
+                    - ec2:DescribeVpcs
+                    - ec2:DescribeVpnGateways
+                    - ec2:DescribeVpnConnections
+                    - ec2:GetTransitGatewayAttachmentPropagations
+                    - elasticloadbalancing:DescribeLoadBalancers
+                    - elasticloadbalancing:DescribeTags
+                    - elasticloadbalancing:DescribeListeners
+                    - elasticloadbalancing:DescribeTargetGroups
+                    - elasticloadbalancing:DescribeRules
+                    - elasticloadbalancing:DescribeTargetHealth
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowWritePermissions
+                - Effect: Allow
+                  Action:
+                    - ec2:AssociateTransitGatewayRouteTable
+                    - ec2:AttachVpnGateway
+                    - ec2:CreateCustomerGateway
+                    - ec2:CreateVpnConnection
+                    - ec2:CreateVpnGateway
+                    - ec2:DeleteCustomerGateway
+                    - ec2:DeleteVpnConnection
+                    - ec2:DeleteVpnGateway
+                    - ec2:DetachVpnGateway
+                    - ec2:DisableTransitGatewayRouteTablePropagation
+                    - ec2:DisableVgwRoutePropagation
+                    - ec2:DisassociateTransitGatewayRouteTable
+                    - ec2:EnableTransitGatewayRouteTablePropagation
+                    - ec2:EnableVgwRoutePropagation
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowWritePermissions
+                - Effect: Allow
+                  Action:
+                    - cloudformation:DescribeStacks
+                    - cloudformation:DescribeStackResources
+                    - cloudformation:ListStacks
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowWritePermissions
+                - Effect: Allow
+                  Action:
+                    - cloudformation:CreateStack
+                    - cloudformation:DeleteStack
+                  Resource: 'arn:aws-cn:cloudformation:*:*:stack/vpn-by-tag--*/*'
+                - !Ref 'AWS::NoValue'
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+        InstanceProfileName: !Ref CMEIAMRole
+        Roles:
+          - !Ref CMEIAMRole          
+Outputs:
+  CMEIAMRole:
+    Description: The IAM role.
+    Value: !Ref CMEIAMRole
+  CMEARNRole:
+    Description: The IAM role ARN.
+    Value: !GetAtt CMEIAMRole.Arn
+  InstanceProfile:
+    Description: The Instance Profile ARN.
+    Value: !GetAtt InstanceProfile.Arn
diff --git a/china/aws/templates/general/sts-role.yaml b/china/aws/templates/general/sts-role.yaml
new file mode 100755
index 00000000..93f5cb40
--- /dev/null
+++ b/china/aws/templates/general/sts-role.yaml
@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for cross account permissions (20190313)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Cross Account Permissions Configuration
+        Parameters:
+          - TrustedAccount
+          - Permissions
+    ParameterLabels:
+      TrustedAccount:
+        default: Trusted Account ID
+      STSPermissions:
+        default: IAM Role Permissions
+Parameters:
+  TrustedAccount:
+    Description: A 12 digits number that represents the ID of the trusted account.
+    Type: String
+    AllowedPattern: '^[0-9]{12}$'
+  STSPermissions:
+    Description: Select Read-Write if you intend to use this role with Transit VPC.
+    Type: String
+    Default: Read only
+    AllowedValues:
+      - Read only
+      - Read-Write
+Conditions:
+  AllowReadPermissions: !Or
+    - !Equals [!Ref STSPermissions, Read only]
+    - !Equals [!Ref STSPermissions, Read-Write]
+  AllowCreateVPNPermissions: !Equals [!Ref STSPermissions, Read-Write]
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Ref TrustedAccount
+            Action:
+              - sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: Policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - !If
+                - AllowReadPermissions
+                - Effect: Allow
+                  Action:
+                    - ec2:DescribeInstances
+                    - ec2:DescribeNetworkInterfaces
+                    - ec2:DescribeSubnets
+                    - ec2:DescribeVpcs
+                    - ec2:DescribeVpnGateways
+                    - ec2:DescribeVpnConnections
+                    - ec2:DescribeSecurityGroups
+                    - elasticloadbalancing:DescribeLoadBalancers
+                    - elasticloadbalancing:DescribeTags
+                    - elasticloadbalancing:DescribeListeners
+                    - elasticloadbalancing:DescribeTargetGroups
+                    - elasticloadbalancing:DescribeRules
+                    - elasticloadbalancing:DescribeTargetHealth
+                    - autoscaling:DescribeAutoScalingGroups
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowCreateVPNPermissions
+                - Effect: Allow
+                  Action:
+                    - ec2:DescribeCustomerGateways
+                    - ec2:CreateCustomerGateway
+                    - ec2:DeleteCustomerGateway
+                    - ec2:DescribeRouteTables
+                    - ec2:EnableVgwRoutePropagation
+                    - ec2:DisableVgwRoutePropagation
+                    - ec2:DescribeVpnGateways
+                    - ec2:CreateVpnGateway
+                    - ec2:AttachVpnGateway
+                    - ec2:DetachVpnGateway
+                    - ec2:DeleteVpnGateway
+                    - ec2:DescribeVpnConnections
+                    - ec2:CreateVpnConnection
+                    - ec2:DeleteVpnConnection
+                    - ec2:DescribeTransitGateways
+                    - ec2:DescribeTransitGatewayRouteTables
+                    - ec2:DescribeTransitGatewayAttachments
+                    - ec2:AssociateTransitGatewayRouteTable
+                    - ec2:DisassociateTransitGatewayRouteTable
+                    - ec2:EnableTransitGatewayRouteTablePropagation
+                    - ec2:DisableTransitGatewayRouteTablePropagation
+                    - ec2:GetTransitGatewayAttachmentPropagations
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowCreateVPNPermissions
+                - Effect: Allow
+                  Action:
+                    - cloudformation:DescribeStacks
+                    - cloudformation:DescribeStackResources
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowCreateVPNPermissions
+                - Effect: Allow
+                  Action:
+                    - cloudformation:CreateStack
+                    - cloudformation:DeleteStack
+                  Resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*
+                - !Ref 'AWS::NoValue'
+Outputs:
+  Role:
+    Description: The role ARN to assume by the trusted account.
+    Value: !GetAtt Role.Arn
diff --git a/china/aws/templates/geo-cluster/README.md b/china/aws/templates/geo-cluster/README.md
new file mode 100644
index 00000000..bd022a24
--- /dev/null
+++ b/china/aws/templates/geo-cluster/README.md
@@ -0,0 +1,40 @@
+
+## Cross Availability Zone Cluster
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+                Deploys two Security Gateways, each in a different Availability Zone.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Transit_Gateway_High_Availability/Default.htm">CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster-master.yaml&stackName=Check-Point-geo-cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml&stackName=Check-Point-geo-cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                                                                      |
+|------------------|------------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version  deprecation                                                     |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                  |
+| 20230923         | Add support for C5d instance type.                                                                               |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname    |
+| 20230503         | Template version 20230503 and above supports Smart-1 Cloud token validation.                                     |
+| 20230411         | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.                               |
+| 20221123         | Templates version 20221120 and above support R81.20                                                              |
+| 20220606         | New instance type support                                                                                        |
+| 20210309         | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
diff --git a/china/aws/templates/geo-cluster/geo-cluster-master.yaml b/china/aws/templates/geo-cluster/geo-cluster-master.yaml
new file mode 100644
index 00000000..326a0f49
--- /dev/null
+++ b/china/aws/templates/geo-cluster/geo-cluster-master.yaml
@@ -0,0 +1,523 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Check Point cross AZ Cluster in a new VPC (20241027)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZones:
+    Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet1CIDR:
+    Description: CIDR block for private subnet 1 located in the 1st Availability Zone. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c5.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.large
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Description: The license to install on the Security Gateways.
+    Type: String
+    Default: R81.10-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+      get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between
+      Check Point components. Choose a random string consisting of at least 8
+      alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: >-
+      Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: 2
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+  InternalRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPCStack
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: Private Subnets Route Table
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+Outputs:
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberAPrivateExternalAddress:
+    Description: The private external address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+  MemberAPrivateInternalAddress:
+    Description: The private internal address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBPrivateExternalAddress:
+    Description: The private external address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+  MemberBPrivateInternalAddress:
+    Description: The private internal address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/geo-cluster/geo-cluster.yaml b/china/aws/templates/geo-cluster/geo-cluster.yaml
new file mode 100644
index 00000000..51cdc5dd
--- /dev/null
+++ b/china/aws/templates/geo-cluster/geo-cluster.yaml
@@ -0,0 +1,734 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20241027)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnetA
+          - PublicSubnetB
+          - PrivateSubnetA
+          - PrivateSubnetB
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnetA:
+        default: Public subnet 1
+      PublicSubnetB:
+        default: Public subnet 2
+      PrivateSubnetA:
+        default: Private subnet 1
+      PrivateSubnetB:
+        default: Private subnet 2
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: you must select a VPC.
+  PublicSubnetA:
+    Description: Select a public subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the first Security Gateway.
+  PublicSubnetB:
+    Description: Select a public subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the second Security Gateway.
+  PrivateSubnetA:
+    Description: Select a private subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the first Security Gateway.
+  PrivateSubnetB:
+    Description: Select a private subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the second Security Gateway.
+  InternalRouteTable:
+    Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Type: String
+    Default: c5.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.large
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Description: The license to install on the Security Gateways.
+    Type: String
+    Default: R81.10-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+      get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between
+      Check Point components. Choose a random string consisting of at least 8
+      alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: >-
+      Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  CreateRole: !Equals [!Ref GatewayPredefinedRole, '']
+  ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']]
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+  EmptyHostName: !Equals [!Ref GatewayHostname, '']
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  ClusterReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: AllocateAddress
+    Properties: {}
+  ClusterReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: AllocateAddress
+    DependsOn: [MemberAInstance, MemberBInstance]
+    Properties:
+      Count: 2
+      Handle: !Ref ClusterReadyHandle
+      Timeout: 1800
+  ClusterRole:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml
+  ClusterInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]]
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+        PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion, GW]]
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - PermissiveSecurityGroup
+  MemberAExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Description: External.
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnetA
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_ExternalInterface
+  MemberBExternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Description: External.
+      SourceDestCheck: false
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SubnetId: !Ref PublicSubnetB
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_ExternalInterface
+  MemberAInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Description: Internal.
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnetA
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_A_InternalInterface
+  MemberBInternalInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Description: Internal.
+      GroupSet: [!Ref PermissiveSecurityGroup]
+      SourceDestCheck: false
+      SubnetId: !Ref PrivateSubnetB
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - Member_B_InternalInterface
+  InternalDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: ProvidedRouteTable
+    DependsOn: MemberAInternalInterface
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !Ref MemberAInternalInterface
+      RouteTableId: !Ref InternalRouteTable
+  PrivateSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: ProvidedRouteTable
+    Properties:
+      RouteTableId: !Ref InternalRouteTable
+      SubnetId: !Ref PrivateSubnetA
+  PrivateSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: ProvidedRouteTable
+    Properties:
+      RouteTableId: !Ref InternalRouteTable
+      SubnetId: !Ref PrivateSubnetB
+  MemberAInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate
+        Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-A]]
+  MemberBInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate
+        Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref GatewayName, Member-B]]
+  MemberAGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberAExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberAInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData: !Base64
+          'Fn::Join':
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-a']
+              - !Join ['', ['    other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']]
+              - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
+  MemberBGatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref MemberBExternalInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref MemberBInternalInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !Ref ClusterInstanceProfile
+        UserData: !Base64
+          'Fn::Join':
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [EmptyHostName, '    hostname=""',!Sub '    hostname=${GatewayHostname}-member-b']
+              - !Join ['', ['    other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']]
+              - !Join ['', ['    eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']]
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join [ '', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  MemberAPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  MemberBPublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  MemberAAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberAInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberAExternalInterface
+      AllocationId: !GetAtt MemberAPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberBAddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: MemberBInstance
+    Properties:
+      NetworkInterfaceId: !Ref MemberBExternalInterface
+      AllocationId: !GetAtt MemberBPublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+Outputs:
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !Ref MemberAPublicAddress
+  MemberAPrivateExternalAddress:
+    Description: The private external address of member A.
+    Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+  MemberAPrivateInternalAddress:
+    Description: The private internal address of member A.
+    Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress
+  MemberAExternalInterface:
+    Description: The external interface of member A.
+    Value: !Ref MemberAExternalInterface
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]]
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !Join ['', ['https://', !Ref MemberAPublicAddress]]
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !Ref MemberBPublicAddress
+  MemberBPrivateExternalAddress:
+    Description: The private external address of member B.
+    Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+  MemberBPrivateInternalAddress:
+    Description: The private internal address of member B.
+    Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress
+  MemberBExternalInterface:
+    Description: The external interface of member B.
+    Value: !Ref MemberBExternalInterface
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]]
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !Join ['', ['https://', !Ref MemberBPublicAddress]]
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/gwlb-asg/README.md b/china/aws/templates/gwlb-asg/README.md
new file mode 100644
index 00000000..f287a7b1
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/README.md
@@ -0,0 +1,73 @@
+
+## Gateway Load Balancer (GWLB) Auto Scaling Group
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td width="40%">
+            Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb-master.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">
+            Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">
+            Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway. </td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb-master.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">
+            Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">
+            Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Creates a new Security VPC with Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, Servers' VPC with Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer in Servers' VPC, Servers and optionally a Security Management Server.</br>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/qs-gwlb-master.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">
+            Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Default.htm">CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide</a>.
+            </td>
+            <td width="40%">Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing Servers' VPC.</br>
+			</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/qs-gwlb.yaml"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+
+## Revision History
+In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
+
+| Template Version | Description                                                                                                   |
+|------------------|---------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version  deprecation                                                  |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                               |
+| 20240414         | Add support for Elastic Load Balancer Health Checks.                                                          |
+| 20230923         | Add support for C5d instance type.                                                                            |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname |
+| 20221226         | Support ASG Launch Template instead of Launch Configuration.                                                  |
+| 20221123         | Templates version 20221120 and above support R81.20                                                           |
+| 20220606         | New instance type support                                                                                     |
+| 20220414         | First release of Check Point Auto Scaling GWLB Terraform module for AWS                                       |
diff --git a/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml b/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml
new file mode 100644
index 00000000..e74745d0
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml
@@ -0,0 +1,677 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Create an Auto Scaling group of Check Point gateways (20250617)
+  See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - GatewaysSubnets
+      - Label:
+          default: EC2 Instances Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - VolumeSize
+          - VolumeType
+          - EnableVolumeEncryption
+          - EnableInstanceConnect
+          - MetaDataToken
+      - Label:
+          default: Auto Scaling Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - AdminEmail
+          - GatewaysTargetGroups
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - AllowUploadDownload
+          - CloudWatch
+          - EnableIPv6Traffic
+          - GatewayBootstrapScript
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - AllocatePublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+      - Label:
+          default: Proxy Configuration (optional)
+        Parameters:
+          - ELBType
+          - ELBPort
+          - ELBClients
+    ParameterLabels:
+      VPC:
+        default: VPC
+      GatewaysSubnets:
+        default: Gateways subnets
+      GatewayName:
+        default: Gateways name
+      GatewayInstanceType:
+        default: Gateways instance type
+      KeyName:
+        default: Key name
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableVolumeEncryption:
+        default: Enable volume encryption
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewaysMinSize:
+        default: Minimum Gateway group size
+      GatewaysMaxSize:
+        default: Maximum Gateway group size
+      AdminEmail:
+        default: Email address
+      GatewaysTargetGroups:
+        default: Gateways target groups
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      AllocatePublicAddress:
+        default: Allocate Public IPs
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      ELBType:
+        default: Proxy type
+      ELBPort:
+        default: Proxy port
+      ELBClients:
+        default: Allowed proxy clients
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+      EnableIPv6Traffic:
+        default: Add support for IPv6 traffic inspection
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  GatewaysSubnets:
+    Description: Select at least 2 public subnets in the VPC.
+    Type: List<AWS::EC2::Subnet::Id>
+    MinLength: 2
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableVolumeEncryption:
+    Description: Encrypt Auto Scaling instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewaysMinSize:
+    Description: The minimal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of gateways in the Auto Scaling group.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+    ConstraintDescription: Must be a valid email address.
+  GatewaysTargetGroups:
+    Description: A list of Target Groups to associate with the Auto Scaling
+      group (comma separated list of ARNs, without spaces). (optional)
+    Type: String
+    Default: ''
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  AllocatePublicAddress:
+    Description: Allocate a Public IP for gateway members.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  ELBType:
+    Type: String
+    Default: none
+    AllowedValues:
+      - none
+      - internal
+      - internet-facing
+  ELBPort:
+    Type: Number
+    Default: 8080
+  ELBClients:
+    Type: String
+    Default: 0.0.0.0/0
+    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+  EnableIPv6Traffic:
+    Description: Add support for IPv6 traffic inspection.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+Conditions:
+  ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
+  ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']]
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  CreateELB: !Not [!Equals [!Ref ELBType, none]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+  EnableIPv6: !Equals [!Ref EnableIPv6Traffic, true]
+Resources:
+  ChkpGatewayRole:
+    Type: AWS::IAM::Role
+    Condition: EnableCloudWatch
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com.cn
+            Action:
+              - sts:AssumeRole
+      Path: /
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: ChkpGatewayPolicy
+        PolicyRole: !Ref ChkpGatewayRole
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: EnableCloudWatch
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ChkpGatewayRole
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion, GW]]
+  NotificationTopic:
+    Type: AWS::SNS::Topic
+    Condition: ProvidedAdminEmail
+    Properties:
+      Subscription:
+        - Endpoint: !Ref AdminEmail
+          Protocol: email
+  ElasticLoadBalancer:
+    Type: AWS::ElasticLoadBalancing::LoadBalancer
+    Condition: CreateELB
+    Properties:
+      CrossZone: true
+      Listeners:
+        - LoadBalancerPort: !Ref ELBPort
+          InstancePort: !Ref ELBPort
+          Protocol: TCP
+      HealthCheck:
+        Target: !Join [':', [TCP, !Ref ELBPort]]
+        HealthyThreshold: 3
+        UnhealthyThreshold: 5
+        Interval: 30
+        Timeout: 5
+      Scheme: !Ref ELBType
+      Subnets: !Ref GatewaysSubnets
+      Policies:
+        - PolicyName: EnableProxyProtocol
+          PolicyType: ProxyProtocolPolicyType
+          Attributes:
+            - Name: ProxyProtocol
+              Value: true
+          InstancePorts:
+            - !Ref ELBPort
+      SecurityGroups:
+        - !Ref ELBSecurityGroup
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]]
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+  GatewayGroup:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    DependsOn: GatewayLaunchTemplate
+    Properties:
+      # AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+      VPCZoneIdentifier: !Ref GatewaysSubnets
+      LaunchTemplate:
+        LaunchTemplateId: !Ref GatewayLaunchTemplate
+        Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+      MinSize: !Ref GatewaysMinSize
+      MaxSize: !Ref GatewaysMaxSize
+      LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue']
+      TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue']
+      HealthCheckGracePeriod: 3600
+      HealthCheckType: ELB
+      NotificationConfiguration: !If
+        - ProvidedAdminEmail
+        - TopicARN: !Ref NotificationTopic
+          NotificationTypes:
+            - autoscaling:EC2_INSTANCE_LAUNCH
+            - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
+            - autoscaling:EC2_INSTANCE_TERMINATE
+            - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
+        - !Ref 'AWS::NoValue'
+      Tags:
+        - Key: Name
+          Value: !Ref GatewayName
+          PropagateAtLaunch: true
+        - Key: x-chkp-tags
+          Value: !Join
+            - ':'
+            - - !Join ['=', [management, !Ref ManagementServer]]
+              - !Join ['=', [template, !Ref ConfigurationTemplate]]
+              - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]]
+          PropagateAtLaunch: true
+        - Key: x-chkp-topology
+          Value: internal
+          PropagateAtLaunch: true
+        - Key: x-chkp-solution
+          Value: autoscale_gwlb
+          PropagateAtLaunch: true
+  GatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            AssociatePublicIpAddress: !Ref AllocatePublicAddress
+            Groups:
+              - !Ref PermissiveSecurityGroup
+        Monitoring:
+          Enabled: true
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !Ref EnableVolumeEncryption
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'network:'
+              - '  version: 1'
+              - '  config:'
+              - '  - type: bridge'
+              - '    name: br0'
+              - '    mtu: *eth0-mtu'
+              - '    subnets:'
+              - '      - address: *eth0-private'
+              - '        type: static'
+              - '        gateway: *default-gateway'
+              - '        dns_nameservers:'
+              - '        - *eth0-dns1'
+              - '    bridge_interfaces:'
+              - '      - eth0'
+              - 'kernel_parameters:'
+              - '  sim:'
+              - '    - sim_geneve_enabled=1'
+              - '    - sim_geneve_br_dev=br0'
+              - '  fw:'
+              - '    - fwtls_bridge_mode_inspection=1'
+              - '    - fw_geneve_enabled=1'
+              - 'bootcmd:'
+              - '    - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local'
+              - '    - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local'
+              - '    - |'
+              - '      gparam_file_path="$(find $PPKDIR/boot/modules/ -regextype egrep -regex ''.*(sim_kern_64_3_10_64_v6|sim_kern_64_v6)\.gparams'')"'
+              - '      if cat $gparam_file_path | grep -q sim_geneve_enabled ; then'
+              - '          cp /etc/basedb /etc/basedb.bak'
+              - '          grep -vx "ipv6 t" /etc/basedb.bak | grep -vx "ipv6 f" > /etc/basedb;'
+              - '          echo "ipv6 t" >> /etc/basedb;'
+              - '          /etc/rc3.d/S07ipv6gen'
+              - '      fi'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}'
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  GatewayScaleUpPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: 1
+  GatewayScaleDownPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AdjustmentType: ChangeInCapacity
+      AutoScalingGroupName: !Ref GatewayGroup
+      Cooldown: 300
+      ScalingAdjustment: -1
+  CPUAlarmHigh:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-up if CPU > 80% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 80
+      AlarmActions:
+        - !Ref GatewayScaleUpPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: GreaterThanThreshold
+  CPUAlarmLow:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: Scale-down if CPU < 60% for 10 minutes.
+      MetricName: CPUUtilization
+      Namespace: AWS/EC2
+      Statistic: Average
+      Period: 300
+      EvaluationPeriods: 2
+      Threshold: 60
+      AlarmActions:
+        - !Ref GatewayScaleDownPolicy
+      Dimensions:
+        - Name: AutoScalingGroupName
+          Value: !Ref GatewayGroup
+      ComparisonOperator: LessThanThreshold
+  ELBSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Condition: CreateELB
+    Properties:
+      GroupDescription: ELB security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          CidrIp: !Ref ELBClients
+          FromPort: !Ref ELBPort
+          ToPort: !Ref ELBPort
+Outputs:
+  URL:
+    Description: The URL of the Proxy.
+    Condition: CreateELB
+    Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]]
+  SecurityGroup:
+    Description: The Security Group of the Auto Scaling group.
+    Value: !GetAtt PermissiveSecurityGroup.GroupId
+Rules:
+  GatewayAddressAllocationRule:
+    RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] 
+    Assertions:  
+      - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+        Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml b/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml
new file mode 100644
index 00000000..a6b48ff4
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml
@@ -0,0 +1,131 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20250617). Refer to sk122074 for more info
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: IAM
+        Parameters:
+          - Permissions
+      - Label:
+          default: Advanced Configuration (optional)
+        Parameters:
+          - STSRoles
+          - TrustedAccount
+    ParameterLabels:
+      Permissions:
+        default: IAM role
+      STSRoles:
+        default: STS roles
+      TrustedAccount:
+        default: Trusted Account ID
+Parameters:
+  Permissions:
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - Create with read permissions
+      - Create with read-write permissions
+      - Create with assume role permissions (specify an STS role ARN)
+  STSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces).
+    Type: String
+    Default: ''
+  TrustedAccount:
+    Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([0-9]{12})|$'
+Conditions:
+  AllowReadPermissions: !Or
+    - !Equals [!Ref Permissions, Create with read permissions]
+    - !Equals [!Ref Permissions, Create with read-write permissions]
+  AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions]
+  ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']]
+  NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount]
+  ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount]
+Resources:
+  CMEIAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - !If
+            - ProvidedTrustedAccount
+            - Effect: Allow
+              Principal:
+                AWS: [!Ref TrustedAccount]
+              Action: ['sts:AssumeRole']
+            - !Ref 'AWS::NoValue'
+          - !If
+            - NotProvidedTrustedAccount
+            - Effect: Allow
+              Principal:
+                Service: [ec2.amazonaws.com.cn]
+              Action: ['sts:AssumeRole']
+            - !Ref 'AWS::NoValue'
+      Path: /
+      Policies:
+        - PolicyName: CMEPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - !If
+                - ProvidedSTSRoles
+                - Effect: Allow
+                  Action: ['sts:AssumeRole']
+                  Resource: !Split [',', !Ref STSRoles]
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowReadPermissions
+                - Effect: Allow
+                  Action:
+                    - autoscaling:DescribeAutoScalingGroups
+                    - ec2:DescribeRegions
+                    - ec2:DescribeInstances
+                    - ec2:DescribeNetworkInterfaces
+                    - ec2:DescribeRouteTables
+                    - ec2:DescribeSecurityGroups
+                    - ec2:DescribeSubnets
+                    - ec2:DescribeVpcs
+                    - ec2:DescribeInternetGateways
+                    - ec2:DescribeVpcEndpoints
+                    - ec2:DescribeVpcEndpointServiceConfigurations
+                    - elasticloadbalancing:DescribeLoadBalancers
+                    - elasticloadbalancing:DescribeTags
+                    - elasticloadbalancing:DescribeListeners
+                    - elasticloadbalancing:DescribeTargetGroups
+                    - elasticloadbalancing:DescribeRules
+                    - elasticloadbalancing:DescribeTargetHealth
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+              - !If
+                - AllowWritePermissions
+                - Effect: Allow
+                  Action:
+                    - ec2:CreateRoute
+                    - ec2:ReplaceRoute
+                    - ec2:DeleteRoute
+                    - ec2:CreateRouteTable
+                    - ec2:AssociateRouteTable
+                    - ec2:CreateTags
+                  Resource: '*'
+                - !Ref 'AWS::NoValue'
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      InstanceProfileName: !Ref CMEIAMRole
+      Roles:
+        - !Ref CMEIAMRole
+Outputs:
+  CMEIAMRole:
+    Description: The IAM role.
+    Value: !Ref CMEIAMRole
+  CMEARNRole:
+    Description: The IAM role ARN.
+    Value: !GetAtt CMEIAMRole.Arn
+  InstanceProfile:
+    Description: The Instance Profile ARN.
+    Value: !GetAtt InstanceProfile.Arn
+
diff --git a/china/aws/templates/gwlb-asg/gwlb-master.yaml b/china/aws/templates/gwlb-asg/gwlb-master.yaml
new file mode 100644
index 00000000..363f6a94
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/gwlb-master.yaml
@@ -0,0 +1,740 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20250617). 
+  See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+          - ManagementServer
+          - ConfigurationTemplate
+          - AdminEmail
+          - Shell
+      - Label:
+          default: Gateway Load Balancer Configuration
+        Parameters:
+          - GWLBName
+          - TargetGroupName
+          - AcceptConnectionRequired
+          - CrossZoneLoadBalancing
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - ControlGatewayOverPrivateOrPublicAddress
+          - IPMode
+          - AllocatePublicAddress
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - GatewaysPolicy
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of AZs
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Auto Scaling Group Public Subnet 1
+      PublicSubnet2CIDR:
+        default: Auto Scaling Group Public Subnet 2
+      PublicSubnet3CIDR:
+        default: Auto Scaling Group Public Subnet 3
+      PublicSubnet4CIDR:
+        default: Auto Scaling Group Public Subnet 4
+      KeyName:
+        default: Key name
+      IPMode:
+        default: IP Configuration Mode
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AdminEmail:
+        default: Email address
+      Shell:
+        default: Admin shell
+      GWLBName:
+        default: Gateway Load Balancer Name
+      TargetGroupName:
+        default: Target Group Name
+      AcceptConnectionRequired:
+        default:  Connection Acceptance Required
+      CrossZoneLoadBalancing:
+        default:  Enable Cross Zone Load Balancing
+      GatewayName:
+        default: Gateways instance name
+      GatewayInstanceType:
+        default: Gateways instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Gateways version & license
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      AllocatePublicAddress:
+        default: Allocate Public IPs
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Management instance type
+      ManagementVersion:
+        default: Management version & license
+      ManagementPasswordHash:
+        default: Management password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      GatewaysPolicy:
+        default: Security Policy
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Manage Gateways
+      GatewaysAddresses:
+        default: Gateways addresses
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  AvailabilityZones:
+    Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two.
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 2
+    MaxValue: 4
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for public subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for public subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GWLBName:
+    Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$'
+    Default: gwlb1
+    MaxLength: 32
+    ConstraintDescription: Must be a valid GWLB Name.
+  TargetGroupName:
+    Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$'
+    Default: tg1
+    MaxLength: 32
+    ConstraintDescription: Must be a valid target group name.
+  AcceptConnectionRequired:
+    Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required).
+    Default: "false"
+    AllowedValues: ["true", "false"]
+    Type: String
+    ConstraintDescription: Must be true or false.
+  CrossZoneLoadBalancing:
+    Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R82-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  AllocatePublicAddress:
+    Description: Allocate a Public IP for gateway members.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  IPMode:
+    Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide.
+    Type: String
+    AllowedValues:
+      - IPv4
+      - DualStack
+    Default: IPv4
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R82-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaysPolicy:
+    Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+    Type: String
+    Default: Standard
+    MinLength: 1
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+  IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: !If [IsIPv6Enabled, https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc-ipv6.yaml, https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml]
+      Parameters:
+        AvailabilityZones: !Join [',' , !Ref AvailabilityZones]
+        NumberOfAZs: !Ref NumberOfAZs
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+        CreatePrivateSubnets: false
+  GWLBStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        GatewaysSubnets: !Join
+          - ','
+          - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+            - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+            - !If [ 3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue' ]
+            - !If [ 4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue' ]
+        KeyName: !Ref KeyName
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        AllowUploadDownload: !Ref AllowUploadDownload
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+        AdminEmail: !Ref AdminEmail
+        Shell: !Ref Shell
+        GWLBName: !Ref GWLBName
+        TargetGroupName: !Ref TargetGroupName
+        AcceptConnectionRequired: !Ref AcceptConnectionRequired
+        CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        ManagementDeploy: !Ref ManagementDeploy
+        ManagementInstanceType: !Ref ManagementInstanceType
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        GatewaysPolicy: !Ref GatewaysPolicy
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+        IPMode: !Ref IPMode
+Outputs:
+  VPCID:
+    Description: VPC ID.
+    Value: !GetAtt VPCStack.Outputs.VPCID
+  ManagementPublicAddress:
+    Description: The public address of the management server.
+    Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress
+    Condition: DeployManagement
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name
+    Value: !GetAtt GWLBStack.Outputs.ControllerName
+  GWLBName:
+    Description: Gateway Load Balancer Name.
+    Value: !Ref GWLBName
+  GWLBServiceName:
+    Description: Gateway Load Balancer Service Name.
+    Value: !GetAtt GWLBStack.Outputs.GWLBServiceName
+Rules:
+  GatewayAddressAllocationRule:
+    RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+    Assertions:
+      - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+        Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/gwlb-asg/gwlb.yaml b/china/aws/templates/gwlb-asg/gwlb.yaml
new file mode 100644
index 00000000..664c32b5
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/gwlb.yaml
@@ -0,0 +1,744 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC  (20250617). 
+  See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Network Configuration
+        Parameters:
+          - VPC
+          - GatewaysSubnets
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+          - ManagementServer
+          - ConfigurationTemplate
+          - AdminEmail
+          - Shell
+      - Label:
+          default: Gateway Load Balancer Configuration
+        Parameters:
+          - GWLBName
+          - TargetGroupName
+          - AcceptConnectionRequired
+          - CrossZoneLoadBalancing
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - ControlGatewayOverPrivateOrPublicAddress
+          - AllocatePublicAddress
+          - IPMode
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - GatewaysPolicy
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+    ParameterLabels:
+      VPC:
+        default: VPC
+      GatewaysSubnets:
+        default: Gateways subnets
+      KeyName:
+        default: Key name
+      IPMode:
+        default: IP Configuration Mode
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AdminEmail:
+        default: Email address
+      Shell:
+        default: Admin shell
+      GWLBName:
+        default: Gateway Load Balancer Name
+      TargetGroupName:
+        default: Target Group Name
+      AcceptConnectionRequired:
+        default:  Connection Acceptance Required
+      CrossZoneLoadBalancing:
+        default:  Enable Cross Zone Load Balancing
+      GatewayName:
+        default: Gateways instance name
+      GatewayInstanceType:
+        default: Gateways instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Gateways version & license
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      AllocatePublicAddress:
+        default: Allocate Public IPs
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Management instance type
+      ManagementVersion:
+        default: Management version & license
+      ManagementPasswordHash:
+        default: Management password hash
+      ManagementMaintenancePasswordHash:
+        default:  Management Maintenance Password hash
+      GatewaysPolicy:
+        default: Security Policy
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Manage Gateways
+      GatewaysAddresses:
+        default: Gateways addresses
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: You must select a VPC.
+  GatewaysSubnets:
+    Description: Select at least 2 public subnets in the VPC.
+    Type: List<AWS::EC2::Subnet::Id>
+    MinLength: 2
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GWLBName:
+    Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    Default: gwlb1
+    ConstraintDescription: Must be a valid GWLB Name.
+  TargetGroupName:
+    Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    Default: tg1
+    ConstraintDescription: Must be a valid target group name.
+  AcceptConnectionRequired:
+    Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required).
+    Default: "false"
+    AllowedValues: ["true", "false"]
+    Type: String
+    ConstraintDescription: Must be true or false.
+  CrossZoneLoadBalancing:
+    Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R82-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  AllocatePublicAddress:
+    Description: Allocate a Public IP for gateway members.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  IPMode:
+    Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide.
+    Type: String
+    AllowedValues:
+      - IPv4
+      - DualStack
+    Default: IPv4
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R82-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaysPolicy:
+    Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+    Type: String
+    Default: Standard
+    MinLength: 1
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+  IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+Resources:
+  GatewayLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Type: gateway
+      Name: !Ref GWLBName
+      IpAddressType: !If [IsIPv6Enabled, dualstack, ipv4]
+      LoadBalancerAttributes:
+        - Key: load_balancing.cross_zone.enabled
+          Value: !Ref CrossZoneLoadBalancing
+      Subnets: !Ref GatewaysSubnets
+      Tags:
+        - Key: x-chkp-management
+          Value: !Ref ManagementServer
+        - Key: x-chkp-template
+          Value: !Ref ConfigurationTemplate
+  VpcEndpointService:
+    Type: AWS::EC2::VPCEndpointService
+    Properties:
+      # Due to an issue in AWS CloudFormation, EndpointService deployment does not support IPv6.
+      # This issue will be resolved in the future.
+      AcceptanceRequired: !Ref AcceptConnectionRequired
+      GatewayLoadBalancerArns:
+        - !Ref GatewayLoadBalancer
+  TargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      Name: !Ref TargetGroupName
+      Port: 6081
+      Protocol: GENEVE
+      HealthCheckPort: 8117
+      HealthCheckProtocol: TCP
+      TargetGroupAttributes:
+        - Key: deregistration_delay.timeout_seconds
+          Value: 20
+      VpcId: !Ref VPC
+      TargetType: instance
+      Tags:
+        - Key: Name
+          Value: !Join
+            - ""
+            - - !Ref AWS::StackName
+              - "-tg1"
+  Listener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: !Ref TargetGroup
+      LoadBalancerArn: !Ref GatewayLoadBalancer
+  SecurityGatewaysStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/autoscale-gwlb.yaml
+      Parameters:
+        VPC: !Ref VPC
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        Shell: !Ref Shell
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        MetaDataToken: !Ref MetaDataToken
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        AdminEmail: !Ref AdminEmail
+        GatewaysTargetGroups: !Ref TargetGroup
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        AllowUploadDownload: !Ref AllowUploadDownload
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+        IPMode: !Ref IPMode
+  ManagementStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployManagement
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/management-gwlb.yaml
+      Parameters:
+        VPC: !Ref VPC
+        ManagementSubnet: !Select [0, !Ref GatewaysSubnets]
+        ManagementName: !Ref ManagementServer
+        ManagementInstanceType: !Ref ManagementInstanceType
+        KeyName: !Ref KeyName
+        Shell: !Ref Shell
+        VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, '']
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        ManagementPermissions: Create with read-write permissions
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        AllowUploadDownload: !Ref AllowUploadDownload
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        ManagementBootstrapScript: !Join
+          - ';'
+          - - 'echo -e "\nStarting Bootstrap script\n"'
+            - !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer}'
+            - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+            - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']]
+            - 'controller="gwlb-controller"'
+            - 'echo "Creating CME configuration"'
+            - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam'
+            - 'echo -e "\nFinished Bootstrap script\n"'
+Outputs:
+  VPCID:
+    Description: VPC ID.
+    Value: !Ref VPC
+  ManagementPublicAddress:
+    Description: The public address of the management server.
+    Value: !GetAtt ManagementStack.Outputs.PublicAddress
+    Condition: DeployManagement
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !Ref ConfigurationTemplate
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+    Value: gwlb-controller
+  GWLBName:
+    Description: Gateway Load Balancer Name.
+    Value: !Ref GWLBName
+  GWLBServiceName:
+    Description: Gateway Load Balancer Service Name.
+    Value: !Sub ['cn.com.amazonaws.vpce.${AWS::Region}.${Service}', {Service: !Ref VpcEndpointService}]
+Rules:
+  GatewayAddressAllocationRule:
+    RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] 
+    Assertions:  
+      - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+        Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/gwlb-asg/management-gwlb.yaml b/china/aws/templates/gwlb-asg/management-gwlb.yaml
new file mode 100644
index 00000000..fc824c8b
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/management-gwlb.yaml
@@ -0,0 +1,578 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Management Server (20250617)
+  See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - ManagementSubnet
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - ManagementName
+          - ManagementInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: IAM Permissions (ignored when the installation is not Primary Management
+            Server)
+        Parameters:
+          - ManagementPermissions
+          - ManagementPredefinedRole
+          - ManagementSTSRoles
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - ManagementVersion
+          - Shell
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+      - Label:
+          default: Security Management Server Settings
+        Parameters:
+          - ManagementHostname
+          - PrimaryManagement
+          - ManagementSICKey
+          - AllowUploadDownload
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+          - ManagementBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      ManagementSubnet:
+        default: Management subnet
+      ManagementName:
+        default: Management name
+      ManagementInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      ManagementPermissions:
+        default: IAM role
+      ManagementPredefinedRole:
+        default: Existing IAM role name
+      ManagementSTSRoles:
+        default: STS roles
+      ManagementVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      ManagementPasswordHash:
+        default: Password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      ManagementHostname:
+        default: Management hostname
+      PrimaryManagement:
+        default: Primary management
+      ManagementSICKey:
+        default: SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Gateways management
+      GatewaysAddresses:
+        default: Gateways addresses
+      ManagementBootstrapScript:
+        default: Management bootstrap script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  ManagementSubnet:
+    Description: To access the instance from the internet, make sure the subnet has
+      a route to the internet
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  ManagementName:
+    Description: The Management name tag.
+    Type: String
+    Default: Check-Point-Management
+  ManagementInstanceType:
+    Description: The instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an elastic IP for the Management.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  ManagementPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored
+      if IAM role is not set to 'Use existing'.
+    Type: String
+    Default: ''
+  ManagementSTSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated
+      list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+      existing'.
+    Type: CommaDelimitedList
+    Default: ''
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementHostname:
+    Description: (optional)
+    Type: String
+    Default: mgmt-aws
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  PrimaryManagement:
+    Description: Determines if this is the primary Management Server or not.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementSICKey:
+    Description: >-
+      Mandatory only if deploying a secondary Management Server, the Secure Internal
+      Communication key creates trusted connections between Check Point components.
+      Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    Default: ''
+    AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+    ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise,
+      at least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate
+      with the Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Management.
+      Server
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage
+      are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  ManagementBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+Conditions:
+  EIP: !Equals [!Ref AllocatePublicAddress, true]
+  ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet]
+  ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet]
+  CreateRole: !Or
+    - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)]
+    - !Equals [!Ref ManagementPermissions, Create with read permissions]
+    - !Equals [!Ref ManagementPermissions, Create with read-write permissions]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]]
+  NoSIC: !Equals [!Ref ManagementSICKey, '']
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref ManagementVersion, MGMT]]
+  ManagementReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: EIP
+    Properties: {}
+  ManagementReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      Handle: !Ref ManagementReadyHandle
+      Timeout: 1800
+  ManagementSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Management security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 257
+          ToPort: 257
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 8211
+          ToPort: 8211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18191
+          ToPort: 18191
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18192
+          ToPort: 18192
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18208
+          ToPort: 18208
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18210
+          ToPort: 18210
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18211
+          ToPort: 18211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18221
+          ToPort: 18221
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18264
+          ToPort: 18264
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 18190
+          ToPort: 18190
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 19009
+          ToPort: 19009
+  ManagementRoleStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: CreateRole
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/cme-iam-role-gwlb.yaml
+      Parameters:
+        Permissions: !Ref ManagementPermissions
+        STSRoles: !Join [',', !Ref ManagementSTSRoles]
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: PreRole
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ManagementPredefinedRole
+  ManagementInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: ManagementLaunchTemplate
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref ManagementLaunchTemplate
+        Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref ManagementName
+      NetworkInterfaces:
+        - DeviceIndex: 0
+          AssociatePublicIpAddress: false
+          Description: eth0
+          GroupSet:
+            - !Ref ManagementSecurityGroup
+          DeleteOnTermination: true
+          SubnetId: !Ref ManagementSubnet
+  ManagementLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref ManagementInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ]
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; primary_mgmt=${PrimaryManagement} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary}'
+              - !If [EIP, !Sub '    wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [NoSIC, '    sic=""', !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref ManagementSICKey, ')"']]]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']]
+              - !If [ManageOverInternetAndEIP, '    pub_mgmt=true', '    pub_mgmt=false']
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}]
+              - '    python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"management_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" primary=\"${primary_mgmt}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  PublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: EIP
+    Properties:
+      Domain: vpc
+  AddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      InstanceId: !Ref ManagementInstance
+      AllocationId: !GetAtt PublicAddress.AllocationId
+Outputs:
+  PublicAddress:
+    Condition: EIP
+    Description: The public address of the Management Server.
+    Value: !Ref PublicAddress
+  SSH:
+    Condition: EIP
+    Description: SSH command.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+  URL:
+    Condition: EIP
+    Description: URL to the portal.
+    Value: !Join ['', ['https://', !Ref PublicAddress]]
diff --git a/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
new file mode 100644
index 00000000..d400a5a0
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
@@ -0,0 +1,870 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20250617). 
+  See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+          - TgwSubnet1CIDR
+          - TgwSubnet2CIDR
+          - TgwSubnet3CIDR
+          - TgwSubnet4CIDR
+          - NatGwSubnet1CIDR
+          - NatGwSubnet2CIDR
+          - NatGwSubnet3CIDR
+          - NatGwSubnet4CIDR
+          - GWLBeSubnet1CIDR
+          - GWLBeSubnet2CIDR
+          - GWLBeSubnet3CIDR
+          - GWLBeSubnet4CIDR
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+          - ManagementServer
+          - ConfigurationTemplate
+          - AdminEmail
+          - Shell
+      - Label:
+          default: Gateway Load Balancer Configuration
+        Parameters:
+          - GWLBName
+          - TargetGroupName
+          - CrossZoneLoadBalancing
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - ControlGatewayOverPrivateOrPublicAddress
+          - AllocatePublicAddress
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - GatewaysPolicy
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of AZs
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PublicSubnet3CIDR:
+        default: Public subnet 3 CIDR
+      PublicSubnet4CIDR:
+        default: Public subnet 4 CIDR
+      TgwSubnet1CIDR:
+        default: TGW subnet 1 CIDR
+      TgwSubnet2CIDR:
+        default: TGW subnet 2 CIDR
+      TgwSubnet3CIDR:
+        default: TGW subnet 3 CIDR
+      TgwSubnet4CIDR:
+        default: TGW subnet 4 CIDR
+      NatGwSubnet1CIDR:
+        default: NAT subnet 1 CIDR
+      NatGwSubnet2CIDR:
+        default: NAT subnet 2 CIDR
+      NatGwSubnet3CIDR:
+        default: NAT subnet 3 CIDR
+      NatGwSubnet4CIDR:
+        default: NAT subnet 4 CIDR
+      GWLBeSubnet1CIDR:
+        default: Gateway Load Balancer Endpoint subnet 1 CIDR
+      GWLBeSubnet2CIDR:
+        default: Gateway Load Balancer Endpoint subnet 2 CIDR
+      GWLBeSubnet3CIDR:
+        default: Gateway Load Balancer Endpoint subnet 3 CIDR
+      GWLBeSubnet4CIDR:
+        default: Gateway Load Balancer Endpoint subnet 4 CIDR
+      KeyName:
+        default: Key name
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AdminEmail:
+        default: Email address
+      Shell:
+        default: Admin shell
+      GWLBName:
+        default: Gateway Load Balancer Name
+      TargetGroupName:
+        default: Target Group Name
+      CrossZoneLoadBalancing:
+        default:  Enable Cross Zone Load Balancing
+      GatewayName:
+        default: Gateways instance name
+      GatewayInstanceType:
+        default: Gateways instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Gateways version & license
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      AllocatePublicAddress:
+        default: Allocate Public IPs
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Management instance type
+      ManagementVersion:
+        default: Management version & license
+      ManagementPasswordHash:
+        default: Management password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      GatewaysPolicy:
+        default: Security Policy
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Manage Gateways
+      GatewaysAddresses:
+        default: Gateways addresses
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  AvailabilityZones:
+    Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 2
+    MaxValue: 4
+  VPCCIDR:
+    Description: The CIDR block of the provided VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for public subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for public subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet1CIDR:
+    Description: CIDR block for TGW subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.12.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet2CIDR:
+    Description: CIDR block for TGW subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.22.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet3CIDR:
+    Description: CIDR block for TGW subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.32.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet4CIDR:
+    Description: CIDR block for TGW subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.42.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet1CIDR:
+    Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.13.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet2CIDR:
+    Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.23.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet3CIDR:
+    Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.33.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet4CIDR:
+    Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.43.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet1CIDR:
+    Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.14.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet2CIDR:
+    Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.24.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet3CIDR:
+    Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.34.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet4CIDR:
+    Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.44.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GWLBName:
+    Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$'
+    Default: gwlb1
+    MaxLength: 32
+    ConstraintDescription: Must be a valid GWLB Name
+  TargetGroupName:
+    Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$'
+    Default: tg1
+    MaxLength: 32
+    ConstraintDescription: Must be a valid target group name.
+  CrossZoneLoadBalancing:
+    Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  AllocatePublicAddress:
+    Description: Allocate a Public IP for gateway members.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaysPolicy:
+    Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+    Type: String
+    Default: Standard
+    MinLength: 1
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: !Ref NumberOfAZs
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+        CreatePrivateSubnets: false
+        CreateAttachmentSubnets: true
+        AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR
+        AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR
+        AttachmentSubnet3CIDR: !Ref TgwSubnet3CIDR
+        AttachmentSubnet4CIDR: !Ref TgwSubnet4CIDR
+  TgwGwlbStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        IGWID: !GetAtt VPCStack.Outputs.IGWID
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: !Ref NumberOfAZs
+        GatewaysSubnets: !Join
+          - ','
+          - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+            - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+            - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+            - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+        TgwSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+        TgwSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+        TgwSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""]
+        TgwSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""]
+        NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR
+        NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR
+        NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR
+        NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR
+        GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR
+        GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR
+        GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR
+        GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR
+        KeyName: !Ref KeyName
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        AllowUploadDownload: !Ref AllowUploadDownload
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+        AdminEmail: !Ref AdminEmail
+        Shell: !Ref Shell
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        GWLBName: !Ref GWLBName
+        TargetGroupName: !Ref TargetGroupName
+        CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+        ManagementDeploy: !Ref ManagementDeploy
+        ManagementInstanceType: !Ref ManagementInstanceType
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        GatewaysPolicy: !Ref GatewaysPolicy
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+  VPCID:
+    Description: VPC ID.
+    Value: !GetAtt VPCStack.Outputs.VPCID
+  ManagementPublicAddress:
+    Description: The public address of the management server.
+    Value: !GetAtt TgwGwlbStack.Outputs.ManagementPublicAddress
+    Condition: DeployManagement
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !GetAtt TgwGwlbStack.Outputs.ConfigurationTemplateName
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+    Value: !GetAtt TgwGwlbStack.Outputs.ControllerName
+  GWLBName:
+    Description: Gateway Load Balancer Name.
+    Value: !Ref GWLBName
+  GWLBServiceName:
+    Description: Gateway Load Balancer Service Name.
+    Value: !GetAtt TgwGwlbStack.Outputs.GWLBServiceName
+  TgwSubnet1ID:
+    Description: TGW subnet 1 ID in Availability Zone 1.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+  TgwSubnet2ID:
+    Description: TGW subnet 2 ID in Availability Zone 2.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+  TgwSubnet3ID:
+    Description: TGW subnet 3 ID in Availability Zone 3.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID
+    Condition: 3AZs
+  TgwSubnet4ID:
+    Description: TGW subnet 4 ID in Availability Zone 4.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID
+    Condition: 4AZs
+  TgwSubnet1CIDR:
+    Description: TGW subnet 1 CIDR in Availability Zone 1.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR
+  TgwSubnet2CIDR:
+    Description: TGW subnet 2 CIDR in Availability Zone 2.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR
+  TgwSubnet3CIDR:
+    Description: TGW subnet 3 CIDR in Availability Zone 3.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR
+    Condition: 3AZs
+  TgwSubnet4CIDR:
+    Description: TGW subnet 4 CIDR in Availability Zone 4.
+    Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR
+    Condition: 4AZs
+Rules:
+  GatewayAddressAllocationRule:
+    RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+    Assertions:
+      - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+        Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/gwlb-asg/tgw-gwlb.yaml b/china/aws/templates/gwlb-asg/tgw-gwlb.yaml
new file mode 100644
index 00000000..10ab39d3
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/tgw-gwlb.yaml
@@ -0,0 +1,1218 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20250617). 
+  See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - IGWID
+          - AvailabilityZones
+          - NumberOfAZs
+          - GatewaysSubnets
+          - TgwSubnet1Id
+          - TgwSubnet2Id
+          - TgwSubnet3Id
+          - TgwSubnet4Id
+          - NatGwSubnet1CIDR
+          - NatGwSubnet2CIDR
+          - NatGwSubnet3CIDR
+          - NatGwSubnet4CIDR
+          - GWLBeSubnet1CIDR
+          - GWLBeSubnet2CIDR
+          - GWLBeSubnet3CIDR
+          - GWLBeSubnet4CIDR
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+          - ManagementServer
+          - ConfigurationTemplate
+          - AdminEmail
+          - Shell
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - ControlGatewayOverPrivateOrPublicAddress
+          - AllocatePublicAddress
+          - CloudWatch
+          - GatewayBootstrapScript
+      - Label:
+          default: Gateway Load Balancer Configuration
+        Parameters:
+          - GWLBName
+          - TargetGroupName
+          - CrossZoneLoadBalancing
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - GatewaysPolicy
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+    ParameterLabels:
+      VPC:
+        default: VPC
+      IGWID:
+        default: Internet Gateway ID
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of AZs
+      GatewaysSubnets:
+        default: Gateways subnets
+      TgwSubnet1Id:
+        default: Transit Gateway Attachment subnet 1 Id
+      TgwSubnet2Id:
+        default: Transit Gateway Attachment subnet 2 Id
+      TgwSubnet3Id:
+        default: Transit Gateway Attachment subnet 3 Id
+      TgwSubnet4Id:
+        default: Transit Gateway Attachment subnet 4 Id
+      NatGwSubnet1CIDR:
+        default: NAT subnet 1 CIDR
+      NatGwSubnet2CIDR:
+        default: NAT subnet 2 CIDR
+      NatGwSubnet3CIDR:
+        default: NAT subnet 3 CIDR
+      NatGwSubnet4CIDR:
+        default: NAT subnet 4 CIDR
+      GWLBeSubnet1CIDR:
+        default: Gateway Load Balancer Endpoint subnet 1 CIDR
+      GWLBeSubnet2CIDR:
+        default: Gateway Load Balancer Endpoint subnet 2 CIDR
+      GWLBeSubnet3CIDR:
+        default: Gateway Load Balancer Endpoint subnet 3 CIDR
+      GWLBeSubnet4CIDR:
+        default: Gateway Load Balancer Endpoint subnet 4 CIDR
+      KeyName:
+        default: Key name
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AdminEmail:
+        default: Email address
+      Shell:
+        default: Admin shell
+      GatewayName:
+        default: Gateways instance name
+      GatewayInstanceType:
+        default: Gateways instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Gateways version & license
+      GatewayPasswordHash:
+        default: Gateways Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: Gateways SIC key
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      AllocatePublicAddress:
+        default: Allocate Public IPs
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Gateways bootstrap script
+      GWLBName:
+        default: Gateway Load Balancer Name
+      TargetGroupName:
+        default: Target Group Name
+      CrossZoneLoadBalancing:
+        default:  Enable Cross Zone Load Balancing
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Management instance type
+      ManagementVersion:
+        default: Management version & license
+      ManagementPasswordHash:
+        default: Management password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      GatewaysPolicy:
+        default: Security Policy
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Manage Gateways
+      GatewaysAddresses:
+        default: Gateways addresses
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: You must select a VPC.
+  IGWID:
+    Description: VPC's Internet Gateway Id (e.g. igw-123a4567).
+    Type: String
+    MinLength: 1
+    ConstraintDescription: You must insert an Internet Gateway Id.
+  AvailabilityZones:
+    Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 2
+    MaxValue: 4
+  GatewaysSubnets:
+    Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet.
+    Type: List<AWS::EC2::Subnet::Id>
+    MinLength: 2
+  TgwSubnet1Id:
+    Description: The TGW attachment subnet ID located in the 1st Availability Zone.
+    Type: String
+    MinLength: 1
+    ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 1.
+  TgwSubnet2Id:
+    Description: The TGW attachment subnet ID located in the 2nd Availability Zone.
+    Type: String
+    MinLength: 1
+    ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 2.
+  TgwSubnet3Id:
+    Description: The TGW attachment subnet ID located in the 3rd Availability Zone.
+    Type: String
+  TgwSubnet4Id:
+    Description: The TGW attachment subnet ID located in the 4th Availability Zone.
+    Type: String
+  NatGwSubnet1CIDR:
+    Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.13.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet2CIDR:
+    Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.23.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet3CIDR:
+    Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.33.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  NatGwSubnet4CIDR:
+    Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.43.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet1CIDR:
+    Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.14.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet2CIDR:
+    Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.24.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet3CIDR:
+    Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.34.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GWLBeSubnet4CIDR:
+    Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.44.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: gwlb-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type.
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  AllocatePublicAddress:
+    Description: Allocate a Public IP for gateway members.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  GWLBName:
+    Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    Default: gwlb1
+    ConstraintDescription: Must be a valid GWLB Name
+  TargetGroupName:
+    Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+    Type: String
+    Default: tg1
+    ConstraintDescription: Must be a valid target group name.
+  CrossZoneLoadBalancing:
+    Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type.
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaysPolicy:
+    Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+    Type: String
+    Default: Standard
+    MinLength: 1
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  GWLBeSubnet1:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref GWLBeSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: GWLBe subnet 1
+        - Key: Network
+          Value: Private
+  GWLBeSubnet2:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref GWLBeSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: GWLBe subnet 2
+        - Key: Network
+          Value: Private
+  GWLBeSubnet3:
+    Type: AWS::EC2::Subnet
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref GWLBeSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: GWLBe subnet 3
+        - Key: Network
+          Value: Private
+  GWLBeSubnet4:
+    Type: AWS::EC2::Subnet
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref GWLBeSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: GWLBe subnet 4
+        - Key: Network
+          Value: Private
+  GWLBeSubnet1RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: GWLBe Subnet 1 Route Table
+        - Key: Network
+          Value: Private
+  GWLBeSubnet1NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway1
+      RouteTableId: !Ref GWLBeSubnet1RouteTable
+  GWLBeSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref GWLBeSubnet1RouteTable
+      SubnetId: !Ref GWLBeSubnet1
+  GWLBeSubnet2RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: GWLBe Subnet 2 Route Table
+        - Key: Network
+          Value: Private
+  GWLBeSubnet2NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway2
+      RouteTableId: !Ref GWLBeSubnet2RouteTable
+  GWLBeSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref GWLBeSubnet2RouteTable
+      SubnetId: !Ref GWLBeSubnet2
+  GWLBeSubnet3RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: GWLBe Subnet 3 Route Table
+        - Key: Network
+          Value: Private
+  GWLBeSubnet3NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 3AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway3
+      RouteTableId: !Ref GWLBeSubnet3RouteTable
+  GWLBeSubnet3RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 3AZs
+    Properties:
+      RouteTableId: !Ref GWLBeSubnet3RouteTable
+      SubnetId: !Ref GWLBeSubnet3
+  GWLBeSubnet4RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: GWLBe Subnet 4 Route Table
+        - Key: Network
+          Value: Private
+  GWLBeSubnet4NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 4AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway4
+      RouteTableId: !Ref GWLBeSubnet4RouteTable
+  GWLBeSubnet4RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 4AZs
+    Properties:
+      RouteTableId: !Ref GWLBeSubnet4RouteTable
+      SubnetId: !Ref GWLBeSubnet4
+  NatGwSubnet1:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref NatGwSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: NAT subnet 1
+        - Key: Network
+          Value: Private
+  NatGwSubnet2:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref NatGwSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: NAT subnet 2
+        - Key: Network
+          Value: Private
+  NatGwSubnet3:
+    Type: AWS::EC2::Subnet
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref NatGwSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: NAT subnet 3
+        - Key: Network
+          Value: Private
+  NatGwSubnet4:
+    Type: AWS::EC2::Subnet
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref NatGwSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: NAT subnet 4
+        - Key: Network
+          Value: Private
+  NatGwSubnet1RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: NAT Subnet 1 Route Table
+        - Key: Network
+          Value: Public
+  NatGwSubnet1NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref IGWID
+      RouteTableId: !Ref NatGwSubnet1RouteTable
+  NatGwSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref NatGwSubnet1RouteTable
+      SubnetId: !Ref NatGwSubnet1
+  NatGwSubnet2RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: NAT Subnet 2 Route Table
+        - Key: Network
+          Value: Public
+  NatGwSubnet2NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref IGWID
+      RouteTableId: !Ref NatGwSubnet2RouteTable
+  NatGwSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref NatGwSubnet2RouteTable
+      SubnetId: !Ref NatGwSubnet2
+  NatGwSubnet3RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: NAT Subnet 3 Route Table
+        - Key: Network
+          Value: Public
+  NatGwSubnet3NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 3AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref IGWID
+      RouteTableId: !Ref NatGwSubnet3RouteTable
+  NatGwSubnet3RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 3AZs
+    Properties:
+      RouteTableId: !Ref NatGwSubnet3RouteTable
+      SubnetId: !Ref NatGwSubnet3
+  NatGwSubnet4RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: NAT Subnet 4 Route Table
+        - Key: Network
+          Value: Public
+  NatGwSubnet4NatGwDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 4AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref IGWID
+      RouteTableId: !Ref NatGwSubnet4RouteTable
+  NatGwSubnet4RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 4AZs
+    Properties:
+      RouteTableId: !Ref NatGwSubnet4RouteTable
+      SubnetId: !Ref NatGwSubnet4
+  GWLBStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml
+      Parameters:
+        VPC: !Ref VPC
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
+        KeyName: !Ref KeyName
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        AllowUploadDownload: !Ref AllowUploadDownload
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+        AdminEmail: !Ref AdminEmail
+        Shell: !Ref Shell
+        GWLBName: !Ref GWLBName
+        TargetGroupName: !Ref TargetGroupName
+        AcceptConnectionRequired: false
+        CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        ManagementDeploy: !Ref ManagementDeploy
+        ManagementInstanceType: !Ref ManagementInstanceType
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        GatewaysPolicy: !Ref GatewaysPolicy
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+  GWLBe1:
+    DependsOn: [GWLBStack, GWLBeSubnet1]
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      VpcId: !Ref VPC
+      VpcEndpointType: GatewayLoadBalancer
+      SubnetIds:
+        - !Ref GWLBeSubnet1
+      ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName
+  GWLBe2:
+    DependsOn: [GWLBStack, GWLBeSubnet2]
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      VpcId: !Ref VPC
+      VpcEndpointType: GatewayLoadBalancer
+      SubnetIds:
+        - !Ref GWLBeSubnet2
+      ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName
+  GWLBe3:
+    DependsOn: [GWLBStack, GWLBeSubnet3]
+    Type: AWS::EC2::VPCEndpoint
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      VpcEndpointType: GatewayLoadBalancer
+      SubnetIds:
+        - !Ref GWLBeSubnet3
+      ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName
+  GWLBe4:
+    DependsOn: [GWLBStack, GWLBeSubnet4]
+    Type: AWS::EC2::VPCEndpoint
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      VpcEndpointType: GatewayLoadBalancer
+      SubnetIds:
+        - !Ref GWLBeSubnet4
+      ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName
+  TGWAttachmentSubnet1RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Attachment Subnet 1 Route Table
+        - Key: Network
+          Value: Private
+  TGWAttachmentSubnet1GWLBeDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      VpcEndpointId: !Ref GWLBe1
+      RouteTableId: !Ref TGWAttachmentSubnet1RouteTable
+  TGWAttachmentSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref TGWAttachmentSubnet1RouteTable
+      SubnetId: !Ref TgwSubnet1Id
+  TGWAttachmentSubnet2RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Attachment Subnet 2 Route Table
+        - Key: Network
+          Value: Private
+  TGWAttachmentSubnet2GWLBeDefaultRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      VpcEndpointId: !Ref GWLBe2
+      RouteTableId: !Ref TGWAttachmentSubnet2RouteTable
+  TGWAttachmentSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref TGWAttachmentSubnet2RouteTable
+      SubnetId: !Ref TgwSubnet2Id
+  TGWAttachmentSubnet3RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 3AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Attachment Subnet 3 Route Table
+        - Key: Network
+          Value: Private
+  TGWAttachmentSubnet3GWLBeDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 3AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      VpcEndpointId: !Ref GWLBe3
+      RouteTableId: !Ref TGWAttachmentSubnet3RouteTable
+  TGWAttachmentSubnet3RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 3AZs
+    Properties:
+      RouteTableId: !Ref TGWAttachmentSubnet3RouteTable
+      SubnetId: !Ref TgwSubnet3Id
+  TGWAttachmentSubnet4RouteTable:
+    Type: AWS::EC2::RouteTable
+    Condition: 4AZs
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Attachment Subnet 4 Route Table
+        - Key: Network
+          Value: Private
+  TGWAttachmentSubnet4GWLBeDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: 4AZs
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      VpcEndpointId: !Ref GWLBe4
+      RouteTableId: !Ref TGWAttachmentSubnet4RouteTable
+  TGWAttachmentSubnet4RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 4AZs
+    Properties:
+      RouteTableId: !Ref TGWAttachmentSubnet4RouteTable
+      SubnetId: !Ref TgwSubnet4Id
+  NatGwPublicAddress1:
+    Type: AWS::EC2::EIP
+    Properties:
+      Domain: vpc
+  NatGwPublicAddress2:
+    Type: AWS::EC2::EIP
+    Properties:
+      Domain: vpc
+  NatGwPublicAddress3:
+    Type: AWS::EC2::EIP
+    Condition: 3AZs
+    Properties:
+      Domain: vpc
+  NatGwPublicAddress4:
+    Type: AWS::EC2::EIP
+    Condition: 4AZs
+    Properties:
+      Domain: vpc
+  NatGateway1:
+    DependsOn: [GWLBStack, NatGwSubnet1]
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId: !GetAtt NatGwPublicAddress1.AllocationId
+      SubnetId: !Ref NatGwSubnet1
+      Tags:
+        - Key: Name
+          Value: NatGW1
+  NatGateway2:
+    DependsOn: [GWLBStack, NatGwSubnet2]
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId: !GetAtt NatGwPublicAddress2.AllocationId
+      SubnetId: !Ref NatGwSubnet2
+      Tags:
+        - Key: Name
+          Value: NatGW2
+  NatGateway3:
+    DependsOn: [GWLBStack, NatGwSubnet3]
+    Type: AWS::EC2::NatGateway
+    Condition: 3AZs
+    Properties:
+      AllocationId: !GetAtt NatGwPublicAddress3.AllocationId
+      SubnetId: !Ref NatGwSubnet3
+      Tags:
+        - Key: Name
+          Value: NatGW3
+  NatGateway4:
+    DependsOn: [GWLBStack, NatGwSubnet4]
+    Type: AWS::EC2::NatGateway
+    Condition: 4AZs
+    Properties:
+      AllocationId: !GetAtt NatGwPublicAddress4.AllocationId
+      SubnetId: !Ref NatGwSubnet4
+      Tags:
+        - Key: Name
+          Value: NatGW4
+Outputs:
+  ManagementPublicAddress:
+    Description: The public address of the management server.
+    Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress
+    Condition: DeployManagement
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+    Value: !GetAtt GWLBStack.Outputs.ControllerName
+  GWLBName:
+    Description: Gateway Load Balancer Name.
+    Value: !Ref GWLBName
+  GWLBServiceName:
+    Description: Gateway Load Balancer Service Name.
+    Value: !GetAtt GWLBStack.Outputs.GWLBServiceName
+Rules:
+  GatewayAddressAllocationRule:
+    RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] 
+    Assertions:  
+      - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+        Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/launch.png b/china/aws/templates/launch.png
new file mode 100644
index 00000000..b16d779c
Binary files /dev/null and b/china/aws/templates/launch.png differ
diff --git a/china/aws/templates/management/README.md b/china/aws/templates/management/README.md
new file mode 100644
index 00000000..e8ffc710
--- /dev/null
+++ b/china/aws/templates/management/README.md
@@ -0,0 +1,35 @@
+
+## Security Management Server
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td width="40%">
+                Deploys and configures a Security Management Server.<br/><br/>For more details, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372">sk130372</a>.
+            </td>
+            <td width="40%">Deploys a Security Management Server into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/management.yaml&stackName=Check-Point-Management"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+## Revision History
+In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
+
+| Template Version | Description                                                                                                   |
+|------------------|---------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version deprecation.                                                  |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                               |
+| 20230923         | Add support for C5d instance type                                                                             | 
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname |
+| 20221123         | Templates version 20221120 and above support R81.20                                                           |
+| 20220606         | New instance type support                                                                                     |
+| 20210329         | Stability fixes                                                                                               |
+| 20210309         | First release of Check Point Security Management Server Terraform module for AWS                              |
diff --git a/china/aws/templates/management/management-master.yaml b/china/aws/templates/management/management-master.yaml
new file mode 100755
index 00000000..d0d5403e
--- /dev/null
+++ b/china/aws/templates/management/management-master.yaml
@@ -0,0 +1,601 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Management Server into a new VPC (20250617)
+  See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZone
+          - VPCCIDR
+          - PublicSubnet1CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - ManagementName
+          - ManagementInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: IAM Permissions (ignored when the installation is not Primary Management
+            Server)
+        Parameters:
+          - ManagementPermissions
+          - ManagementPredefinedRole
+          - ManagementSTSRoles
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - ManagementVersion
+          - Shell
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+      - Label:
+          default: Security Management Server Settings
+        Parameters:
+          - ManagementHostname
+          - ManagementInstallationType
+          - SICKey
+          - AllowUploadDownload
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+          - ManagementBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZone:
+        default: Availability zone
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Management subnet CIDR
+      ManagementName:
+        default: Management name
+      ManagementInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      ManagementPermissions:
+        default: IAM role
+      ManagementPredefinedRole:
+        default: Existing IAM role name
+      ManagementSTSRoles:
+        default: STS roles
+      ManagementVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      ManagementPasswordHash:
+        default: Password hash
+      ManagementMaintenancePasswordHash:
+        default:  Management Maintenance Password hash
+      ManagementHostname:
+        default: Management hostname
+      ManagementInstallationType:
+        default: Management installation type
+      SICKey:
+        default: SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Gateways management
+      GatewaysAddresses:
+        default: Gateways addresses
+      ManagementBootstrapScript:
+        default: Management bootstrap script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZone:
+    Description: The availability zone in which to deploy the instance.
+    Type: AWS::EC2::AvailabilityZone::Name
+    MinLength: 1
+  VPCCIDR:
+    Description: The CIDR block of the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: The CIDR block of the management subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  ManagementName:
+    Description: The Management name tag.
+    Type: String
+    Default: Check-Point-Management
+  ManagementInstanceType:
+    Description: The instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an elastic IP for the Management.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  ManagementPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored.
+      if IAM role is not set to 'Use existing'
+    Type: String
+    Default: ''
+  ManagementSTSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated
+      list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+      existing'.
+    Type: CommaDelimitedList
+    Default: ''
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: mgmt-aws
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  ManagementInstallationType:
+    Description: Determines the Management Server installation type.
+    Type: String
+    Default: Primary management
+    AllowedValues:
+      - Primary management
+      - Secondary management
+      - Log Server
+  SICKey:
+    Description: >-
+      Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal
+      Communication key creates trusted connections between Check Point components.
+      Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    Default: ''
+    AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+    ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise,
+      at least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate
+      with the Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Management
+      Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage
+      are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  ManagementBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+Conditions:
+  EIP: !Equals [!Ref AllocatePublicAddress, true]
+  ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet]
+  ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet]
+  CreateRole: !Or
+    - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)]
+    - !Equals [!Ref ManagementPermissions, Create with read permissions]
+    - !Equals [!Ref ManagementPermissions, Create with read-write permissions]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]]
+  NoSIC: !Equals [!Ref SICKey, '']
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Ref AvailabilityZone
+        NumberOfAZs: 1
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        CreatePrivateSubnets: false
+        CreateAttachmentSubnets: false
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref ManagementVersion, MGMT]]
+  ManagementReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: EIP
+    Properties: {}
+  ManagementReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      Handle: !Ref ManagementReadyHandle
+      Timeout: 1800
+  ManagementSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Management security group
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      SecurityGroupIngress:
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 257
+          ToPort: 257
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 8211
+          ToPort: 8211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18191
+          ToPort: 18191
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18192
+          ToPort: 18192
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18208
+          ToPort: 18208
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18210
+          ToPort: 18210
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18211
+          ToPort: 18211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18221
+          ToPort: 18221
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18264
+          ToPort: 18264
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 18190
+          ToPort: 18190
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 19009
+          ToPort: 19009
+  ManagementRoleStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: CreateRole
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml
+      Parameters:
+        Permissions: !Ref ManagementPermissions
+        STSRoles: !Join [',', !Ref ManagementSTSRoles]
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: PreRole
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ManagementPredefinedRole
+  ManagementInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: ManagementLaunchTemplate
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref ManagementLaunchTemplate
+        Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref ManagementName
+      NetworkInterfaces:
+        - DeviceIndex: 0
+          AssociatePublicIpAddress: false
+          Description: eth0
+          GroupSet:
+            - !Ref ManagementSecurityGroup
+          DeleteOnTermination: true
+          SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+  ManagementLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref ManagementInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ]
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}'''
+              - !If [EIP, !Sub '    wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [NoSIC, '    sic=""', !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]]
+              - !If [ManageOverInternetAndEIP, '    pub_mgmt=true', '    pub_mgmt=false']
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}]
+              - '    python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  PublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: EIP
+    Properties:
+      Domain: vpc
+  AddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      InstanceId: !Ref ManagementInstance
+      AllocationId: !GetAtt PublicAddress.AllocationId
+Outputs:
+  PublicAddress:
+    Condition: EIP
+    Description: The public address of the Management Server.
+    Value: !Ref PublicAddress
+  SSH:
+    Condition: EIP
+    Description: SSH command.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+  URL:
+    Condition: EIP
+    Description: URL to the portal.
+    Value: !Join ['', ['https://', !Ref PublicAddress]]
diff --git a/china/aws/templates/management/management.yaml b/china/aws/templates/management/management.yaml
new file mode 100644
index 00000000..0e787a9d
--- /dev/null
+++ b/china/aws/templates/management/management.yaml
@@ -0,0 +1,580 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Management Server into an existing VPC (20250617)
+  See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - ManagementSubnet
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - ManagementName
+          - ManagementInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: IAM Permissions (ignored when the installation is not Primary Management
+            Server)
+        Parameters:
+          - ManagementPermissions
+          - ManagementPredefinedRole
+          - ManagementSTSRoles
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - ManagementVersion
+          - Shell
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+      - Label:
+          default: Security Management Server Settings
+        Parameters:
+          - ManagementHostname
+          - ManagementInstallationType
+          - SICKey
+          - AllowUploadDownload
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+          - ManagementBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      ManagementSubnet:
+        default: Management subnet
+      ManagementName:
+        default: Management name
+      ManagementInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      ManagementPermissions:
+        default: IAM role
+      ManagementPredefinedRole:
+        default: Existing IAM role name
+      ManagementSTSRoles:
+        default: STS roles
+      ManagementVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      ManagementPasswordHash:
+        default: Password hash
+      ManagementMaintenancePasswordHash:
+        default:  Management Maintenance Password hash
+      ManagementHostname:
+        default: Management hostname
+      ManagementInstallationType:
+        default: Management installation type
+      SICKey:
+        default: SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Gateways management
+      GatewaysAddresses:
+        default: Gateways addresses
+      ManagementBootstrapScript:
+        default: Management bootstrap script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  ManagementSubnet:
+    Description: To access the instance from the internet, make sure the subnet has
+      a route to the internet.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  ManagementName:
+    Description: The Management name tag.
+    Type: String
+    Default: Check-Point-Management
+  ManagementInstanceType:
+    Description: The instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an elastic IP for the Management.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  ManagementPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored.
+      if IAM role is not set to 'Use existing'
+    Type: String
+    Default: ''
+  ManagementSTSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated
+      list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+      existing'.
+    Type: CommaDelimitedList
+    Default: ''
+  ManagementVersion:
+    Description: The license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: mgmt-aws
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  ManagementInstallationType:
+    Description: Determines the Management Server installation type.
+    Type: String
+    Default: Primary management
+    AllowedValues:
+      - Primary management
+      - Secondary management
+      - Log Server
+  SICKey:
+    Description: >-
+      Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal
+      Communication key creates trusted connections between Check Point components.
+      Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    Default: ''
+    AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+    ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise,
+      at least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate
+      with the Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Management
+      Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage
+      are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  ManagementBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+Conditions:
+  EIP: !Equals [!Ref AllocatePublicAddress, true]
+  ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet]
+  ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet]
+  CreateRole: !Or
+    - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)]
+    - !Equals [!Ref ManagementPermissions, Create with read permissions]
+    - !Equals [!Ref ManagementPermissions, Create with read-write permissions]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]]
+  NoSIC: !Equals [!Ref SICKey, '']
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref ManagementVersion, MGMT]]
+  ManagementReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: EIP
+    Properties: {}
+  ManagementReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      Handle: !Ref ManagementReadyHandle
+      Timeout: 1800
+  ManagementSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Management security group
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 257
+          ToPort: 257
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 8211
+          ToPort: 8211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18191
+          ToPort: 18191
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18192
+          ToPort: 18192
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18208
+          ToPort: 18208
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18210
+          ToPort: 18210
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18211
+          ToPort: 18211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18221
+          ToPort: 18221
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18264
+          ToPort: 18264
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 18190
+          ToPort: 18190
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 19009
+          ToPort: 19009
+  ManagementRoleStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: CreateRole
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml
+      Parameters:
+        Permissions: !Ref ManagementPermissions
+        STSRoles: !Join [',', !Ref ManagementSTSRoles]
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: PreRole
+    Properties:
+      Path: /
+      Roles:
+        - !Ref ManagementPredefinedRole
+  ManagementInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: ManagementLaunchTemplate
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref ManagementLaunchTemplate
+        Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref ManagementName
+      NetworkInterfaces:
+        - DeviceIndex: 0
+          AssociatePublicIpAddress: false
+          Description: eth0
+          GroupSet:
+            - !Ref ManagementSecurityGroup
+          DeleteOnTermination: true
+          SubnetId: !Ref ManagementSubnet
+  ManagementLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref ManagementInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ]
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}'''
+              - !If [EIP, !Sub '    wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue']
+              - !If [NoSIC, '    sic=""', !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]]
+              - !If [ManageOverInternetAndEIP, '    pub_mgmt=true', '    pub_mgmt=false']
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}]
+              - '    python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  PublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: EIP
+    Properties:
+      Domain: vpc
+  AddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: EIP
+    DependsOn: ManagementInstance
+    Properties:
+      InstanceId: !Ref ManagementInstance
+      AllocationId: !GetAtt PublicAddress.AllocationId
+Outputs:
+  PublicAddress:
+    Condition: EIP
+    Description: The public address of the Management Server.
+    Value: !Ref PublicAddress
+  SSH:
+    Condition: EIP
+    Description: SSH command.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+  URL:
+    Condition: EIP
+    Description: URL to the portal.
+    Value: !Join ['', ['https://', !Ref PublicAddress]]
diff --git a/china/aws/templates/mds/README.md b/china/aws/templates/mds/README.md
new file mode 100644
index 00000000..a4119680
--- /dev/null
+++ b/china/aws/templates/mds/README.md
@@ -0,0 +1,21 @@
+## Multi-Domain Management Server
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td width="40%">
+           Deploys and configures a Multi-Domain Security Management Server. <br/><br/> For more details, refer to <a href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143213">sk143213</a>.
+            </td>
+            <td width="40%">Deploys a Multi-Domain Security Management Server into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/mds.yaml&stackName=Check-Point-MDS"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
diff --git a/china/aws/templates/mds/mds-master.yaml b/china/aws/templates/mds/mds-master.yaml
new file mode 100755
index 00000000..f29d5f9b
--- /dev/null
+++ b/china/aws/templates/mds/mds-master.yaml
@@ -0,0 +1,573 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: |
+  Deploys a Check Point Multi-Domain Server into a new VPC (20250617)
+  See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZone
+          - VPCCIDR
+          - PublicSubnet1CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - MDSName
+          - MDSInstanceType
+          - KeyName
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: IAM Permissions (ignored when the installation type is not Primary
+            Multi-Domain Server)
+        Parameters:
+          - MDSPermissions
+          - MDSPredefinedRole
+          - MDSSTSRoles
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - MDSVersion
+          - Shell
+          - MDSPasswordHash
+          - MDSMaintenancePasswordHash
+      - Label:
+          default: Multi-Domain Server Settings
+        Parameters:
+          - MDSHostname
+          - MDSInstallationType
+          - MDSSICKey
+          - AllowUploadDownload
+          - AdminCIDR
+          - GatewaysAddresses
+          - MDSBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZone:
+        default: Availability zone
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: MDS subnet CIDR
+      MDSName:
+        default: MDS name
+      MDSInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      MDSPermissions:
+        default: IAM role
+      MDSPredefinedRole:
+        default: Existing IAM role name
+      MDSSTSRoles:
+        default: STS roles
+      MDSVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      MDSPasswordHash:
+        default: Password hash
+      MDSMaintenancePasswordHash:
+        default: MDS Maintenance Password hash
+      MDSHostname:
+        default: MDS hostname
+      MDSInstallationType:
+        default: MDS installation type
+      MDSSICKey:
+        default: SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      AdminCIDR:
+        default: Administrator addresses
+      GatewaysAddresses:
+        default: Gateways addresses
+      MDSBootstrapScript:
+        default: MDS Bootstrap script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZone:
+    Description: The availability zone in which to deploy the instance.
+    Type: AWS::EC2::AvailabilityZone::Name
+    MinLength: 1
+  VPCCIDR:
+    Description: The CIDR block of the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: The CIDR block of the management subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  MDSName:
+    Description: The MDS name tag.
+    Type: String
+    Default: Check-Point-MDS
+  MDSInstanceType:
+    Description: The instance type of the Multi-Domain Server.
+    Type: String
+    Default: m5.2xlarge
+    AllowedValues:
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+      - r7a.xlarge
+      - r7a.2xlarge
+      - r7a.4xlarge
+      - r7a.8xlarge
+      - r7a.12xlarge
+      - r7a.16xlarge
+      - r7a.24xlarge
+      - r7a.32xlarge
+      - r7a.48xlarge
+      - c7i-flex.xlarge
+      - c7i-flex.2xlarge
+      - c7i-flex.4xlarge
+      - c7i-flex.8xlarge
+      - m7a.xlarge
+      - m7a.2xlarge
+      - m7a.4xlarge
+      - m7a.8xlarge
+      - m7a.12xlarge
+      - m7a.16xlarge
+      - m7a.24xlarge
+      - m7a.32xlarge
+      - m7a.48xlarge
+      - c7i.xlarge
+      - c7i.2xlarge
+      - c7i.4xlarge
+      - c7i.8xlarge
+      - c7i.12xlarge
+      - c7i.16xlarge
+      - c7i.24xlarge
+      - c7i.32xlarge
+      - c7i.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  MDSPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  MDSPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored
+      if IAM role is not set to 'Use existing'.
+    Type: String
+    Default: ''
+  MDSSTSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated
+      list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+      existing'.
+    Type: CommaDelimitedList
+    Default: ''
+  MDSVersion:
+    Description: The license to install on the Multi-Domain Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  MDSPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  MDSMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  MDSHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: mds-aws
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  MDSInstallationType:
+    Description: Determines the Multi-Domain Server installation type.
+    Type: String
+    Default: Primary Multi-Domain Server
+    AllowedValues:
+      - Primary Multi-Domain Server
+      - Secondary Multi-Domain Server
+      - Multi-Domain Log Server
+  MDSSICKey:
+    Description: >-
+      Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server,
+      the Secure Internal Communication key creates trusted connections between Check
+      Point components. Choose a random string consisting of at least 8 alphanumeric
+      characters.
+    Type: String
+    Default: ''
+    AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+    ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server.
+      Otherwise, at least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate
+      with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or <IP>/32 (specific address)
+    Type: String
+    AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$'
+    ConstraintDescription: Administrator address must be either 0.0.0.0/0 or <IP>/32
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Multi-Domain.
+      Server
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  MDSBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: '0.pool.ntp.org'
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+Conditions:
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  CreateRole: !And
+    - !Or
+      - !Condition PrimaryMDS
+      - !Condition SecondaryMDS
+    - !Or
+      - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)]
+      - !Equals [!Ref MDSPermissions, Create with read permissions]
+      - !Equals [!Ref MDSPermissions, Create with read-write permissions]
+  UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]]
+  PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server]
+  SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server]
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Ref AvailabilityZone
+        NumberOfAZs: 1
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        CreatePrivateSubnets: false
+        CreateAttachmentSubnets: false
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref MDSVersion, MGMT]]
+  MDSSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: MDS security group
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      SecurityGroupIngress:
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 257
+          ToPort: 257
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 8211
+          ToPort: 8211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18191
+          ToPort: 18191
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18192
+          ToPort: 18192
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18208
+          ToPort: 18208
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18210
+          ToPort: 18210
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18211
+          ToPort: 18211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18221
+          ToPort: 18221
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18264
+          ToPort: 18264
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 18190
+          ToPort: 18190
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 19009
+          ToPort: 19009
+  MDSRoleStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: CreateRole
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml
+      Parameters:
+        Permissions: !Ref MDSPermissions
+        STSRoles: !Join [',', !Ref MDSSTSRoles]
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: PreRole
+    Properties:
+      Path: /
+      Roles:
+        - !Ref MDSPredefinedRole
+  MDSInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MDSSecurityGroup, MDSLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MDSLaunchTemplate
+        Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref MDSName
+      NetworkInterfaces:
+        - DeviceIndex: 0
+          AssociatePublicIpAddress: false
+          Description: eth0
+          GroupSet:
+            - !Ref MDSSecurityGroup
+          DeleteOnTermination: true
+          SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+  MDSLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref MDSInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ]
+        UserData: !Base64
+          Fn::Join:
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}'
+              - !If [PrimaryMDS, '    primary=true ; secondary=false', !If [SecondaryMDS, '    primary=false ; secondary=true', '    primary=false ; secondary=false']]
+              - !If [PrimaryMDS, '    sic=notused', !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}]
+              - '    python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
\ No newline at end of file
diff --git a/china/aws/templates/mds/mds.yaml b/china/aws/templates/mds/mds.yaml
new file mode 100644
index 00000000..c78741c7
--- /dev/null
+++ b/china/aws/templates/mds/mds.yaml
@@ -0,0 +1,525 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: |
+  Deploys a Check Point Multi-Domain Server into an existing VPC (20250617)
+  See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - MDSSubnet
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - MDSName
+          - MDSInstanceType
+          - KeyName
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: IAM Permissions (ignored when the installation type is not Primary
+            Multi-Domain Server)
+        Parameters:
+          - MDSPermissions
+          - MDSPredefinedRole
+          - MDSSTSRoles
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - MDSVersion
+          - Shell
+          - MDSPasswordHash
+          - MDSMaintenancePasswordHash
+      - Label:
+          default: Multi-Domain Server Settings
+        Parameters:
+          - MDSHostname
+          - MDSInstallationType
+          - MDSSICKey
+          - AllowUploadDownload
+          - AdminCIDR
+          - GatewaysAddresses
+          - MDSBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      MDSSubnet:
+        default: MDS subnet
+      MDSName:
+        default: MDS name
+      MDSInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      MDSPermissions:
+        default: IAM role
+      MDSPredefinedRole:
+        default: Existing IAM role name
+      MDSSTSRoles:
+        default: STS roles
+      MDSVersion:
+        default: Version & license
+      Shell:
+        default: Admin shell
+      MDSPasswordHash:
+        default: Password hash
+      MDSMaintenancePasswordHash:
+        default: MDS Maintenance Password hash
+      MDSHostname:
+        default: MDS hostname
+      MDSInstallationType:
+        default: MDS installation type
+      MDSSICKey:
+        default: SIC key
+      AllowUploadDownload:
+        default: Allow upload & download
+      AdminCIDR:
+        default: Administrator addresses
+      GatewaysAddresses:
+        default: Gateways addresses
+      MDSBootstrapScript:
+        default: MDS Bootstrap script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  MDSSubnet:
+    Description: To access the instance from the internet, make sure the subnet has.
+      a route to the internet
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  MDSName:
+    Description: The MDS name tag.
+    Type: String
+    Default: Check-Point-MDS
+  MDSInstanceType:
+    Description: The instance type of the Multi-Domain Server.
+    Type: String
+    Default: m5.2xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  MDSPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  MDSPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored
+      if IAM role is not set to 'Use existing'.
+    Type: String
+    Default: ''
+  MDSSTSRoles:
+    Description: The IAM role will be able to assume these STS Roles (comma separated
+      list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+      existing'.
+    Type: CommaDelimitedList
+    Default: ''
+  MDSVersion:
+    Description: The license to install on the Multi-Domain Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  MDSPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  MDSMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  MDSHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: mds-aws
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  MDSInstallationType:
+    Description: Determines the Multi-Domain Server installation type.
+    Type: String
+    Default: Primary Multi-Domain Server
+    AllowedValues:
+      - Primary Multi-Domain Server
+      - Secondary Multi-Domain Server
+      - Multi-Domain Log Server
+  MDSSICKey:
+    Description: >-
+      Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server,
+      the Secure Internal Communication key creates trusted connections between Check
+      Point components. Choose a random string consisting of at least 8 alphanumeric
+      characters.
+    Type: String
+    Default: ''
+    AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+    ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server.
+      Otherwise, at least 8 alpha numeric characters.
+    NoEcho: true
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate
+      with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or <IP>/32 (specific address)
+    Type: String
+    AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$'
+    ConstraintDescription: Administrator address must be either 0.0.0.0/0 or <IP>/32
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Multi-Domain.
+      Server
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  MDSBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: '0.pool.ntp.org'
+    AllowedPattern: '[\.a-zA-Z0-9\-]*'
+Conditions:
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  CreateRole: !And
+    - !Or
+      - !Condition PrimaryMDS
+      - !Condition SecondaryMDS
+    - !Or
+      - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)]
+      - !Equals [!Ref MDSPermissions, Create with read permissions]
+      - !Equals [!Ref MDSPermissions, Create with read-write permissions]
+  UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]]
+  PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server]
+  SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server]
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref MDSVersion, MGMT]]
+  MDSSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: MDS security group
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 257
+          ToPort: 257
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 8211
+          ToPort: 8211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18191
+          ToPort: 18191
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18192
+          ToPort: 18192
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18208
+          ToPort: 18208
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18210
+          ToPort: 18210
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18211
+          ToPort: 18211
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18221
+          ToPort: 18221
+        - CidrIp: !Ref GatewaysAddresses
+          IpProtocol: tcp
+          FromPort: 18264
+          ToPort: 18264
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 18190
+          ToPort: 18190
+        - CidrIp: !Ref AdminCIDR
+          IpProtocol: tcp
+          FromPort: 19009
+          ToPort: 19009
+  MDSRoleStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: CreateRole
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml
+      Parameters:
+        Permissions: !Ref MDSPermissions
+        STSRoles: !Join [',', !Ref MDSSTSRoles]
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Condition: PreRole
+    Properties:
+      Path: /
+      Roles:
+        - !Ref MDSPredefinedRole
+  MDSInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: [MDSSecurityGroup, MDSLaunchTemplate]
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MDSLaunchTemplate
+        Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref MDSName
+      NetworkInterfaces:
+        - DeviceIndex: 0
+          AssociatePublicIpAddress: false
+          Description: eth0
+          GroupSet:
+            - !Ref MDSSecurityGroup
+          DeleteOnTermination: true
+          SubnetId: !Ref MDSSubnet
+  MDSLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref MDSInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ]
+        UserData: !Base64
+          Fn::Join:
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}'
+              - !If [PrimaryMDS, '    primary=true ; secondary=false', !If [SecondaryMDS, '    primary=false ; secondary=true', '    primary=false ; secondary=false']]
+              - !If [PrimaryMDS, '    sic=notused', !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}]
+              - '    python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
\ No newline at end of file
diff --git a/china/aws/templates/single-gw/README.md b/china/aws/templates/single-gw/README.md
new file mode 100644
index 00000000..696ddebd
--- /dev/null
+++ b/china/aws/templates/single-gw/README.md
@@ -0,0 +1,40 @@
+## Security Gateway
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+            Deploys and configures a Security Gateway. <br/><br/> To deploy the Security Gateway so that it will be automatically provisioned, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434">sk131434</a>. 
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Security Gateway into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway-master.yaml&stackName=Check-Point-Gateway"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Security Gateway into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway.yaml&stackName=Check-Point-Gateway"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+
+## Revision History
+In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
+
+| Template Version | Description                                                                                                   |
+|------------------|---------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version deprecation.                                                  |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                               |
+| 20231113         | Stability fixes.                                                                                              |
+| 20230923         | Add support for C5d instance type.                                                                            |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname |
+| 20230503         | Template version 20230503 and above supports Smart-1 Cloud token validation.                                  |
+| 20230411         | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud                             |
+| 20221123         | Templates version 20221120 and above support R81.20                                                           |
+| 20220606         | New instance type support.                                                                                    |
diff --git a/china/aws/templates/single-gw/gateway-master.yaml b/china/aws/templates/single-gw/gateway-master.yaml
new file mode 100644
index 00000000..5f0fd22a
--- /dev/null
+++ b/china/aws/templates/single-gw/gateway-master.yaml
@@ -0,0 +1,489 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Security Gateway into a new VPC (20250617)
+  See sk175207 for Gateway administration guide deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZone
+          - VPCCIDR
+          - PublicSubnetCIDR
+          - PrivateSubnetCIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewaySICKey
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - GatewayToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings (optional)
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+    ParameterLabels:
+      AvailabilityZone:
+        default: Availability zone
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnetCIDR:
+        default: Public subnet CIDR
+      PrivateSubnetCIDR:
+        default: Private subnet CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Gateway Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateway Version & license
+      Shell:
+        default: Admin shell
+      GatewaySICKey:
+        default: Gateway SIC key
+      GatewayToken:
+        default: Smart-1 Cloud Token
+      GatewayPasswordHash:
+        default: Gateway Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateway address
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+Parameters:
+  AvailabilityZone:
+    Description: The availability zone in which to deploy the instance.
+    Type: AWS::EC2::AvailabilityZone::Name
+    MinLength: 1
+  VPCCIDR:
+    Description: The CIDR block of the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnetCIDR:
+    Description: The public subnet of the Security Gateway.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnetCIDR:
+    Description: The private subnet of the Security Gateway.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '[a-zA-Z0-9]{8,}'
+    NoEcho: true
+  GatewayToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ResourcesTagName:
+    Description: The name tag of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the Security Gateway is provisioned using its private.
+      or public address
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic.
+      provisioning configuration.
+    Type: String
+  ConfigurationTemplate:
+    Description: A name of a Security Gateway configuration template in the automatic.
+      provisioning configuration.
+    Type: String
+    MaxLength: 30
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Ref AvailabilityZone
+        NumberOfAZs: 1
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnetCIDR
+        CreatePrivateSubnets: true
+        PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
+        CreateAttachmentSubnets: false
+  InternalRoutingTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - InternalRoutingTable
+  InternalNetworkRouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref InternalRoutingTable
+      SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+  GatewayStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        InternalRouteTable: !Ref InternalRoutingTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewaySICKey: !Ref GatewaySICKey
+        GatewayToken: !Ref GatewayToken
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+Outputs:
+  CheckPointInstancePublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of the Check Point instance.
+    Value: !GetAtt GatewayStack.Outputs.PublicAddress
+  CheckPointInstancePrivateExternalAddress:
+    Description: The private external address of the Check Point instance.
+    Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress
+  CheckPointInstancePrivateInternalAddress:
+    Description: The private internal address of the Check Point instance.
+    Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress
+  CheckPointInstanceSSH:
+    Condition: AllocateAddress
+    Description: SSH command to the Check Point instance.
+    Value: !GetAtt GatewayStack.Outputs.SSH
+  CheckPointInstanceURL:
+    Condition: AllocateAddress
+    Description: URL to the portal
+    Value: !GetAtt GatewayStack.Outputs.URL
+  ManagementName:
+    Description: The name that represents the Security Management Server.
+    Value: !Ref ManagementServer
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations
+      required to automatically provision the Gateways in the Auto Scaling Group,
+      such as what Security Policy to install and which Blades to enable, will be
+      placed under this template name.
+    Value: !Ref ConfigurationTemplate
diff --git a/china/aws/templates/single-gw/gateway.yaml b/china/aws/templates/single-gw/gateway.yaml
new file mode 100644
index 00000000..a695639b
--- /dev/null
+++ b/china/aws/templates/single-gw/gateway.yaml
@@ -0,0 +1,595 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point Security Gateway into an existing VPC (20250617)
+  See sk175207 for Gateway administration guide deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnet
+          - PrivateSubnet
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewaySICKey
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - GatewayToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings (optional)
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnet:
+        default: Public subnet
+      PrivateSubnet:
+        default: Private subnet
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Gateway Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateway Version & license
+      Shell:
+        default: Admin shell
+      GatewaySICKey:
+        default: Gateway SIC key
+      GatewayToken:
+        default: Smart-1 Cloud Token
+      GatewayPasswordHash:
+        default: Gateway Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateway address
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+Parameters:
+  VPC:
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  PublicSubnet:
+    Description: The public subnet of the security gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  PrivateSubnet:
+    Description: The private subnet of the security gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  InternalRouteTable:
+    Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '[a-zA-Z0-9]{8,}'
+    NoEcho: true
+  GatewayToken:
+      Description: Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+      Type: String
+      AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+      NoEcho: true
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ResourcesTagName:
+    Description: The name tag of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the Security Gateway is provisioned using its private
+      or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic
+      provisioning configuration.
+    Type: String
+  ConfigurationTemplate:
+    Description: A name of a Security Gateway configuration template in the automatic
+      provisioning configuration.
+    Type: String
+    MaxLength: 30
+Conditions:
+  ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+  ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]]
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  ReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: AllocateAddress
+    Properties: {}
+  ReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: AllocateAddress
+    DependsOn: GatewayInstance
+    Properties:
+      Handle: !Ref ReadyHandle
+      Timeout: 1800
+  GatewayIAMRole:
+    Condition: EnableCloudWatch
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: [ ec2.amazonaws.com.cn ]
+            Action: sts:AssumeRole
+      Path: /
+  GatewayInstanceProfile:
+    Condition: EnableCloudWatch
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles: [!Ref GatewayIAMRole]
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+        PolicyRole: !Ref GatewayIAMRole
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !Join ['-', [!Ref GatewayVersion,GW]]
+  ExternalNetworkInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - ExternalNetworkInterface
+      Description: eth0
+      SourceDestCheck: false
+      GroupSet:
+        - !Ref PermissiveSecurityGroup
+      SubnetId: !Ref PublicSubnet
+  InternalNetworkInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - InternalNetworkInterface
+      Description: eth1
+      SourceDestCheck: false
+      GroupSet:
+        - !Ref PermissiveSecurityGroup
+      SubnetId: !Ref PrivateSubnet
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      Tags:
+        - Key: Name
+          Value:
+            !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - PermissiveSecurityGroup
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+  InternalDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: ProvidedRouteTable
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !Ref InternalNetworkInterface
+      RouteTableId: !Ref InternalRouteTable
+  GatewayInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: GatewayLaunchTemplate
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref GatewayLaunchTemplate
+        Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref GatewayName
+        - !If
+          - ProvidedManagementParameters
+          - Key: x-chkp-tags
+            Value:
+              !Join
+              - ':'
+              - - !Join ['=', [management, !Ref ManagementServer]]
+                - !Join ['=', [template,!Ref ConfigurationTemplate]]
+                - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]]
+          - !Ref 'AWS::NoValue'
+  GatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref ExternalNetworkInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref InternalNetworkInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref GatewayInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+            - DeviceName: '/dev/xvda'
+              Ebs:
+                Encrypted: !If [ EncryptedVolume, true, false ]
+                KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+                VolumeType: !Ref VolumeType
+                VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue']
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}'''
+              - !If [AllocateAddress, !Sub '    wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue']
+              - !Join ['', ['    sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+              - !Join ['', ['    pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+              - !Join ['', ['    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+              - !Join ['', ['    bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+              - !Sub ['    version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  PublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  AddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    Condition: AllocateAddress
+    DependsOn: GatewayInstance
+    Properties:
+      NetworkInterfaceId: !Ref ExternalNetworkInterface
+      AllocationId: !GetAtt PublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+Outputs:
+  PublicAddress:
+    Description: The public address of the Check Point instance.
+    Value: !Ref PublicAddress
+    Condition: AllocateAddress
+  PrivateExternalAddress:
+    Description: The private external address of the Check Point instance.
+    Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+  PrivateInternalAddress:
+    Description: The private internal address of the Check Point instance.
+    Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress
+  SSH:
+    Description: SSH command to the Check Point instance.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+    Condition: AllocateAddress
+  URL:
+    Description: URL to the portal.
+    Value: !Join ['', ['https://', !Ref PublicAddress]]
+    Condition: AllocateAddress
+  ManagementName:
+    Description: The name that represents the Security Management Server.
+    Value: !Ref ManagementServer
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations
+      required to automatically provision the Gateways in the Auto Scaling Group,
+      such as what Security Policy to install and which Blades to enable, will be
+      placed under this template name.
+    Value: !Ref ConfigurationTemplate
diff --git a/china/aws/templates/standalone/README.md b/china/aws/templates/standalone/README.md
new file mode 100644
index 00000000..012afd92
--- /dev/null
+++ b/china/aws/templates/standalone/README.md
@@ -0,0 +1,41 @@
+
+## Security Management Server & Security Gateway (Standalone Deployment)
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+                Deploys and configures Standalone or a manually configurable instance.
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Standalone or a manually configurable instance into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone-master.yaml&stackName=Check-Point-Standalone"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Standalone or a manually configurable instance into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone.yaml&stackName=Check-Point-Standalone"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                                                                       |
+|------------------|-------------------------------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version deprecation.                                                      |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                   |
+| 20231113         | - Stability fixes.<br/>- Add support for BYOL license type for Standalone.                                        |
+| 20230923         | Add support for C5d instance type                                                                                 |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname     |
+| 20221123         | Templates version 20221120 and above support R81.20                                                               |
+| 20220606         | New instance type support                                                                                         |
+| 20210329         | Stability fixes                                                                                                   |
+| 20210309         | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS  |
diff --git a/china/aws/templates/standalone/standalone-master.yaml b/china/aws/templates/standalone/standalone-master.yaml
new file mode 100644
index 00000000..bb7fa1ee
--- /dev/null
+++ b/china/aws/templates/standalone/standalone-master.yaml
@@ -0,0 +1,436 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS
+  Security Gateway & Management (Standalone) instance in a new VPC (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZone
+          - VPCCIDR
+          - PublicSubnetCIDR
+          - PrivateSubnetCIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - StandaloneName
+          - StandaloneInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - StandaloneVersion
+          - Shell
+          - StandalonePasswordHash
+          - StandaloneMaintenancePasswordHash
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - StandaloneHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - StandaloneBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+          - AdminCIDR
+          - GatewaysAddresses
+    ParameterLabels:
+      AvailabilityZone:
+        default: Availability zone
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnetCIDR:
+        default: Public subnet CIDR
+      PrivateSubnetCIDR:
+        default: Private subnet CIDR
+      StandaloneName:
+        default: Standalone Name
+      StandaloneInstanceType:
+        default: Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      StandaloneVersion:
+        default: License
+      Shell:
+        default: Admin shell
+      StandalonePasswordHash:
+        default: Standalone Password hash
+      StandaloneMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      ResourcesTagName:
+        default: Resources prefix tag
+      StandaloneHostname:
+        default: Standalone Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      StandaloneBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+      AdminCIDR:
+        default: Administrator addresses
+      GatewaysAddresses:
+        default: Gateways addresses
+Parameters:
+  AvailabilityZone:
+    Description: The availability zone in which to deploy the instance.
+    Type: AWS::EC2::AvailabilityZone::Name
+    MinLength: 1
+  VPCCIDR:
+    Description: The CIDR block of the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnetCIDR:
+    Description: The public subnet of the Security Gateway.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnetCIDR:
+    Description: The private subnet of the Security Gateway.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  StandaloneName:
+    Type: String
+    Default: Check-Point-Instance
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  StandaloneVersion:
+    Description: Standalone Version & License.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  StandalonePasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  StandaloneMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  StandaloneInstanceType:
+    Description: The instance type of the Security Gateway & Management (Standalone) instance.
+    Type: String
+    Default: c5.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ResourcesTagName:
+    Description: The name tag of the resources. (optional)
+    Type: String
+    Default: ''
+  StandaloneHostname:
+    Description: (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  StandaloneBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate.
+      with the Management Server
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Management.
+      Server. (optional)
+    Type: String
+    AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Ref AvailabilityZone
+        NumberOfAZs: 1
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnetCIDR
+        CreatePrivateSubnets: true
+        PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
+        CreateAttachmentSubnets: false
+  InternalRoutingTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - InternalRoutingTable
+  InternalNetworkRouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref InternalRoutingTable
+      SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+  StandaloneStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        InternalRouteTable: !Ref InternalRoutingTable
+        StandaloneName: !Ref StandaloneName
+        StandaloneInstanceType: !Ref StandaloneInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        StandaloneVersion: !Ref StandaloneVersion
+        Shell: !Ref Shell
+        StandalonePasswordHash: !Ref StandalonePasswordHash
+        StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash
+        ResourcesTagName: !Ref ResourcesTagName
+        StandaloneHostname: !Ref StandaloneHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        StandaloneBootstrapScript: !Ref StandaloneBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+        AdminCIDR: !Ref AdminCIDR
+        GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+  CheckPointInstancePublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of the Check Point instance.
+    Value: !GetAtt StandaloneStack.Outputs.PublicAddress
+  CheckPointInstanceSSH:
+    Condition: AllocateAddress
+    Description: SSH command to the Check Point instance.
+    Value: !GetAtt StandaloneStack.Outputs.SSH
+  CheckPointInstanceURL:
+    Condition: AllocateAddress
+    Description: URL to the portal.
+    Value: !GetAtt StandaloneStack.Outputs.URL
diff --git a/china/aws/templates/standalone/standalone.yaml b/china/aws/templates/standalone/standalone.yaml
new file mode 100644
index 00000000..94a6bf0a
--- /dev/null
+++ b/china/aws/templates/standalone/standalone.yaml
@@ -0,0 +1,531 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS
+  Security Gateway & Management (Standalone) instance into an existing VPC (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnet
+          - PrivateSubnet
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - StandaloneName
+          - StandaloneInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - StandaloneVersion
+          - Shell
+          - StandalonePasswordHash
+          - StandaloneMaintenancePasswordHash
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - StandaloneHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - StandaloneBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+          - AdminCIDR
+          - GatewaysAddresses
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnet:
+        default: Public subnet
+      PrivateSubnet:
+        default: Private subnet
+      InternalRouteTable:
+        default: Internal route table
+      StandaloneName:
+        default: Standalone Name
+      StandaloneInstanceType:
+        default: Standalone Instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate an Elastic IP
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      StandaloneVersion:
+        default: License
+      Shell:
+        default: Admin shell
+      StandalonePasswordHash:
+        default: Standalone Password hash
+      StandaloneMaintenancePasswordHash:
+        default: Standalone Maintenance Password hash
+      ResourcesTagName:
+        default: Resources prefix tag
+      StandaloneHostname:
+        default: Standalone Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      StandaloneBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+      AdminCIDR:
+        default: Administrator addresses
+      GatewaysAddresses:
+        default: Gateways addresses
+Parameters:
+  VPC:
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+  PublicSubnet:
+    Description: The public subnet of the Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  PrivateSubnet:
+    Description: The private subnet of the Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+  InternalRouteTable:
+    Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional)
+    Type: String
+    Default: ''
+  StandaloneName:
+    Type: String
+    Default: Check-Point-Instance
+  StandaloneInstanceType:
+    Description: The instance type of the Security Gateway & Management (Standalone) instance.
+    Type: String
+    Default: c5.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  StandaloneVersion:
+    Description: Standalone Version & License.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  StandalonePasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  StandaloneMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ResourcesTagName:
+    Description: The name tag of the resources. (optional)
+    Type: String
+    Default: ''
+  StandaloneHostname:
+    Description: (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  StandaloneBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate.
+      with the Management Server.
+    Type: String
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Management.
+      Server. (optional)
+    Type: String
+    AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+Conditions:
+  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+  EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+  ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+  EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+  IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL']
+  EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+  ReadyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Condition: AllocateAddress
+    Properties: {}
+  ReadyCondition:
+    Type: AWS::CloudFormation::WaitCondition
+    Condition: AllocateAddress
+    DependsOn: StandaloneInstance
+    Properties:
+      Handle: !Ref ReadyHandle
+      Timeout: 1800
+  StandaloneIAMRole:
+    Condition: EnableCloudWatch
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: [ ec2.amazonaws.com.cn ]
+            Action: sts:AssumeRole
+      Path: /
+  StandaloneInstanceProfile:
+    Condition: EnableCloudWatch
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles: [ !Ref StandaloneIAMRole ]
+  CloudwatchPolicy:
+    Condition: EnableCloudWatch
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+      Parameters:
+        PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+        PolicyRole: !Ref StandaloneIAMRole
+  AMI:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+      Parameters:
+        Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion]
+  ExternalNetworkInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - ExternalNetworkInterface
+      Description: eth0
+      SourceDestCheck: false
+      GroupSet:
+        - !Ref PermissiveSecurityGroup
+      SubnetId: !Ref PublicSubnet
+  InternalNetworkInterface:
+    Type: AWS::EC2::NetworkInterface
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - InternalNetworkInterface
+      Description: eth1
+      SourceDestCheck: false
+      GroupSet:
+        - !Ref PermissiveSecurityGroup
+      SubnetId: !Ref PrivateSubnet
+  PermissiveSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Join
+            - _
+            - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+              - PermissiveSecurityGroup
+      GroupDescription: Permissive security group.
+      VpcId: !Ref VPC
+      SecurityGroupIngress:
+        - IpProtocol: -1
+          CidrIp: 0.0.0.0/0
+  InternalDefaultRoute:
+    Type: AWS::EC2::Route
+    Condition: ProvidedRouteTable
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !Ref InternalNetworkInterface
+      RouteTableId: !Ref InternalRouteTable
+  StandaloneInstance:
+    Type: AWS::EC2::Instance
+    DependsOn: GatewayLaunchTemplate
+    Properties:
+      LaunchTemplate:
+        LaunchTemplateId: !Ref GatewayLaunchTemplate
+        Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+      DisableApiTermination: !Ref TerminationProtection
+      Tags:
+        - Key: Name
+          Value: !Ref StandaloneName
+  GatewayLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateData:
+        NetworkInterfaces:
+          - DeviceIndex: 0
+            NetworkInterfaceId: !Ref ExternalNetworkInterface
+          - DeviceIndex: 1
+            NetworkInterfaceId: !Ref InternalNetworkInterface
+        KeyName: !Ref KeyName
+        ImageId: !GetAtt AMI.Outputs.ImageId
+        InstanceType: !Ref StandaloneInstanceType
+        MetadataOptions:
+          HttpTokens: !If [EnableMetaDataToken, required, optional]
+        BlockDeviceMappings:
+          - DeviceName: '/dev/xvda'
+            Ebs:
+              Encrypted: !If [ EncryptedVolume, true, false ]
+              KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+              VolumeType: !Ref VolumeType
+              VolumeSize: !Ref VolumeSize
+        IamInstanceProfile:
+          Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ]
+        UserData:
+          'Fn::Base64':
+            !Join
+            - |+
+
+            - - '#cloud-config'
+              - 'runcmd:'
+              - '  - |'
+              - '    set -e'
+              - !Sub '    admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}'
+              - !If [ AllocateAddress, !Sub '    wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ]
+              - !Join [ '', [ '    bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ]
+              - !Join [ '', [ '    pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ]
+              - !Join [ '', [ '    maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ]
+              - !Sub [ '    version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ]
+              - '    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+      VersionDescription: Initial template version
+  PublicAddress:
+    Type: AWS::EC2::EIP
+    Condition: AllocateAddress
+    Properties:
+      Domain: vpc
+  AddressAssoc:
+    Type: AWS::EC2::EIPAssociation
+    DependsOn: StandaloneInstance
+    Condition: AllocateAddress
+    Properties:
+      NetworkInterfaceId: !Ref ExternalNetworkInterface
+      AllocationId: !GetAtt PublicAddress.AllocationId
+      PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+Outputs:
+  PublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of the Check Point instance.
+    Value: !Ref PublicAddress
+  SSH:
+    Condition: AllocateAddress
+    Description: SSH command to the Check Point instance.
+    Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+  URL:
+    Condition: AllocateAddress
+    Description: URL to the portal.
+    Value: !Join ['', ['https://', !Ref PublicAddress ]]
diff --git a/china/aws/templates/tgw-asg/README.md b/china/aws/templates/tgw-asg/README.md
new file mode 100644
index 00000000..3a8d94bb
--- /dev/null
+++ b/china/aws/templates/tgw-asg/README.md
@@ -0,0 +1,40 @@
+
+## Transit Gateway Auto Scaling Group
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+           Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.<br/><br/> For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Default.htm" >AWS Transit Gateway R80.10 and above Deployment Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg-master.yaml&stackName=Check-Point-TGW-AutoScaling"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an existing VPC, and an optional, preconfigured Security Management Server to manage them.	</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg.yaml&stackName=Check-Point-TGW-AutoScaling"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                                              |
+|------------------|------------------------------------------------------------------------------------------|
+| 20240704         | - R80.40 version deprecation.<br/>- R81 version deprecation.                             |
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only          |
+| 20240414         | Add support for Elastic Load Balancer Health Checks.                                     |
+| 20230923         | Add support for C5d instance type.                                                       |
+| 20221226         | Support ASG Launch Template instead of Launch Configuration.                             |
+| 20221123         | Templates version 20221120 and above support R81.20                                      |
+| 20220606         | New instance type support.                                                               |
+| 20210329         | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS |
diff --git a/china/aws/templates/tgw-asg/tgw-asg-master.yaml b/china/aws/templates/tgw-asg/tgw-asg-master.yaml
new file mode 100644
index 00000000..0d54f802
--- /dev/null
+++ b/china/aws/templates/tgw-asg/tgw-asg-master.yaml
@@ -0,0 +1,681 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20250617). 
+  See CloudGuard Network for AWS Auto Scale Group with Transit Gateway deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - CloudWatch
+          - ASN
+          - AdminEmail
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - ManagementPermissions
+          - ManagementPredefinedRole
+          - GatewaysBlades
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of AZs
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public Subnet 1
+      PublicSubnet2CIDR:
+        default: Public Subnet 2
+      PublicSubnet3CIDR:
+        default: Public Subnet 3
+      PublicSubnet4CIDR:
+        default: Public Subnet 4
+      KeyName:
+        default: Key name
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      GatewayName:
+        default: GatewayName
+      GatewayInstanceType:
+        default: Gateways instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Gateways version & license
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      CloudWatch:
+        default: CloudWatch metrics
+      ASN:
+        default: BGP ASN
+      AdminEmail:
+        default: Email address
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Instance type
+      ManagementVersion:
+        default: Version & license
+      ManagementPasswordHash:
+        default: Password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      ManagementPermissions:
+        default: IAM role
+      ManagementPredefinedRole:
+        default: Existing IAM role name
+      GatewaysBlades:
+        default: Default Blades
+      AdminCIDR:
+        default: Administrator addresses
+      GatewayManagement:
+        default: Manage Gateways
+      GatewaysAddresses:
+        default: Gateways addresses
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  AvailabilityZones:
+    Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two.
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 2
+    MaxValue: 4
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for public subnet 3 located in the 3rd Availability Zone.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for public subnet 4 located in the 4th Availability Zone.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '[a-zA-Z0-9]{8,}'
+    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  ASN:
+    Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways.
+    Type: String
+    AllowedPattern: '^[0-9]+$'
+    Default: 65000
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+    ConstraintDescription: Must be a valid email address.
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ManagementVersion:
+    Description: The version and license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read-write permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  ManagementPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'.
+    Type: String
+    Default: ''
+  GatewaysBlades:
+    Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later).
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: TGW-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: !Ref NumberOfAZs
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+        CreatePrivateSubnets: false
+  MainStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        GatewaysSubnets: !Join
+          - ','
+          - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+            - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+            - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+            - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+        KeyName: !Ref KeyName
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        AllowUploadDownload: !Ref AllowUploadDownload
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        CloudWatch: !Ref CloudWatch
+        ASN: !Ref ASN
+        AdminEmail: !Ref AdminEmail
+        ManagementDeploy: !Ref ManagementDeploy
+        ManagementInstanceType: !Ref ManagementInstanceType
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        ManagementPermissions: !Ref ManagementPermissions
+        ManagementPredefinedRole: !Ref ManagementPredefinedRole
+        GatewaysBlades: !Ref GatewaysBlades
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+Outputs:
+  ManagementName:
+    Description: The name that represents the Security Management Server.
+    Value: !Ref ManagementServer
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !Ref ConfigurationTemplate
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+    Value: !GetAtt MainStack.Outputs.ControllerName
+  ManagementPublicAddress:
+    Description: The public address of the management servers.
+    Value: !GetAtt MainStack.Outputs.ManagementPublicAddress
+    Condition: DeployManagement
+Rules:
+  GatewayAddressRule:
+    RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
+    Assertions:
+      - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided"
+        Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']]
diff --git a/china/aws/templates/tgw-asg/tgw-asg.yaml b/china/aws/templates/tgw-asg/tgw-asg.yaml
new file mode 100644
index 00000000..731649ce
--- /dev/null
+++ b/china/aws/templates/tgw-asg/tgw-asg.yaml
@@ -0,0 +1,682 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: |
+  Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20250617). 
+  See CloudGuard Network for AWS Auto Scale Group with Transit Gateway deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Network Configuration
+        Parameters:
+          - VPC
+          - GatewaysSubnets
+      - Label:
+          default: General Settings
+        Parameters:
+          - KeyName
+          - EnableVolumeEncryption
+          - VolumeSize
+          - VolumeType
+          - EnableInstanceConnect
+          - TerminationProtection
+          - MetaDataToken
+          - AllowUploadDownload
+      - Label:
+          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+        Parameters:
+          - AutoScaleGroupName
+          - GatewayName
+          - GatewayInstanceType
+          - GatewaysMinSize
+          - GatewaysMaxSize
+          - GatewayVersion
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+          - CloudWatch
+          - ASN
+          - AdminEmail
+      - Label:
+          default: Check Point CloudGuard IaaS Security Management Server Configuration
+        Parameters:
+          - ManagementDeploy
+          - ManagementInstanceType
+          - ManagementVersion
+          - ManagementPasswordHash
+          - ManagementMaintenancePasswordHash
+          - ManagementPermissions
+          - ManagementPredefinedRole
+          - GatewaysBlades
+          - AdminCIDR
+          - GatewayManagement
+          - GatewaysAddresses
+      - Label:
+          default: Automatic Provisioning with Security Management Server Settings
+        Parameters:
+          - ControlGatewayOverPrivateOrPublicAddress
+          - ManagementServer
+          - ConfigurationTemplate
+    ParameterLabels:
+      VPC:
+        default: VPC
+      GatewaysSubnets:
+        default: Subnets
+      KeyName:
+        default: Key name
+      EnableVolumeEncryption:
+        default: Enable environment volume encryption
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      AllowUploadDownload:
+        default: Allow upload & download
+      GatewayName:
+        default: Name
+      GatewayInstanceType:
+        default: Instance type
+      GatewaysMinSize:
+        default: Minimum group size
+      GatewaysMaxSize:
+        default: Maximum group size
+      GatewayVersion:
+        default: Version & license
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      CloudWatch:
+        default: CloudWatch metrics
+      ASN:
+        default: BGP ASN
+      AdminEmail:
+        default: Email address
+      ManagementDeploy:
+        default: Deploy Management Server
+      ManagementInstanceType:
+        default: Instance type
+      ManagementVersion:
+        default: Version & license
+      ManagementPasswordHash:
+        default: Password hash
+      ManagementMaintenancePasswordHash:
+        default: Management Maintenance Password hash
+      ManagementPermissions:
+        default: IAM role
+      ManagementPredefinedRole:
+        default: Existing IAM role name
+      GatewaysBlades:
+        default: Default Blades
+      AdminCIDR:
+        default: Administrator addresses
+      GatewaysAddresses:
+        default: Gateways addresses
+      GatewayManagement:
+        default: Manage Gateways
+      ControlGatewayOverPrivateOrPublicAddress:
+        default: Gateways addresses
+      ManagementServer:
+        default: Management Server
+      ConfigurationTemplate:
+        default: Configuration template
+      AutoScaleGroupName:
+        default: Auto Scale Group name
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: You must select a VPC.
+  GatewaysSubnets:
+    Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet.
+    Type: List<AWS::EC2::Subnet::Id>
+    MinLength: 2
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  EnableVolumeEncryption:
+    Description: Encrypt Environment instances volume with default AWS KMS key.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    MinValue: 100
+    Default: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Gateway
+  GatewayInstanceType:
+    Description: The EC2 instance type for the Security Gateways.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  GatewaysMinSize:
+    Description: The minimal number of Security Gateways.
+    Type: Number
+    Default: 2
+    MinValue: 1
+  GatewaysMaxSize:
+    Description: The maximal number of Security Gateways.
+    Type: Number
+    Default: 10
+    MinValue: 1
+  GatewayVersion:
+    Description: The version and license to install on the Security Gateways.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '[a-zA-Z0-9]{8,}'
+    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+    NoEcho: true
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  ASN:
+    Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways.
+    Type: String
+    Default: 65000
+    AllowedPattern: '^[0-9]+$'
+  AdminEmail:
+    Description: Notifications about scaling events will be sent to this email address. (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+    ConstraintDescription: Must be a valid email address.
+  ManagementDeploy:
+    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  ManagementInstanceType:
+    Description: The EC2 instance type of the Security Management Server.
+    Type: String
+    Default: m5.xlarge
+    AllowedValues:
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - c6in.large
+      - c6in.xlarge
+      - c6in.2xlarge
+      - c6in.4xlarge
+      - c6in.8xlarge
+      - c6in.12xlarge
+      - c6in.16xlarge
+      - c6in.24xlarge
+      - c6in.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+  ManagementVersion:
+    Description: The version and license to install on the Security Management Server.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  ManagementPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  ManagementPermissions:
+    Description: IAM role to attach to the instance profile.
+    Type: String
+    Default: Create with read-write permissions
+    AllowedValues:
+      - None (configure later)
+      - Use existing (specify an existing IAM role name)
+      - Create with assume role permissions (specify an STS role ARN)
+      - Create with read permissions
+      - Create with read-write permissions
+  ManagementPredefinedRole:
+    Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'.
+    Type: String
+    Default: ''
+  GatewaysBlades:
+    Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later).
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  AdminCIDR:
+    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+  GatewayManagement:
+    Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+    Type: String
+    Default: Locally managed
+    AllowedValues:
+      - Locally managed
+      - Over the internet
+  GatewaysAddresses:
+    Description: Allow gateways only from this network to communicate with the Security Management Server.
+    Type: String
+    AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  ControlGatewayOverPrivateOrPublicAddress:
+    Description: Determines if the gateways are provisioned using their private or public address.
+    Type: String
+    Default: private
+    AllowedValues:
+      - private
+      - public
+  ManagementServer:
+    Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+    Type: String
+    Default: management-server
+    MinLength: 1
+  ConfigurationTemplate:
+    Description: A name of a gateway configuration template in the automatic provisioning configuration.
+    Type: String
+    Default: TGW-ASG-configuration
+    MinLength: 1
+    MaxLength: 30
+  AutoScaleGroupName:
+    Description: The Name of the Auto Scaling Group. (optional)
+    Type: String
+    Default: ""
+    MaxLength: 100
+Conditions:
+  VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+  DeployManagement: !Equals [!Ref ManagementDeploy, true]
+  GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+Resources:
+  ManagementStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployManagement
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/management.yaml
+      Parameters:
+        VPC: !Ref VPC
+        ManagementSubnet: !Select [0, !Ref GatewaysSubnets]
+        ManagementName: !Ref ManagementServer
+        ManagementInstanceType: !Ref ManagementInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: true
+        VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, '']
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        ManagementPermissions: !Ref ManagementPermissions
+        ManagementPredefinedRole: !Ref ManagementPredefinedRole
+        ManagementVersion: !Ref ManagementVersion
+        ManagementPasswordHash: !Ref ManagementPasswordHash
+        ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+        AllowUploadDownload: !Ref AllowUploadDownload
+        AdminCIDR: !Ref AdminCIDR
+        GatewayManagement: !Ref GatewayManagement
+        GatewaysAddresses: !Ref GatewaysAddresses
+        ManagementBootstrapScript: !Join
+          - ';'
+          - - 'echo -e "\nStarting Bootstrap script\n"'
+            - 'echo "Setting up bootstrap parameters"'
+            - !Sub 'conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; region=${AWS::Region} ; blades=${GatewaysBlades}'
+            - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+            - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']]
+            - 'community="tgw-community" ; controller="tgw-controller"'
+            - 'echo "Adding tgw identifier to cloud-version"'
+            - 'template="management_tgw_asg"'
+            - 'cv_path="/etc/cloud-version"'
+            - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
+            - 'cv_json_path="/etc/cloud-version.json"'
+            - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
+            - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
+            - 'echo "Configuring VPN community: ${community}"'
+            - '[[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh "${community}" || /etc/fw/scripts/autoprovision/config-community.sh "${community}"'
+            - 'echo "Setting VPN rules"'
+            - 'mgmt_cli -r true add access-layer name "Inline"'
+            - 'mgmt_cli -r true add access-rule layer Network position 1 name "${community} VPN Traffic Rule" vpn.directional.1.from "${community}" vpn.directional.1.to "${community}" vpn.directional.2.from "${community}" vpn.directional.2.to External_clear action "Apply Layer" source "Any" destination "Any" service "Any" inline-layer "Inline"'
+            - 'mgmt_cli -r true add dynamic-object name "LocalGateway"'
+            - 'mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source "LocalGateway" method hide'
+            - 'echo "Setting CME configurations"'
+            - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po Standard -otp "${sic}" -r "${region}" -ver "${version}" -iam -dt TGW'
+            - 'autoprov_cfg -f set controller AWS -cn "${controller}" -sv -com "${community}"'
+            - 'autoprov_cfg -f set template -tn "${conf_template}" -vpn -vd "" -con "${community}"'
+            - '${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ia -ips -appi -av -ab'
+            - 'echo -e "\nFinished Bootstrap script\n"'
+  SecurityGatewaysStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/autoscale.yaml
+      Parameters:
+        VPC: !Ref VPC
+        AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+        GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        EnableVolumeEncryption: !Ref EnableVolumeEncryption
+        VolumeType: !Ref VolumeType
+        VolumeSize: !Ref VolumeSize
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        MetaDataToken: !Ref MetaDataToken
+        GatewaysMinSize: !Ref GatewaysMinSize
+        GatewaysMaxSize: !Ref GatewaysMaxSize
+        AdminEmail: !Ref AdminEmail
+        GatewayVersion: !Ref GatewayVersion
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Join
+          - ';'
+          - - 'echo -e "\nStarting Bootstrap script\n"'
+            - 'echo "Setting up bootstrap parameters"'
+            - !Sub 'asn=${ASN}'
+            - 'echo "Adding tgw identifier to cloud-version"'
+            - 'template="autoscale_tgw"'
+            - 'cv_path="/etc/cloud-version"'
+            - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
+            - 'cv_json_path="/etc/cloud-version.json"'
+            - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
+            - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
+            - 'echo "Setting ASN to: ${asn}"'
+            - 'clish -c "set as ${asn}" -s'
+            - 'echo -e "\nFinished Bootstrap script\n"'
+        ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+        ManagementServer: !Ref ManagementServer
+        ConfigurationTemplate: !Ref ConfigurationTemplate
+Outputs:
+  ManagementName:
+    Description: The name that represents the Security Management Server.
+    Value: !Ref ManagementServer
+  ConfigurationTemplateName:
+    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+    Value: !Ref ConfigurationTemplate
+  ControllerName:
+    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+    Value: tgw-controller
+  ManagementPublicAddress:
+    Description: The public address of the management servers.
+    Value: !GetAtt ManagementStack.Outputs.PublicAddress
+    Condition: DeployManagement
+Rules:
+  GatewayAddressRule:
+    RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
+    Assertions:
+      - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided"
+        Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']]
diff --git a/china/aws/templates/tgw-cross-az-cluster/README.md b/china/aws/templates/tgw-cross-az-cluster/README.md
new file mode 100644
index 00000000..638194c6
--- /dev/null
+++ b/china/aws/templates/tgw-cross-az-cluster/README.md
@@ -0,0 +1,38 @@
+
+## Transit Gateway Cross Availability Zone Cluster
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+           Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm">Cross Availability Zone Cluster for AWS R81.20 Administration Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster-master.yaml&stackName=Check-Point-TGW-Cross-AZ-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml&stackName=Check-Point-TGW-Cross-AZ-Cluster"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                                                                                                           |
+|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                                                       |
+| 20230923         | Add support for C5d instance type.                                                                                                                    |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname                                         |
+| 20230503         | Smart-1 Cloud token validation.                                                                                                                       |
+| 20230411         | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.<br/>- Multiple VIPs support for Cross Availability Zone Cluster. |
+| 20221229         | Removed unsupported versions.                                                                                                                         |
+| 20221123         | Templates version 20221120 and above support R81.20                                                                                                   |
diff --git a/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml
new file mode 100644
index 00000000..809d13b9
--- /dev/null
+++ b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml
@@ -0,0 +1,527 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Check Point TGW  Cross Availabilty Zone Cluster in a new VPC (20250617). 
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+          - TgwSubnet1CIDR
+          - TgwSubnet2CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability zones
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      TgwSubnet1CIDR:
+        default: TGW HA subnet 1 CIDR
+      TgwSubnet2CIDR:
+        default: TGW HA subnet 2 CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZones:
+    Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  VPCCIDR:
+    Description: The CIDR block of the provided VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet1CIDR:
+    Description: The 1st internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet1CIDR:
+    Description: The 1st TGW HA subnet of the TGW VPC attachment.
+    Type: String
+    Default: 10.0.12.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet2CIDR:
+    Description: The 2nd TGW HA subnet of the TGW VPC attachment.
+    Type: String
+    Default: 10.0.22.0/24
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: 2
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+        CreateAttachmentSubnets: true
+        AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR
+        AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR
+  InternalRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPCStack
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: Private Subnets Route Table
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: VPCStack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+        TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+        TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
diff --git a/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
new file mode 100644
index 00000000..2c0ec653
--- /dev/null
+++ b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
@@ -0,0 +1,523 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20250617). 
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnetA
+          - PublicSubnetB
+          - PrivateSubnetA
+          - PrivateSubnetB
+          - TgwHASubnetA
+          - TgwHASubnetB
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnetA:
+        default: Public subnet 1
+      PublicSubnetB:
+        default: Public subnet 2
+      PrivateSubnetA:
+        default: Private subnet 1
+      PrivateSubnetB:
+        default: Private subnet 2
+      TgwHASubnetA:
+        default: TGW HA subnet 1
+      TgwHASubnetB:
+        default: TGW HA subnet 2
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: you must select a VPC.
+  PublicSubnetA:
+    Description: Select a public subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the first Security Gateway.
+  PublicSubnetB:
+    Description: Select a public subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the second Security Gateway.
+  PrivateSubnetA:
+    Description: Select a private subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the first Security Gateway.
+  PrivateSubnetB:
+    Description: Select a private subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the second Security Gateway.
+  TgwHASubnetA:
+    Description: Select a TGW HA subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway.
+  TgwHASubnetB:
+    Description: Select a TGW HA subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway.
+  InternalRouteTable:
+    Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Description: The license to install on the Security Gateways.
+    Type: String
+    Default: R81.20-BYOL
+    AllowedValues:
+      - R81.20-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml
+      Parameters:
+        VPC: !Ref VPC
+        PublicSubnetA: !Ref PublicSubnetA
+        PublicSubnetB: !Ref PublicSubnetB
+        PrivateSubnetA: !Ref PrivateSubnetA
+        PrivateSubnetB: !Ref PrivateSubnetB
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+  TGWRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Subnets
+  TGWDefaultRoute:
+    Type: AWS::EC2::Route
+    DependsOn: ClusterStack
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+      RouteTableId: !Ref TGWRouteTable
+  TGWNSubnet1RouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: TGWRouteTable
+    Properties:
+      RouteTableId: !Ref TGWRouteTable
+      SubnetId: !Ref TgwHASubnetA
+  TGWSubnet2RouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: TGWRouteTable
+    Properties:
+      RouteTableId: !Ref TGWRouteTable
+      SubnetId: !Ref TgwHASubnetB
+Outputs:
+  ClusterPublicAddress:
+    Description: The public address of the cluster.
+    Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/tgw-ha/README.md b/china/aws/templates/tgw-ha/README.md
new file mode 100644
index 00000000..cbc90be9
--- /dev/null
+++ b/china/aws/templates/tgw-ha/README.md
@@ -0,0 +1,39 @@
+
+## Transit Gateway Cross Availability Zone Cluster
+<table>
+    <thead>
+        <tr>
+            <th>Description</th>
+            <th>Notes</th>
+            <th>Direct Launch</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td rowspan="2" width="40%">
+           Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.<br/><br/>For more details, refer to <a href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Transit_Gateway_High_Availability/Default.htm">CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide</a>.
+            </td>
+            <td width="40%">Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha-master.yaml&stackName=Check-Point-TGW-HA"><img src="../../images/launch.png"/></a></td>
+        </tr>
+        <tr>
+            <td width="40%">Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.</td>
+            <td><a href="https://console.amazonaws.cn/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha.yaml&stackName=Check-Point-TGW-HA"><img src="../../images/launch.png"/></a></td>
+        </tr>
+    </tbody>
+</table>
+<br/>
+<br/>
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                                                                      |
+|------------------|------------------------------------------------------------------------------------------------------------------|
+| 20240519         | Add support for requiring use instance metadata service version 2 (IMDSv2) only                                  |
+| 20230923         | Add support for C5d instance type.                                                                               |
+| 20230521         | - Change default shell for the admin user to /etc/cli.sh<br/>- Add description for reserved words in hostname    |
+| 20230503         | Template version 20230503 and above supports Smart-1 Cloud token validation.                                     |
+| 20230411         | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.                               |
+| 20221123         | Templates version 20221120 and above support R81.20                                                              |
+| 20220606         | New instance type support                                                                                        |
+| 20210309         | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
diff --git a/china/aws/templates/tgw-ha/tgw-ha-master.yaml b/china/aws/templates/tgw-ha/tgw-ha-master.yaml
new file mode 100644
index 00000000..62548deb
--- /dev/null
+++ b/china/aws/templates/tgw-ha/tgw-ha-master.yaml
@@ -0,0 +1,524 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20250617)
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment Guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - AvailabilityZones
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+          - TgwSubnet1CIDR
+          - TgwSubnet2CIDR
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      TgwSubnet1CIDR:
+        default: TGW HA subnet 1 CIDR
+      TgwSubnet2CIDR:
+        default: TGW HA subnet 2 CIDR
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  AvailabilityZones:
+    Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 2
+  VPCCIDR:
+    Description: The CIDR block of the provided VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for public subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for public subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet1CIDR:
+    Description: CIDR block for private subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: CIDR block for private subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet1CIDR:
+    Description: CIDR block for TGW HA subnet 1 located in the 1st Availability Zone.
+    Type: String
+    Default: 10.0.12.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  TgwSubnet2CIDR:
+    Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone.
+    Type: String
+    Default: 10.0.22.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Description: The instance type of the Secutiry Gateway.
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+  AllocatePublicAddress:
+    Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Default: false
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Type: String
+    Default: R81.10-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+      to get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections
+      between Check Point components. Choose a random string consisting of at least
+      8 alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  VPCStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+      Parameters:
+        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+        NumberOfAZs: 2
+        VPCCIDR: !Ref VPCCIDR
+        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+        CreateAttachmentSubnets: true
+        AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR
+        AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR
+  InternalRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPCStack
+    Properties:
+      VpcId: !GetAtt VPCStack.Outputs.VPCID
+      Tags:
+        - Key: Name
+          Value: Private Subnets Route Table
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha.yaml
+      Parameters:
+        VPC: !GetAtt VPCStack.Outputs.VPCID
+        PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+        PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+        PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+        PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+        TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+        TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+Outputs:
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/tgw-ha/tgw-ha.yaml b/china/aws/templates/tgw-ha/tgw-ha.yaml
new file mode 100644
index 00000000..750de054
--- /dev/null
+++ b/china/aws/templates/tgw-ha/tgw-ha.yaml
@@ -0,0 +1,520 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20250617)
+  See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment Guide for detailed deployment and configuration steps.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: VPC Network Configuration
+        Parameters:
+          - VPC
+          - PublicSubnetA
+          - PublicSubnetB
+          - PrivateSubnetA
+          - PrivateSubnetB
+          - TgwHASubnetA
+          - TgwHASubnetB
+          - InternalRouteTable
+      - Label:
+          default: EC2 Instance Configuration
+        Parameters:
+          - GatewayName
+          - GatewayInstanceType
+          - KeyName
+          - AllocatePublicAddress
+          - VolumeSize
+          - VolumeType
+          - VolumeEncryption
+          - EnableInstanceConnect
+          - GatewayPredefinedRole
+          - TerminationProtection
+          - MetaDataToken
+      - Label:
+          default: Check Point Settings
+        Parameters:
+          - GatewayVersion
+          - Shell
+          - GatewayPasswordHash
+          - GatewayMaintenancePasswordHash
+          - GatewaySICKey
+      - Label:
+          default: Quick connect to Smart-1 Cloud (Recommended)
+        Parameters:
+          - MemberAToken
+          - MemberBToken
+      - Label:
+          default: Advanced Settings
+        Parameters:
+          - ResourcesTagName
+          - GatewayHostname
+          - AllowUploadDownload
+          - CloudWatch
+          - GatewayBootstrapScript
+          - NTPPrimary
+          - NTPSecondary
+    ParameterLabels:
+      VPC:
+        default: VPC
+      PublicSubnetA:
+        default: Public subnet 1
+      PublicSubnetB:
+        default: Public subnet 2
+      PrivateSubnetA:
+        default: Private subnet 1
+      PrivateSubnetB:
+        default: Private subnet 2
+      TgwHASubnetA:
+        default: TGW HA subnet 1
+      TgwHASubnetB:
+        default: TGW HA subnet 2
+      InternalRouteTable:
+        default: Internal route table
+      GatewayName:
+        default: Gateway Name
+      GatewayInstanceType:
+        default: Security Gateways instance type
+      KeyName:
+        default: Key name
+      AllocatePublicAddress:
+        default: Allocate Elastic IPs for cluster members
+      VolumeSize:
+        default: Root volume size (GB)
+      VolumeType:
+        default: Volume Type
+      VolumeEncryption:
+        default: Volume encryption KMS key identifier
+      EnableInstanceConnect:
+        default: Enable AWS Instance Connect
+      GatewayPredefinedRole:
+        default: Existing IAM role name
+      TerminationProtection:
+        default: Termination Protection
+      MetaDataToken:
+        default: Metadata HTTP token
+      GatewayVersion:
+        default: Gateways version & license
+      Shell:
+        default: Admin shell
+      GatewayPasswordHash:
+        default: Password hash
+      GatewayMaintenancePasswordHash:
+        default: Gateway Maintenance Password hash
+      GatewaySICKey:
+        default: SIC key
+      MemberAToken:
+        default: Smart-1 Cloud Token for member A
+      MemberBToken:
+        default: Smart-1 Cloud Token for member B
+      ResourcesTagName:
+        default: Resources prefix tag
+      GatewayHostname:
+        default: Gateway Hostname
+      AllowUploadDownload:
+        default: Allow upload & download
+      CloudWatch:
+        default: CloudWatch metrics
+      GatewayBootstrapScript:
+        default: Bootstrap Script
+      NTPPrimary:
+        default: Primary NTP server
+      NTPSecondary:
+        default: Secondary NTP server
+Parameters:
+  VPC:
+    Description: Select an existing VPC.
+    Type: AWS::EC2::VPC::Id
+    MinLength: 1
+    ConstraintDescription: you must select a VPC.
+  PublicSubnetA:
+    Description: Select a public subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the first Security Gateway.
+  PublicSubnetB:
+    Description: Select a public subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a public subnet for the second Security Gateway.
+  PrivateSubnetA:
+    Description: Select a private subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the first Security Gateway.
+  PrivateSubnetB:
+    Description: Select a private subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a private subnet for the second Security Gateway.
+  TgwHASubnetA:
+    Description: Select a TGW HA subnet for the first Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway.
+  TgwHASubnetB:
+    Description: Select a TGW HA subnet for the second Security Gateway.
+    Type: AWS::EC2::Subnet::Id
+    MinLength: 1
+    ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway.
+  InternalRouteTable:
+    Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+    Type: String
+    Default: ''
+  GatewayName:
+    Description: The name tag of the Security Gateway instances. (optional)
+    Type: String
+    Default: Check-Point-Cluster
+  GatewayInstanceType:
+    Type: String
+    Default: c6i.xlarge
+    AllowedValues:
+      - c4.large
+      - c4.xlarge
+      - c5.large
+      - c5.xlarge
+      - c5.2xlarge
+      - c5.4xlarge
+      - c5.9xlarge
+      - c5.12xlarge
+      - c5.18xlarge
+      - c5.24xlarge
+      - c5n.large
+      - c5n.xlarge
+      - c5n.2xlarge
+      - c5n.4xlarge
+      - c5n.9xlarge
+      - c5n.18xlarge
+      - c5d.large
+      - c5d.xlarge
+      - c5d.2xlarge
+      - c5d.4xlarge
+      - c5d.9xlarge
+      - c5d.12xlarge
+      - c5d.18xlarge
+      - c5d.24xlarge
+      - m5.large
+      - m5.xlarge
+      - m5.2xlarge
+      - m5.4xlarge
+      - m5.8xlarge
+      - m5.12xlarge
+      - m5.16xlarge
+      - m5.24xlarge
+      - m6i.large
+      - m6i.xlarge
+      - m6i.2xlarge
+      - m6i.4xlarge
+      - m6i.8xlarge
+      - m6i.12xlarge
+      - m6i.16xlarge
+      - m6i.24xlarge
+      - m6i.32xlarge
+      - c6i.large
+      - c6i.xlarge
+      - c6i.2xlarge
+      - c6i.4xlarge
+      - c6i.8xlarge
+      - c6i.12xlarge
+      - c6i.16xlarge
+      - c6i.24xlarge
+      - c6i.32xlarge
+      - r5.large
+      - r5.xlarge
+      - r5.2xlarge
+      - r5.4xlarge
+      - r5.8xlarge
+      - r5.12xlarge
+      - r5.16xlarge
+      - r5.24xlarge
+      - r5a.large
+      - r5a.xlarge
+      - r5a.2xlarge
+      - r5a.4xlarge
+      - r5a.8xlarge
+      - r5a.12xlarge
+      - r5a.16xlarge
+      - r5a.24xlarge
+      - r5b.large
+      - r5b.xlarge
+      - r5b.2xlarge
+      - r5b.4xlarge
+      - r5b.8xlarge
+      - r5b.12xlarge
+      - r5b.16xlarge
+      - r5b.24xlarge
+      - r5n.large
+      - r5n.xlarge
+      - r5n.2xlarge
+      - r5n.4xlarge
+      - r5n.8xlarge
+      - r5n.12xlarge
+      - r5n.16xlarge
+      - r5n.24xlarge
+      - r6i.large
+      - r6i.xlarge
+      - r6i.2xlarge
+      - r6i.4xlarge
+      - r6i.8xlarge
+      - r6i.12xlarge
+      - r6i.16xlarge
+      - r6i.24xlarge
+      - r6i.32xlarge
+      - m6a.large
+      - m6a.xlarge
+      - m6a.2xlarge
+      - m6a.4xlarge
+      - m6a.8xlarge
+      - m6a.12xlarge
+      - m6a.16xlarge
+      - m6a.24xlarge
+      - m6a.32xlarge
+      - m6a.48xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+    Type: AWS::EC2::KeyPair::KeyName
+    MinLength: 1
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  AllocatePublicAddress:
+    Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+    Default: true
+    Type: String
+    AllowedValues:
+      - true
+      - false
+  VolumeSize:
+    Type: Number
+    Default: 100
+    MinValue: 100
+  VolumeType:
+    Description: General Purpose SSD Volume Type
+    Type: String
+    Default: gp3
+    AllowedValues:
+      - gp3
+      - gp2
+  VolumeEncryption:
+    Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+    Type: String
+    Default: alias/aws/ebs
+  EnableInstanceConnect:
+    Description: Enable SSH connection over AWS web console.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayPredefinedRole:
+    Description: A predefined IAM role to attach to the cluster profile. (optional)
+    Type: String
+    Default: ''
+  TerminationProtection:
+    Description: Prevents an instance from accidental termination.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  MetaDataToken:
+    Description: Set true to deploy the instance with metadata v2 token required.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  GatewayVersion:
+    Description: The license to install on the Security Gateways.
+    Type: String
+    Default: R81.10-BYOL
+    AllowedValues:
+      - R81.10-BYOL
+      - R82-BYOL
+      - R82.10-BYOL
+  Shell:
+    Description: Change the admin shell to enable advanced command line configuration.
+    Type: String
+    Default: /etc/cli.sh
+    AllowedValues:
+      - /etc/cli.sh
+      - /bin/bash
+      - /bin/csh
+      - /bin/tcsh
+  GatewayPasswordHash:
+    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+      get the PASSWORD's hash). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+    NoEcho: true
+  GatewayMaintenancePasswordHash:
+    Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+    Type: String
+    Default: ''
+    AllowedPattern: '[\$\./a-zA-Z0-9]*'
+    NoEcho: true
+  GatewaySICKey:
+    Description: The Secure Internal Communication key creates trusted connections between
+      Check Point components. Choose a random string consisting of at least 8
+      alphanumeric characters.
+    Type: String
+    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+    ConstraintDescription: At least 8 alpha numeric characters.
+    NoEcho: true
+  MemberAToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  MemberBToken:
+    Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+    AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+    Type: String
+    NoEcho: true
+  ResourcesTagName:
+    Description: Name tag prefix of the resources. (optional)
+    Type: String
+    Default: ''
+  GatewayHostname:
+    Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+    Type: String
+    Default: ''
+    AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+    ConstraintDescription: A valid hostname label or an empty string.
+  AllowUploadDownload:
+    Description: >-
+      Automatically download updates and share statistical data for product improvement purpose.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  CloudWatch:
+    Description: Report Check Point specific CloudWatch metrics.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  GatewayBootstrapScript:
+    Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+    Type: String
+    Default: ''
+    NoEcho: true
+  NTPPrimary:
+    Description: (optional)
+    Type: String
+    Default: 169.254.169.123
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+  NTPSecondary:
+    Description: (optional)
+    Type: String
+    Default: 0.pool.ntp.org
+    AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+  AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+  ClusterStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml
+      Parameters:
+        VPC: !Ref VPC
+        PublicSubnetA: !Ref PublicSubnetA
+        PublicSubnetB: !Ref PublicSubnetB
+        PrivateSubnetA: !Ref PrivateSubnetA
+        PrivateSubnetB: !Ref PrivateSubnetB
+        InternalRouteTable: !Ref InternalRouteTable
+        GatewayName: !Ref GatewayName
+        GatewayInstanceType: !Ref GatewayInstanceType
+        KeyName: !Ref KeyName
+        AllocatePublicAddress: !Ref AllocatePublicAddress
+        VolumeSize: !Ref VolumeSize
+        VolumeType: !Ref VolumeType
+        VolumeEncryption: !Ref VolumeEncryption
+        EnableInstanceConnect: !Ref EnableInstanceConnect
+        GatewayPredefinedRole: !Ref GatewayPredefinedRole
+        TerminationProtection: !Ref TerminationProtection
+        MetaDataToken: !Ref MetaDataToken
+        GatewayVersion: !Ref GatewayVersion
+        Shell: !Ref Shell
+        GatewayPasswordHash: !Ref GatewayPasswordHash
+        GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+        GatewaySICKey: !Ref GatewaySICKey
+        MemberAToken: !Ref MemberAToken
+        MemberBToken: !Ref MemberBToken
+        ResourcesTagName: !Ref ResourcesTagName
+        GatewayHostname: !Ref GatewayHostname
+        AllowUploadDownload: !Ref AllowUploadDownload
+        CloudWatch: !Ref CloudWatch
+        GatewayBootstrapScript: !Ref GatewayBootstrapScript
+        NTPPrimary: !Ref NTPPrimary
+        NTPSecondary: !Ref NTPSecondary
+  TGWRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: TGW Subnets
+  TGWDefaultRoute:
+    Type: AWS::EC2::Route
+    DependsOn: ClusterStack
+    Properties:
+      DestinationCidrBlock: 0.0.0.0/0
+      NetworkInterfaceId: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+      RouteTableId: !Ref TGWRouteTable
+  TGWNSubnet1RouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: TGWRouteTable
+    Properties:
+      RouteTableId: !Ref TGWRouteTable
+      SubnetId: !Ref TgwHASubnetA
+  TGWSubnet2RouteAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: TGWRouteTable
+    Properties:
+      RouteTableId: !Ref TGWRouteTable
+      SubnetId: !Ref TgwHASubnetB
+Outputs:
+  MemberAPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+  MemberASSH:
+    Condition: AllocateAddress
+    Description: SSH command to member A.
+    Value: !GetAtt ClusterStack.Outputs.MemberASSH
+  MemberAURL:
+    Condition: AllocateAddress
+    Description: URL to the member A portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberAURL
+  MemberBPublicAddress:
+    Condition: AllocateAddress
+    Description: The public address of member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+  MemberBSSH:
+    Condition: AllocateAddress
+    Description: SSH command to member B.
+    Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+  MemberBURL:
+    Condition: AllocateAddress
+    Description: URL to the member B portal.
+    Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+  MemberATokenNotProvided:
+    RuleCondition: !Equals [!Ref MemberAToken, '']
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+        Assert: !Equals [!Ref MemberBToken, '']
+  MemberBTokenNotProvided:
+    RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+    Assertions:
+      - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+  MembersTokenValueEquals:
+    RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+    Assertions:
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberAToken, '' ]
+      - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+        Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/utils/amis.yaml b/china/aws/templates/utils/amis.yaml
new file mode 100644
index 00000000..be62f083
--- /dev/null
+++ b/china/aws/templates/utils/amis.yaml
@@ -0,0 +1,52 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Returns a Check Point Amazon Machine ID (20230110)
+Parameters:
+  Version:
+    Description: Security Gateway or Management Server version
+    Type: String
+    Default: R81.20-BYOL-GW
+    AllowedValues:
+      - R81.10-BYOL-MGMT
+      - R81.10-BYOL-GW
+      - R81.20-BYOL-MGMT
+      - R81.20-BYOL-GW
+      - R82-BYOL-MGMT
+      - R82-BYOL-GW
+Mappings:
+  ConverterMap:
+    R81.10-BYOL-MGMT:
+      Value: R8110BYOLMGMT
+    R81.10-BYOL-GW:
+      Value: R8110BYOLGW
+    R81.20-BYOL-MGMT:
+      Value: R8120BYOLMGMT
+    R81.20-BYOL-GW:
+      Value: R8120BYOLGW
+    R82-BYOL-MGMT:
+      Value: R82BYOLMGMT
+    R82-BYOL-GW:
+      Value: R82BYOLGW
+
+  RegionMap:
+    cn-northwest-1:
+      R8110BYOLMGMT: ami-064a33bb86b69a7d3
+      R8110BYOLGW: ami-06e176c827e5c4ca7
+      R8120BYOLMGMT: ami-0cf32d6b94fd87cc5
+      R8120BYOLGW: ami-000a805e697d66b87
+      R82BYOLMGMT: ami-0d08805f54e5726cb
+      R82BYOLGW: ami-0aa3165569c350981
+    cn-north-1:
+      R8110BYOLMGMT: ami-045ed4c9758825acf
+      R8110BYOLGW: ami-04028fc05932c373f
+      R8120BYOLMGMT: ami-057f2fe0648449168
+      R8120BYOLGW: ami-00d3fd4736380432d
+      R82BYOLMGMT: ami-01e5f75e87e8566b6
+      R82BYOLGW: ami-0e23b21a74123f268
+Resources:
+  DummyHandle:
+    Type: AWS::CloudFormation::WaitConditionHandle
+    Properties: {}
+Outputs:
+  ImageId:
+    Description: Check Point Security Gateway AMI
+    Value: !FindInMap [RegionMap ,!Ref 'AWS::Region', !FindInMap [ConverterMap, !Ref 'Version', Value]]
diff --git a/china/aws/templates/utils/copy-lambda-zip.yaml b/china/aws/templates/utils/copy-lambda-zip.yaml
new file mode 100755
index 00000000..0da17643
--- /dev/null
+++ b/china/aws/templates/utils/copy-lambda-zip.yaml
@@ -0,0 +1,138 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create an S3 bucket in the same region as the stack, and copy a zip of a Lambda from remote bucket to it (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Lambda zip location
+        Parameters:
+          - SourceBucketName
+          - FolderName
+          - LambdaPathObjects
+    ParameterLabels:
+      SourceBucketName:
+        default: Source Bucket Name
+      FolderName:
+        default: Folder Name
+      LambdaPathObjects:
+        default: Lambda Path
+Parameters:
+  SourceBucketName:
+    Description: The source bucket (e.g. lambda-bucket ).
+    Type: String
+    MinLength: 1
+  FolderName:
+    Description: The source folder (e.g. lambda-prefix/ ).
+    Type: String
+    AllowedPattern: '^[0-9a-zA-Z-_/]*/$'
+  LambdaPathObjects:
+    Description: A zip file (e.g. lambda.zip).
+    Type: String
+    AllowedPattern: '.*\.zip'
+Resources:
+  LambdaZipBucket:
+    Type: AWS::S3::Bucket
+  CopyZips:
+    Type: Custom::CopyZips
+    Properties:
+      ServiceToken: !GetAtt CopyZipsFunction.Arn
+      SourceBucket: !Ref SourceBucketName
+      DestBucket: !Ref LambdaZipBucket
+      Prefix: !Ref FolderName
+      Objects:
+        - !Ref LambdaPathObjects
+  CopyZipsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: !Sub lambda-copier-${LambdaZipBucket}
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                Resource:
+                  - !Sub arn:aws:s3:::${SourceBucketName}/${FolderName}*
+              - Effect: Allow
+                Action:
+                  - s3:PutObject
+                  - s3:DeleteObject
+                Resource:
+                  - !Sub arn:aws:s3:::${LambdaZipBucket}/${FolderName}*
+  CopyZipsFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      Description: Copies objects from a source S3 bucket to a destination.
+      Handler: index.handler
+      Runtime: python3.7
+      Role: !GetAtt CopyZipsRole.Arn
+      Timeout: 240
+      Code:
+        ZipFile: |
+          import json
+          import logging
+          import threading
+          import boto3
+          import cfnresponse
+
+
+          def copy_objects(source_bucket, dest_bucket, prefix, objects):
+              s3 = boto3.client('s3')
+              for o in objects:
+                  key = prefix + o
+                  copy_source = {'Bucket': source_bucket, 'Key': key }
+                  print(f'copy_source: {copy_source}')
+                  print(f'dest_bucket = {dest_bucket}')
+                  print(f'key = {key}')
+                  s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key)
+
+
+          def delete_objects(bucket, prefix, objects):
+              s3 = boto3.client('s3')
+              objects = {'Objects': [{'Key': prefix + o} for o in objects]}
+              s3.delete_objects(Bucket=bucket, Delete=objects)
+
+
+          def timeout(event, context):
+              logging.error('Execution is about to time out, sending failure'
+                            ' response to CloudFormation')
+              cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)
+
+
+          def handler(event, context):
+              # make sure we send a failure to CloudFormation if the function
+              # is going to timeout
+              timer = threading.Timer((context.get_remaining_time_in_millis()
+                                       / 1000.00) - 0.5, timeout, args=[event, context])
+              timer.start()
+
+              print(f'Received event: {json.dumps(event)}')
+              status = cfnresponse.SUCCESS
+              try:
+                  source_bucket = event['ResourceProperties']['SourceBucket']
+                  dest_bucket = event['ResourceProperties']['DestBucket']
+                  prefix = event['ResourceProperties']['Prefix']
+                  objects = event['ResourceProperties']['Objects']
+                  if event['RequestType'] == 'Delete':
+                      delete_objects(dest_bucket, prefix, objects)
+                  else:
+                      copy_objects(source_bucket, dest_bucket, prefix, objects)
+              except Exception as e:
+                  logging.error('Exception: %s' % e, exc_info=True)
+                  status = cfnresponse.FAILED
+              finally:
+                  timer.cancel()
+                  cfnresponse.send(event, context, status, {}, None)
+Outputs:
+  LambdaZipBucket:
+    Description: The new S3 bucket in the local region.
+    Value: !Ref LambdaZipBucket
\ No newline at end of file
diff --git a/china/aws/templates/utils/tap-target-and-filter.yaml b/china/aws/templates/utils/tap-target-and-filter.yaml
new file mode 100755
index 00000000..d1fea268
--- /dev/null
+++ b/china/aws/templates/utils/tap-target-and-filter.yaml
@@ -0,0 +1,68 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a traffic-mirror-filter and traffic-mirror-target (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+    - Label:
+        default: General Settings
+      Parameters:
+      - MirroringNetworkInterfaceId
+      - EnvironmentPrefix
+    ParameterLabels:
+      MirroringNetworkInterfaceId:
+        default: Mirroring target network interface id
+      EnvironmentPrefix:
+        default: Environment prefix for created resources
+Parameters:
+  MirroringNetworkInterfaceId:
+    Description: The network interface ID to which all the traffic will be mirrored.
+    Type: String
+    AllowedPattern: '^eni-[a-z0-9]+$'
+  EnvironmentPrefix:
+    Description: The environment prefix for created resources. (optional)
+    Type: String
+    AllowedPattern: '[a-zA-Z0-9-_]*'
+    Default: cp-tap
+Resources:
+  TrafficMirrorFilter:
+    Type: AWS::EC2::TrafficMirrorFilter
+    Properties:
+      Description: Traffic mirror filter.
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-filter]]
+  TrafficMirrorFilterRuleIngress:
+    Type: AWS::EC2::TrafficMirrorFilterRule
+    Properties:
+      Description: Traffic mirror filter rule - ingress.
+      DestinationCidrBlock: 0.0.0.0/0
+      RuleAction: accept
+      RuleNumber: 100
+      SourceCidrBlock: 0.0.0.0/0
+      TrafficDirection: ingress
+      TrafficMirrorFilterId: !Ref TrafficMirrorFilter
+  TrafficMirrorFilterRuleEgress:
+    Type: AWS::EC2::TrafficMirrorFilterRule
+    Properties:
+      Description: Traffic mirror filter rule - egress.
+      DestinationCidrBlock: 0.0.0.0/0
+      RuleAction: accept
+      RuleNumber: 100
+      SourceCidrBlock: 0.0.0.0/0
+      TrafficDirection: egress
+      TrafficMirrorFilterId: !Ref TrafficMirrorFilter
+  TrafficMirrorTarget:
+    Type: AWS::EC2::TrafficMirrorTarget
+    Properties:
+      Description: Traffic mirror target.
+      NetworkInterfaceId: !Ref MirroringNetworkInterfaceId
+      Tags:
+        - Key: Name
+          Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-target]]
+Outputs:
+  TrafficMirrorTargetId:
+    Description: Traffic mirror target id.
+    Value: !Ref TrafficMirrorTarget
+  TrafficMirrorFilterId:
+    Description: Traffic mirror filter id.
+    Value: !Ref TrafficMirrorFilter
\ No newline at end of file
diff --git a/china/aws/templates/utils/vpc-ipv6.yaml b/china/aws/templates/utils/vpc-ipv6.yaml
new file mode 100644
index 00000000..db242d5a
--- /dev/null
+++ b/china/aws/templates/utils/vpc-ipv6.yaml
@@ -0,0 +1,703 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (20260101)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Availability Zone Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+      - Label:
+          default: Network Configuration
+        Parameters:
+          - IPMode
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+          - CreatePrivateSubnets
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+          - PrivateSubnet3CIDR
+          - PrivateSubnet4CIDR
+          - CreateAttachmentSubnets
+          - AttachmentSubnet1CIDR
+          - AttachmentSubnet2CIDR
+          - AttachmentSubnet3CIDR
+          - AttachmentSubnet4CIDR
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of Availability Zones
+      IPMode:
+        default: IP Configuration Mode      
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PublicSubnet3CIDR:
+        default: Public subnet 3 CIDR
+      PublicSubnet4CIDR:
+        default: Public subnet 4 CIDR
+      CreatePrivateSubnets:
+        default: Create private subnets
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      PrivateSubnet3CIDR:
+        default: Private subnet 3 CIDR
+      PrivateSubnet4CIDR:
+        default: Private subnet 4 CIDR
+      CreateAttachmentSubnets:
+        default: Create Attachment subnets
+      AttachmentSubnet1CIDR:
+        default: Attachment subnet 1 CIDR
+      AttachmentSubnet2CIDR:
+        default: Attachment subnet 2 CIDR
+      AttachmentSubnet3CIDR:
+        default: Attachment subnet 3 CIDR
+      AttachmentSubnet4CIDR:
+        default: Attachment subnet 4 CIDR
+Parameters:
+  AvailabilityZones:
+    Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.'
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 1
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your
+      selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 1
+    MaxValue: 4
+  IPMode:
+    Description: Specifies the IP mode for the VPC and AWS resources.
+    Type: String
+    Default: DualStack
+    AllowedValues:
+      - IPv6
+      - DualStack
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  CreatePrivateSubnets:
+    Description: Set to false to create only public subnets. If false, the CIDR parameters.
+      for ALL private subnets will be ignored.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  PrivateSubnet1CIDR:
+    Description: CIDR block for private subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: CIDR block for private subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet3CIDR:
+    Description: CIDR block for private subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.31.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet4CIDR:
+    Description: CIDR block for private subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.41.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  CreateAttachmentSubnets:
+    Description: Set true for creating designated subnets for VPC attachments. If false,
+      the CIDR parameters for the Attachment subnets will be ignored.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  AttachmentSubnet1CIDR:
+    Description: CIDR block for Attachment subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.12.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet2CIDR:
+    Description: CIDR block for Attachment subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.22.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet3CIDR:
+    Description: CIDR block for Attachment subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.32.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet4CIDR:
+    Description: CIDR block for Attachment subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.42.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs]
+  PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true]
+  2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs]
+  3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs]
+  4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs]
+  AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true]
+  2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs]
+  3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs]
+  4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs]
+  IsIPv6Only: !Equals [!Ref IPMode, "IPv6"]
+  IsIPv4Enabled: !Not [!Condition IsIPv6Only]
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: !Ref VPCCIDR
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref 'AWS::StackName'
+  Ipv6CidrBlock:
+    DependsOn: VPC
+    Type: AWS::EC2::VPCCidrBlock
+    Properties:
+      VpcId: !Ref VPC
+      AmazonProvidedIpv6CidrBlock: true
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Ref 'AWS::StackName'
+        - Key: Network
+          Value: Public
+  VPCGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    DependsOn: [VPC, InternetGateway]
+    Properties:
+      VpcId: !Ref VPC
+      InternetGatewayId: !Ref InternetGateway
+  PublicSubnet1:
+    Type: AWS::EC2::Subnet
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet1CIDR]
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Public subnet 1
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true]
+  PublicSubnet2:
+    Condition: 2AZs
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet2CIDR]
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 1, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Public subnet 2
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true]
+  PublicSubnet3:
+    Condition: 3AZs
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet3CIDR]
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 2, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Public subnet 3
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true]
+  PublicSubnet4:
+    Condition: 4AZs
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet4CIDR]
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 3, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Public subnet 4
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true]
+  PublicSubnetRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: Public Subnets Route Table
+        - Key: Network
+          Value: Public
+  PublicSubnetRoute:
+    Condition: IsIPv4Enabled
+    DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable]
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId: !Ref PublicSubnetRouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref InternetGateway
+  PublicSubnetRouteIPv6:
+    DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable]
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId: !Ref PublicSubnetRouteTable
+      DestinationIpv6CidrBlock: ::/0
+      GatewayId: !Ref InternetGateway
+  PublicSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: [PublicSubnet1, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet1
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 2AZs
+    DependsOn: [PublicSubnet2, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet2
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet3RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 3AZs
+    DependsOn: [PublicSubnet3, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet3
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet4RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 4AZs
+    DependsOn: [PublicSubnet4, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet4
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PrivateSubnet1:
+    Type: AWS::EC2::Subnet
+    Condition: PrivateSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PrivateSubnet1CIDR]
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 4, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Private subnet 1
+        - Key: Network
+          Value: Private
+  PrivateSubnet2:
+    Type: AWS::EC2::Subnet
+    Condition: 2AZsPrivateSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PrivateSubnet2CIDR]
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 5, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
+      Tags:
+        - Key: Name
+          Value: Private subnet 2
+        - Key: Network
+          Value: Private
+  PrivateSubnet3:
+    Type: AWS::EC2::Subnet
+    Condition: 3AZsPrivateSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 6, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Private subnet 3
+        - Key: Network
+          Value: Private
+  PrivateSubnet4:
+    Type: AWS::EC2::Subnet
+    Condition: 4AZsPrivateSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 7, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Private subnet 4
+        - Key: Network
+          Value: Private
+  AttachmentSubnet1:
+    Condition: AttachmentSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 8, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 1
+        - Key: Network
+          Value: Private
+  AttachmentSubnet2:
+    Condition: AttachmentSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 9, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 2
+        - Key: Network
+          Value: Private
+  AttachmentSubnet3:
+    Condition: 3AZsAttachmentSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 10, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 3
+        - Key: Network
+          Value: Private
+  AttachmentSubnet4:
+    Condition: 4AZsAttachmentSubnets
+    DependsOn: [ VPC, Ipv6CidrBlock ]
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Ipv6CidrBlock: !Select [ 11, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+      AssignIpv6AddressOnCreation: true
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 4
+        - Key: Network
+          Value: Private
+Outputs:
+  VPCID:
+    Value: !Ref VPC
+    Description: VPC ID.
+    Export:
+      Name: !Sub '${AWS::StackName}-VPCID'
+  VPCCIDR:
+    Value: !Ref VPCCIDR
+    Description: VPC CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-VPCCIDR'
+  PublicSubnet1CIDR:
+    Description: Public subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref PublicSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR'
+  PublicSubnet1ID:
+    Description: Public subnet 1 ID in Availability Zone 1.
+    Value: !Ref PublicSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet1ID'
+  PublicSubnet2CIDR:
+    Condition: 2AZs
+    Description: Public subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref PublicSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR'
+  PublicSubnet2ID:
+    Condition: 2AZs
+    Description: Public subnet 2 ID in Availability Zone 2.
+    Value: !Ref PublicSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet2ID'
+  PublicSubnet3CIDR:
+    Condition: 3AZs
+    Description: Public subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref PublicSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR'
+  PublicSubnet3ID:
+    Condition: 3AZs
+    Description: Public subnet 3 ID in Availability Zone 3.
+    Value: !Ref PublicSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet3ID'
+  PublicSubnet4CIDR:
+    Condition: 4AZs
+    Description: Public subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref PublicSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR'
+  PublicSubnet4ID:
+    Condition: 4AZs
+    Description: Public subnet 4 ID in Availability Zone 4.
+    Value: !Ref PublicSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet4ID'
+  PublicSubnetRouteTable:
+    Value: !Ref PublicSubnetRouteTable
+    Description: Public subnet route table.
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable'
+  PrivateSubnet1CIDR:
+    Condition: PrivateSubnets
+    Description: Private subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref PrivateSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR'
+  PrivateSubnet1ID:
+    Condition: PrivateSubnets
+    Description: Private subnet 1 ID in Availability Zone 1.
+    Value: !Ref PrivateSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet1ID'
+  PrivateSubnet2CIDR:
+    Condition: 2AZsPrivateSubnets
+    Description: Private subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref PrivateSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR'
+  PrivateSubnet2ID:
+    Condition: 2AZsPrivateSubnets
+    Description: Private subnet 2 ID in Availability Zone 2.
+    Value: !Ref PrivateSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet2ID'
+  PrivateSubnet3CIDR:
+    Condition: 3AZsPrivateSubnets
+    Description: Private subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref PrivateSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR'
+  PrivateSubnet3ID:
+    Condition: 3AZsPrivateSubnets
+    Description: Private subnet 3 ID in Availability Zone 3.
+    Value: !Ref PrivateSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet3ID'
+  PrivateSubnet4CIDR:
+    Condition: 4AZsPrivateSubnets
+    Description: Private subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref PrivateSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR'
+  PrivateSubnet4ID:
+    Condition: 4AZsPrivateSubnets
+    Description: Private subnet 4 ID in Availability Zone 4.
+    Value: !Ref PrivateSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet4ID'
+  AttachmentSubnet1CIDR:
+    Condition: AttachmentSubnets
+    Description: Attachment subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref AttachmentSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR'
+  AttachmentSubnet1ID:
+    Condition: AttachmentSubnets
+    Description: Attachment subnet 1 ID in Availability Zone 1.
+    Value: !Ref AttachmentSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID'
+  AttachmentSubnet2CIDR:
+    Condition: 2AZsAttachmentSubnets
+    Description: Attachment subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref AttachmentSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR'
+  AttachmentSubnet2ID:
+    Condition: 2AZsAttachmentSubnets
+    Description: Attachment subnet 2 ID in Availability Zone 2.
+    Value: !Ref AttachmentSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID'
+  AttachmentSubnet3CIDR:
+    Condition: 3AZsAttachmentSubnets
+    Description: Attachment subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref AttachmentSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR'
+  AttachmentSubnet3ID:
+    Condition: 3AZsAttachmentSubnets
+    Description: Attachment subnet 3 ID in Availability Zone 3.
+    Value: !Ref AttachmentSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID'
+  AttachmentSubnet4CIDR:
+    Condition: 4AZsAttachmentSubnets
+    Description: Attachment subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref AttachmentSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR'
+  AttachmentSubnet4ID:
+    Condition: 4AZsAttachmentSubnets
+    Description: Attachment subnet 4 ID in Availability Zone 4.
+    Value: !Ref AttachmentSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID'
+  IGWID:
+    Description: IGW ID.
+    Value: !Join ['', [!Ref InternetGateway]]
+    Export:
+      Name: !Sub '${AWS::StackName}-IGWID'
+  VPCIPv6CIDR:
+    Value: !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ]
+    Description: VPC IPv6 CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-VPCIPv6CIDR'
+  PublicSubnet1IPv6CIDR:
+    Description: Public subnet 1 IPv6 CIDR in Availability Zone 1.
+    Value: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet1IPv6CIDR'
+  PublicSubnet2IPv6CIDR:
+    Condition: 2AZs
+    Description: Public subnet 2 IPv6 CIDR in Availability Zone 2.
+    Value: !Select [ 1, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet2IPv6CIDR'
+  PublicSubnet3IPv6CIDR:
+    Condition: 3AZs
+    Description: Public subnet 3 IPv6 CIDR in Availability Zone 3.
+    Value: !Select [ 2, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet3IPv6CIDR'
+  PublicSubnet4IPv6CIDR:
+    Condition: 4AZs
+    Description: Public subnet 4 IPv6 CIDR in Availability Zone 4.
+    Value: !Select [ 3, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet4IPv6CIDR'
+  PrivateSubnet1IPv6CIDR:
+    Condition: PrivateSubnets
+    Description: Private subnet 1 IPv6 CIDR in Availability Zone 1.
+    Value: !Select [ 4, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet1IPv6CIDR'
+  PrivateSubnet2IPv6CIDR:
+    Condition: 2AZsPrivateSubnets
+    Description: Private subnet 2 IPv6 CIDR in Availability Zone 2.
+    Value: !Select [ 5, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet2IPv6CIDR'
+  PrivateSubnet3IPv6CIDR:
+    Condition: 3AZsPrivateSubnets
+    Description: Private subnet 3 IPv6 CIDR in Availability Zone 3.
+    Value: !Select [ 6, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet3IPv6CIDR'
+  PrivateSubnet4IPv6CIDR:
+    Condition: 4AZsPrivateSubnets
+    Description: Private subnet 4 IPv6 CIDR in Availability Zone 4.
+    Value: !Select [ 7, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet4IPv6CIDR'
+  AttachmentSubnet1IPv6CIDR:
+    Condition: AttachmentSubnets
+    Description: Attachment subnet 1 IPv6 CIDR in Availability Zone 1.
+    Value: !Select [ 8, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet1IPv6CIDR'
+  AttachmentSubnet2IPv6CIDR:
+    Condition: 2AZsAttachmentSubnets
+    Description: Attachment subnet 3 IPv6 CIDR in Availability Zone 3.
+    Value: !Select [ 9, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet2IPv6CIDR'
+  AttachmentSubnet3IPv6CIDR:
+    Condition: 3AZsAttachmentSubnets
+    Description: Attachment subnet 3 IPv6 CIDR in Availability Zone 3.
+    Value: !Select [ 10, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet3IPv6CIDR'
+  AttachmentSubnet4IPv6CIDR:
+    Condition: 4AZsAttachmentSubnets
+    Description: Attachment subnet 4 IPv6 CIDR in Availability Zone 4.
+    Value: !Select [ 11, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ]
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet4IPv6CIDR'
\ No newline at end of file
diff --git a/china/aws/templates/utils/vpc.yaml b/china/aws/templates/utils/vpc.yaml
new file mode 100644
index 00000000..71be7cd5
--- /dev/null
+++ b/china/aws/templates/utils/vpc.yaml
@@ -0,0 +1,571 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (20250617)
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Availability Zone Configuration
+        Parameters:
+          - AvailabilityZones
+          - NumberOfAZs
+      - Label:
+          default: Network Configuration
+        Parameters:
+          - VPCCIDR
+          - PublicSubnet1CIDR
+          - PublicSubnet2CIDR
+          - PublicSubnet3CIDR
+          - PublicSubnet4CIDR
+          - CreatePrivateSubnets
+          - PrivateSubnet1CIDR
+          - PrivateSubnet2CIDR
+          - PrivateSubnet3CIDR
+          - PrivateSubnet4CIDR
+          - CreateAttachmentSubnets
+          - AttachmentSubnet1CIDR
+          - AttachmentSubnet2CIDR
+          - AttachmentSubnet3CIDR
+          - AttachmentSubnet4CIDR
+    ParameterLabels:
+      AvailabilityZones:
+        default: Availability Zones
+      NumberOfAZs:
+        default: Number of Availability Zones
+      VPCCIDR:
+        default: VPC CIDR
+      PublicSubnet1CIDR:
+        default: Public subnet 1 CIDR
+      PublicSubnet2CIDR:
+        default: Public subnet 2 CIDR
+      PublicSubnet3CIDR:
+        default: Public subnet 3 CIDR
+      PublicSubnet4CIDR:
+        default: Public subnet 4 CIDR
+      CreatePrivateSubnets:
+        default: Create private subnets
+      PrivateSubnet1CIDR:
+        default: Private subnet 1 CIDR
+      PrivateSubnet2CIDR:
+        default: Private subnet 2 CIDR
+      PrivateSubnet3CIDR:
+        default: Private subnet 3 CIDR
+      PrivateSubnet4CIDR:
+        default: Private subnet 4 CIDR
+      CreateAttachmentSubnets:
+        default: Create Attachment subnets
+      AttachmentSubnet1CIDR:
+        default: Attachment subnet 1 CIDR
+      AttachmentSubnet2CIDR:
+        default: Attachment subnet 2 CIDR
+      AttachmentSubnet3CIDR:
+        default: Attachment subnet 3 CIDR
+      AttachmentSubnet4CIDR:
+        default: Attachment subnet 4 CIDR
+Parameters:
+  AvailabilityZones:
+    Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.'
+    Type: List<AWS::EC2::AvailabilityZone::Name>
+    MinLength: 1
+  NumberOfAZs:
+    Description: Number of Availability Zones to use in the VPC. This must match your
+      selections in the list of Availability Zones parameter.
+    Type: Number
+    Default: 2
+    MinValue: 1
+    MaxValue: 4
+  VPCCIDR:
+    Description: CIDR block for the VPC.
+    Type: String
+    Default: 10.0.0.0/16
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet1CIDR:
+    Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.10.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet2CIDR:
+    Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.20.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet3CIDR:
+    Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.30.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PublicSubnet4CIDR:
+    Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.40.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  CreatePrivateSubnets:
+    Description: Set to false to create only public subnets. If false, the CIDR parameters.
+      for ALL private subnets will be ignored.
+    Type: String
+    Default: true
+    AllowedValues:
+      - true
+      - false
+  PrivateSubnet1CIDR:
+    Description: CIDR block for private subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.11.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet2CIDR:
+    Description: CIDR block for private subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.21.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet3CIDR:
+    Description: CIDR block for private subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.31.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  PrivateSubnet4CIDR:
+    Description: CIDR block for private subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.41.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  CreateAttachmentSubnets:
+    Description: Set true for creating designated subnets for VPC attachments. If false,
+      the CIDR parameters for the Attachment subnets will be ignored.
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+  AttachmentSubnet1CIDR:
+    Description: CIDR block for Attachment subnet 1 located in Availability Zone 1.
+    Type: String
+    Default: 10.0.12.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet2CIDR:
+    Description: CIDR block for Attachment subnet 2 located in Availability Zone 2.
+    Type: String
+    Default: 10.0.22.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet3CIDR:
+    Description: CIDR block for Attachment subnet 3 located in Availability Zone 3.
+    Type: String
+    Default: 10.0.32.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+  AttachmentSubnet4CIDR:
+    Description: CIDR block for Attachment subnet 4 located in Availability Zone 4.
+    Type: String
+    Default: 10.0.42.0/24
+    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+Conditions:
+  4AZs: !Equals [!Ref NumberOfAZs, 4]
+  3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+  2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs]
+  PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true]
+  2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs]
+  3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs]
+  4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs]
+  AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true]
+  2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs]
+  3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs]
+  4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs]
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: !Ref VPCCIDR
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref 'AWS::StackName'
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Ref 'AWS::StackName'
+        - Key: Network
+          Value: Public
+  VPCGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    DependsOn: [VPC, InternetGateway]
+    Properties:
+      VpcId: !Ref VPC
+      InternetGatewayId: !Ref InternetGateway
+  PublicSubnet1:
+    Type: AWS::EC2::Subnet
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PublicSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Public subnet 1
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: true
+  PublicSubnet2:
+    Condition: 2AZs
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PublicSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Public subnet 2
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: true
+  PublicSubnet3:
+    Condition: 3AZs
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PublicSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Public subnet 3
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: true
+  PublicSubnet4:
+    Condition: 4AZs
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PublicSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Public subnet 4
+        - Key: Network
+          Value: Public
+      MapPublicIpOnLaunch: true
+  PublicSubnetRouteTable:
+    Type: AWS::EC2::RouteTable
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: Public Subnets Route Table
+        - Key: Network
+          Value: Public
+  PublicSubnetRoute:
+    DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable]
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId: !Ref PublicSubnetRouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref InternetGateway
+  PublicSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    DependsOn: [PublicSubnet1, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet1
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 2AZs
+    DependsOn: [PublicSubnet2, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet2
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet3RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 3AZs
+    DependsOn: [PublicSubnet3, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet3
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PublicSubnet4RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Condition: 4AZs
+    DependsOn: [PublicSubnet4, PublicSubnetRouteTable]
+    Properties:
+      SubnetId: !Ref PublicSubnet4
+      RouteTableId: !Ref PublicSubnetRouteTable
+  PrivateSubnet1:
+    Type: AWS::EC2::Subnet
+    Condition: PrivateSubnets
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Private subnet 1
+        - Key: Network
+          Value: Private
+  PrivateSubnet2:
+    Type: AWS::EC2::Subnet
+    Condition: 2AZsPrivateSubnets
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Private subnet 2
+        - Key: Network
+          Value: Private
+  PrivateSubnet3:
+    Type: AWS::EC2::Subnet
+    Condition: 3AZsPrivateSubnets
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Private subnet 3
+        - Key: Network
+          Value: Private
+  PrivateSubnet4:
+    Type: AWS::EC2::Subnet
+    Condition: 4AZsPrivateSubnets
+    DependsOn: VPC
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref PrivateSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Private subnet 4
+        - Key: Network
+          Value: Private
+  AttachmentSubnet1:
+    Condition: AttachmentSubnets
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet1CIDR
+      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 1
+        - Key: Network
+          Value: Private
+  AttachmentSubnet2:
+    Condition: AttachmentSubnets
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet2CIDR
+      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 2
+        - Key: Network
+          Value: Private
+  AttachmentSubnet3:
+    Condition: 3AZsAttachmentSubnets
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet3CIDR
+      AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 3
+        - Key: Network
+          Value: Private
+  AttachmentSubnet4:
+    Condition: 4AZsAttachmentSubnets
+    DependsOn: VPC
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref AttachmentSubnet4CIDR
+      AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+      Tags:
+        - Key: Name
+          Value: Attachment subnet 4
+        - Key: Network
+          Value: Private
+Outputs:
+  VPCID:
+    Value: !Ref VPC
+    Description: VPC ID.
+    Export:
+      Name: !Sub '${AWS::StackName}-VPCID'
+  VPCCIDR:
+    Value: !Ref VPCCIDR
+    Description: VPC CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-VPCCIDR'
+  PublicSubnet1CIDR:
+    Description: Public subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref PublicSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR'
+  PublicSubnet1ID:
+    Description: Public subnet 1 ID in Availability Zone 1.
+    Value: !Ref PublicSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet1ID'
+  PublicSubnet2CIDR:
+    Condition: 2AZs
+    Description: Public subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref PublicSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR'
+  PublicSubnet2ID:
+    Condition: 2AZs
+    Description: Public subnet 2 ID in Availability Zone 2.
+    Value: !Ref PublicSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet2ID'
+  PublicSubnet3CIDR:
+    Condition: 3AZs
+    Description: Public subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref PublicSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR'
+  PublicSubnet3ID:
+    Condition: 3AZs
+    Description: Public subnet 3 ID in Availability Zone 3.
+    Value: !Ref PublicSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet3ID'
+  PublicSubnet4CIDR:
+    Condition: 4AZs
+    Description: Public subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref PublicSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR'
+  PublicSubnet4ID:
+    Condition: 4AZs
+    Description: Public subnet 4 ID in Availability Zone 4.
+    Value: !Ref PublicSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnet4ID'
+  PublicSubnetRouteTable:
+    Value: !Ref PublicSubnetRouteTable
+    Description: Public subnet route table.
+    Export:
+      Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable'
+  PrivateSubnet1CIDR:
+    Condition: PrivateSubnets
+    Description: Private subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref PrivateSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR'
+  PrivateSubnet1ID:
+    Condition: PrivateSubnets
+    Description: Private subnet 1 ID in Availability Zone 1.
+    Value: !Ref PrivateSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet1ID'
+  PrivateSubnet2CIDR:
+    Condition: 2AZsPrivateSubnets
+    Description: Private subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref PrivateSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR'
+  PrivateSubnet2ID:
+    Condition: 2AZsPrivateSubnets
+    Description: Private subnet 2 ID in Availability Zone 2.
+    Value: !Ref PrivateSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet2ID'
+  PrivateSubnet3CIDR:
+    Condition: 3AZsPrivateSubnets
+    Description: Private subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref PrivateSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR'
+  PrivateSubnet3ID:
+    Condition: 3AZsPrivateSubnets
+    Description: Private subnet 3 ID in Availability Zone 3.
+    Value: !Ref PrivateSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet3ID'
+  PrivateSubnet4CIDR:
+    Condition: 4AZsPrivateSubnets
+    Description: Private subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref PrivateSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR'
+  PrivateSubnet4ID:
+    Condition: 4AZsPrivateSubnets
+    Description: Private subnet 4 ID in Availability Zone 4.
+    Value: !Ref PrivateSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-PrivateSubnet4ID'
+  AttachmentSubnet1CIDR:
+    Condition: AttachmentSubnets
+    Description: Attachment subnet 1 CIDR in Availability Zone 1.
+    Value: !Ref AttachmentSubnet1CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR'
+  AttachmentSubnet1ID:
+    Condition: AttachmentSubnets
+    Description: Attachment subnet 1 ID in Availability Zone 1.
+    Value: !Ref AttachmentSubnet1
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID'
+  AttachmentSubnet2CIDR:
+    Condition: 2AZsAttachmentSubnets
+    Description: Attachment subnet 2 CIDR in Availability Zone 2.
+    Value: !Ref AttachmentSubnet2CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR'
+  AttachmentSubnet2ID:
+    Condition: 2AZsAttachmentSubnets
+    Description: Attachment subnet 2 ID in Availability Zone 2.
+    Value: !Ref AttachmentSubnet2
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID'
+  AttachmentSubnet3CIDR:
+    Condition: 3AZsAttachmentSubnets
+    Description: Attachment subnet 3 CIDR in Availability Zone 3.
+    Value: !Ref AttachmentSubnet3CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR'
+  AttachmentSubnet3ID:
+    Condition: 3AZsAttachmentSubnets
+    Description: Attachment subnet 3 ID in Availability Zone 3.
+    Value: !Ref AttachmentSubnet3
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID'
+  AttachmentSubnet4CIDR:
+    Condition: 4AZsAttachmentSubnets
+    Description: Attachment subnet 4 CIDR in Availability Zone 4.
+    Value: !Ref AttachmentSubnet4CIDR
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR'
+  AttachmentSubnet4ID:
+    Condition: 4AZsAttachmentSubnets
+    Description: Attachment subnet 4 ID in Availability Zone 4.
+    Value: !Ref AttachmentSubnet4
+    Export:
+      Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID'
+  IGWID:
+    Description: IGW ID.
+    Value: !Join ['', [!Ref InternetGateway]]
+    Export:
+      Name: !Sub '${AWS::StackName}-IGWID'
\ No newline at end of file
diff --git a/china/azure/marketplace-gateway-load-balancer/README.md b/china/azure/marketplace-gateway-load-balancer/README.md
index 4e55d4a8..58211fd7 100644
--- a/china/azure/marketplace-gateway-load-balancer/README.md
+++ b/china/azure/marketplace-gateway-load-balancer/README.md
@@ -11,12 +11,12 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FcreateUiDefinition.json
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FcreateUiDefinition.json
 ">
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 </a>
 
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json)
 
 
diff --git a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json
index 3cd3057f..8fdd9c41 100644
--- a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json
+++ b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json
@@ -110,6 +110,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -733,6 +737,204 @@
             },
             "count": "[steps('chkp-advanced').vmCount]"
           },
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-byol"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
+          },
+          {
+            "name": "R8210vmSizeUiNGTP",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTP)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtp"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
+          },
+          {
+            "name": "R8210vmSizeUiNGTX",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTX)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtx"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
+          },
           {
             "name": "sicKeyUi",
             "type": "Microsoft.Common.PasswordBox",
@@ -750,6 +952,7 @@
               "hideConfirmation": false
             }
           }
+
         ]
       },
       {
@@ -1352,6 +1555,35 @@
             },
             "visible": "[steps('network').NSG]"
           },
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
+          },
           {
             "name": "addStorageAccountIpRules",
             "type": "Microsoft.Common.OptionsGroup",
@@ -1369,9 +1601,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/zh-cn/troubleshoot/azure/virtual-machines/linux/serial-console-linux' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/zh-cn/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -1426,7 +1697,7 @@
       "availabilityZonesNum": "[coalesce(steps('chkp-advanced').availabilityZonesNum, int('0'))]",
       "customMetrics": "[steps('chkp-advanced').customMetrics]",
       "cloudGuardVersion": "[concat(steps('autoprovision').cloudGuardVersion, ' - ', coalesce(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
-      "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX, steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX)]",
+      "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX, steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX, steps('autoprovision').R8210vmSizeUiBYOL, steps('autoprovision').R8210vmSizeUiNGTP, steps('autoprovision').R8210vmSizeUiNGTX)]",
       "sicKey": "[steps('autoprovision').sicKeyUi]",
       "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
       "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
@@ -1445,9 +1716,11 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
       "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]",
       "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
       "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
index 8a8c16c4..58e700f3 100644
--- a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
+++ b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "subscriptionId": {
@@ -21,7 +21,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -319,7 +320,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -393,19 +394,39 @@
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/zh-cn/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -422,7 +443,10 @@
       "R81.20 - Pay As You Go (NGTX)": "NGTX",
       "R82 - Bring Your Own License": "BYOL",
       "R82 - Pay As You Go (NGTP)": "NGTP",
-      "R82 - Pay As You Go (NGTX)": "NGTX"
+      "R82 - Pay As You Go (NGTX)": "NGTX",
+      "R82.10 - Bring Your Own License": "BYOL",
+      "R82.10 - Pay As You Go (NGTP)": "NGTP",
+      "R82.10 - Pay As You Go (NGTX)": "NGTX"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
@@ -434,224 +458,781 @@
       "R81.20 - Pay As You Go (NGTX)": "R8120",
       "R82 - Bring Your Own License": "R82",
       "R82 - Pay As You Go (NGTP)": "R82",
-      "R82 - Pay As You Go (NGTX)": "R82"
+      "R82 - Pay As You Go (NGTX)": "R82",
+      "R82.10 - Bring Your Own License": "R8210",
+      "R82.10 - Pay As You Go (NGTP)": "R8210",
+      "R82.10 - Pay As You Go (NGTX)": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "chinanorth": [
         "139.217.51.16",
@@ -680,7 +1261,7 @@
     "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]",
     "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]",
     "vxlanParametersForR82": "kernel_parameters:\n  sim:\n    - sim_enable_vxlan=3\n    - sim_enable_gre=3\n  fw: \n    - fw_enable_vxlan=1\n    - fw_enable_gre=1",
-    "cloudConfigParams": [
+    "cloudConfigParams":[
       "[concat('installationType=\\\"', variables('installationType'), '\\\"')]",
       "[concat('allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"')]",
       "[concat('osVersion=\\\"', variables('osVersion'), '\\\"')]",
@@ -787,7 +1368,7 @@
       }
     },
     "upgrading": "[equals(parameters('upgrading'), 'yes')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/gateway-load-balancers.json', parameters('_artifactsLocationSasToken')))]",
     "lbsTargetRGName": "[parameters('lbsTargetRGName')]",
@@ -838,7 +1419,7 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
@@ -1003,6 +1584,7 @@
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2021-06-01",
@@ -1020,7 +1602,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -1111,10 +1693,7 @@
             ]
           },
           "diagnosticsProfile": {
-            "bootDiagnostics": {
-              "enabled": "true",
-              "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
-            }
+            "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
           }
         },
         "overprovision": false
diff --git a/china/azure/marketplace-ha/README.md b/china/azure/marketplace-ha/README.md
index f9419db6..30aa4fea 100644
--- a/china/azure/marketplace-ha/README.md
+++ b/china/azure/marketplace-ha/README.md
@@ -11,11 +11,11 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-ha%2FcreateUiDefinition.json">
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-ha%2FcreateUiDefinition.json">
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 </a>
 
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json)
 
 
diff --git a/china/azure/marketplace-ha/createUiDefinition.json b/china/azure/marketplace-ha/createUiDefinition.json
index 6b59bdda..361ad3e5 100644
--- a/china/azure/marketplace-ha/createUiDefinition.json
+++ b/china/azure/marketplace-ha/createUiDefinition.json
@@ -88,6 +88,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -711,6 +715,204 @@
             },
             "count": 2
           },
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-byol"
+            },
+            "count": 2
+          },
+          {
+            "name": "R8210vmSizeUiNGTP",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtp"
+            },
+            "count": 2
+          },
+          {
+            "name": "R8210vmSizeUiNGTX",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtx"
+            },
+            "count": 2
+          },
           {
             "name": "sicKeyUi",
             "type": "Microsoft.Common.PasswordBox",
@@ -1102,7 +1304,7 @@
             "name": "floatingIP",
             "type": "Microsoft.Common.OptionsGroup",
             "label": "Deploy the Load Balancers with floating IP",
-            "defaultValue": "No",
+            "defaultValue": "Yes",
             "toolTip": "Deploy the Load Balancers with floating IP.",
             "constraints": {
               "allowedValues": [
@@ -1478,6 +1680,35 @@
             },
             "visible": "[steps('network').NSG]"
           },
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
+          },
           {
             "name": "addStorageAccountIpRules",
             "type": "Microsoft.Common.OptionsGroup",
@@ -1495,9 +1726,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -1540,7 +1810,7 @@
       "authenticationType": "[basics('auth').authenticationType]",
       "sshPublicKey": "[basics('auth').sshPublicKey]",
       "vmName": "[basics('clusterObjectNameUi')]",
-      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX)]",
+      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiNGTP, steps('chkp').R8210vmSizeUiNGTX)]",
       "sicKey": "[steps('chkp').sicKeyUi]",
       "virtualNetworkName": "[steps('network').virtualNetwork.name]",
       "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
@@ -1571,7 +1841,9 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
-      "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]",
       "VipsNumber": "[int(steps('network').Vips_Number)]",
       "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]",
       "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
diff --git a/china/azure/marketplace-ha/mainTemplate.json b/china/azure/marketplace-ha/mainTemplate.json
index bd2ec8f6..d53c21d7 100644
--- a/china/azure/marketplace-ha/mainTemplate.json
+++ b/china/azure/marketplace-ha/mainTemplate.json
@@ -14,7 +14,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -66,7 +67,7 @@
         "no",
         "yes"
       ],
-      "defaultValue": "no",
+      "defaultValue": "yes",
       "metadata": {
         "description": "Deploy the Load Balancers with floating IP"
       }
@@ -279,7 +280,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -335,19 +336,39 @@
       "type": "string",
       "defaultValue": ""
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -367,7 +388,10 @@
       "R81.20 - Pay As You Go (NGTX)": "NGTX",
       "R82 - Bring Your Own License": "BYOL",
       "R82 - Pay As You Go (NGTP)": "NGTP",
-      "R82 - Pay As You Go (NGTX)": "NGTX"
+      "R82 - Pay As You Go (NGTX)": "NGTX",
+      "R82.10 - Bring Your Own License": "BYOL",
+      "R82.10 - Pay As You Go (NGTP)": "NGTP",
+      "R82.10 - Pay As You Go (NGTX)": "NGTX"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
@@ -379,224 +403,781 @@
       "R81.20 - Pay As You Go (NGTX)": "R8120",
       "R82 - Bring Your Own License": "R82",
       "R82 - Pay As You Go (NGTP)": "R82",
-      "R82 - Pay As You Go (NGTX)": "R82"
+      "R82 - Pay As You Go (NGTX)": "R82",
+      "R82.10 - Bring Your Own License": "R8210",
+      "R82.10 - Pay As You Go (NGTP)": "R8210",
+      "R82.10 - Pay As You Go (NGTX)": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "chinanorth": [
         "139.217.51.16",
@@ -732,7 +1313,7 @@
     "count": 2,
     "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
     "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "ExsitingNsgRoleAssignmentURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/existing-nsg-RoleAssignment', '.json'))]",
     "sicKey": "[parameters('sicKey')]",
@@ -877,13 +1458,14 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2022-09-01",
@@ -901,7 +1483,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -1206,7 +1788,7 @@
     },
     {
       "type": "Microsoft.Compute/virtualMachines",
-      "apiVersion": "2022-11-01",
+      "apiVersion": "2023-09-01",
       "dependsOn": [
         "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
         "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]",
@@ -1227,10 +1809,7 @@
         "UserData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]",
         "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]",
         "diagnosticsProfile": {
-          "bootDiagnostics": {
-            "enabled": "true",
-            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
-          }
+          "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
         },
         "hardwareProfile": {
           "vmSize": "[parameters('vmSize')]"
@@ -1332,7 +1911,7 @@
       "properties": {
         "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]",
         "scope": "[resourceGroup().id]",
-        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]"
+        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2023-09-01', 'Full').identity.principalId]"
       },
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
     },
@@ -1367,10 +1946,10 @@
             "value": "[variables('roleDefinitionIds')[copyIndex()]]"
           },
           "principalId1": {
-            "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]"
+            "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2023-09-01', 'Full').identity.principalId]"
           },
           "principalId2": {
-            "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]"
+            "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2023-09-01', 'Full').identity.principalId]"
           },
           "index": {
             "value": "[copyIndex()]"
diff --git a/china/azure/marketplace-management/README.md b/china/azure/marketplace-management/README.md
index 0371dd80..8a626c31 100644
--- a/china/azure/marketplace-management/README.md
+++ b/china/azure/marketplace-management/README.md
@@ -11,11 +11,11 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-management%2FcreateUiDefinition.json">
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-management%2FcreateUiDefinition.json">
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 </a>
 
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json)
 
 
diff --git a/china/azure/marketplace-management/createUiDefinition.json b/china/azure/marketplace-management/createUiDefinition.json
index 79b76ad6..068d7370 100644
--- a/china/azure/marketplace-management/createUiDefinition.json
+++ b/china/azure/marketplace-management/createUiDefinition.json
@@ -88,6 +88,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -291,6 +295,62 @@
             },
             "count": 1
           },
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "excludedSizes": [
+                "Standard_A1_v2",
+                "Standard_D1_v2",
+                "Standard_DS1_v2",
+                "Standard_F1",
+                "Standard_F1s",
+                "Standard_G1",
+                "Standard_GS1"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "mgmt-byol"
+            },
+            "count": 1
+          },
+          {
+            "name": "R8210vmSizeUiMGMT25",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "excludedSizes": [
+                "Standard_A1_v2",
+                "Standard_D1_v2",
+                "Standard_DS1_v2",
+                "Standard_F1",
+                "Standard_F1s",
+                "Standard_G1",
+                "Standard_GS1"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "mgmt-25"
+            },
+            "count": 1
+          },
           {
             "name": "managementGUIClientNetwork",
             "type": "Microsoft.Common.TextBox",
@@ -712,6 +772,35 @@
               "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
             },
             "visible": "[steps('network').NSG]"
+          }, 
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
           },
           {
             "name": "addStorageAccountIpRules",
@@ -730,9 +819,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -773,7 +901,7 @@
       "authenticationType": "[basics('auth').authenticationType]",
       "sshPublicKey": "[basics('auth').sshPublicKey]",
       "vmName": "[basics('gatewayNameUi')]",
-      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiMGMT25)]",
+      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiMGMT25, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiMGMT25)]",
       "virtualNetworkName": "[steps('network').virtualNetwork.name]",
       "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
       "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
@@ -786,7 +914,7 @@
       "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
       "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
       "additionalDiskSizeGB": "[int(steps('chkp-advanced').additionalDiskSizeGB)]",
-      "msi": "[steps('chkp-advanced').identityAccessManagement]",
+      "msi" : "[steps('chkp-advanced').identityAccessManagement]",
       "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp-advanced').VMDiskTypeOldVersions , steps('chkp-advanced').VMDiskType)]",
       "sourceImageVhdUri": "[coalesce(steps('chkp-advanced').sourceImageVhdUri, 'noCustomUri')]",
       "enableApi": "[steps('chkp-advanced').enableApi]",
@@ -794,8 +922,10 @@
       "tagsByResource": "[steps('tags').tagsByResource]",
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
-      "NewNsgName": "[steps('network').NSGName]",
-      "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+      "NewNsgName": "[steps('network').NSGName]",      
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]",
       "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
       "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
     }
diff --git a/china/azure/marketplace-management/mainTemplate.json b/china/azure/marketplace-management/mainTemplate.json
index d7e1777d..0fe332f0 100644
--- a/china/azure/marketplace-management/mainTemplate.json
+++ b/china/azure/marketplace-management/mainTemplate.json
@@ -14,7 +14,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -224,7 +225,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -251,19 +252,39 @@
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -276,7 +297,9 @@
       "R81.20 - Bring Your Own License": "BYOL",
       "R81.20 - Pay As You Go (MGMT25)": "MGMT25",
       "R82 - Bring Your Own License": "BYOL",
-      "R82 - Pay As You Go (MGMT25)": "MGMT25"
+      "R82 - Pay As You Go (MGMT25)": "MGMT25",
+      "R82.10 - Bring Your Own License": "BYOL",
+      "R82.10 - Pay As You Go (MGMT25)": "MGMT25"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
@@ -285,224 +308,780 @@
       "R81.20 - Bring Your Own License": "R8120",
       "R81.20 - Pay As You Go (MGMT25)": "R8120",
       "R82 - Bring Your Own License": "R82",
-      "R82 - Pay As You Go (MGMT25)": "R82"
+      "R82 - Pay As You Go (MGMT25)": "R82",
+      "R82.10 - Bring Your Own License": "R8210",
+      "R82.10 - Pay As You Go (MGMT25)": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "chinanorth": [
         "139.217.51.16",
@@ -582,7 +1161,7 @@
     "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
     "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
     "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
     "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
@@ -599,13 +1178,14 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2022-09-01",
@@ -623,7 +1203,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -720,6 +1300,7 @@
     },
     {
       "condition": "[parameters('deployNewNSG')]",
+      "dependsOn": ["[variables('publicIPAddressId')]"],
       "type": "Microsoft.Network/networkSecurityGroups",
       "apiVersion": "2020-06-01",
       "location": "[variables('location')]",
@@ -837,6 +1418,20 @@
               "priority": "170",
               "direction": "Inbound"
             }
+          },
+          {
+            "name": "Allow-self-IP-inbound",
+            "properties": {
+              "description": "Allow inbound traffic from the VM's public IP address",
+              "protocol": "*",
+              "sourcePortRange": "*",
+              "destinationPortRange": "*",
+              "sourceAddressPrefix": "[reference(variables('publicIPAddressId')).IpAddress]",
+              "destinationAddressPrefix": "*",
+              "access": "Allow",
+              "priority": "180",
+              "direction": "Inbound"
+            }
           }
         ]
       },
@@ -907,10 +1502,7 @@
       "properties": {
         "UserData": "[variables('customData64')]",
         "diagnosticsProfile": {
-          "bootDiagnostics": {
-            "enabled": "true",
-            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
-          }
+          "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
         },
         "hardwareProfile": {
           "vmSize": "[parameters('vmSize')]"
diff --git a/china/azure/marketplace-mds/README.md b/china/azure/marketplace-mds/README.md
index dfd4de9d..d3797206 100644
--- a/china/azure/marketplace-mds/README.md
+++ b/china/azure/marketplace-mds/README.md
@@ -11,12 +11,12 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-mds%2FcreateUiDefinition.json
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-mds%2FcreateUiDefinition.json
 ">
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 </a>
 
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json)
 
 
diff --git a/china/azure/marketplace-mds/createUiDefinition.json b/china/azure/marketplace-mds/createUiDefinition.json
index 125e6e1e..7ab848ea 100644
--- a/china/azure/marketplace-mds/createUiDefinition.json
+++ b/china/azure/marketplace-mds/createUiDefinition.json
@@ -88,6 +88,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -204,6 +208,35 @@
             },
             "count": 1
           },
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size. Minimum of 16 cores and 64 GB RAM is required.",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "excludedSizes": [
+                "Standard_A1_v2",
+                "Standard_D1_v2",
+                "Standard_DS1_v2",
+                "Standard_F1",
+                "Standard_F1s",
+                "Standard_G1",
+                "Standard_GS1"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "mgmt-byol"
+            },
+            "count": 1
+          },
           {
             "name": "managementGUIClientNetwork",
             "type": "Microsoft.Common.TextBox",
@@ -296,7 +329,7 @@
             }
           },
           {
-            "visible": "[bool(basics('auth').sshPublicKey)]",
+             "visible": "[bool(basics('auth').sshPublicKey)]",
             "name": "EnableSerialConsolePassword",
             "type": "Microsoft.Common.OptionsGroup",
             "label": "Enable Serial console password",
@@ -624,6 +657,35 @@
             },
             "visible": "[steps('network').NSG]"
           },
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
+          },
           {
             "name": "addStorageAccountIpRules",
             "type": "Microsoft.Common.OptionsGroup",
@@ -641,9 +703,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -684,7 +785,7 @@
       "authenticationType": "[basics('auth').authenticationType]",
       "sshPublicKey": "[basics('auth').sshPublicKey]",
       "vmName": "[basics('gatewayNameUi')]",
-      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R82vmSizeUiBYOL)]",
+      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R8210vmSizeUiBYOL)]",
       "virtualNetworkName": "[steps('network').virtualNetwork.name]",
       "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
       "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
@@ -705,8 +806,10 @@
       "tagsByResource": "[steps('tags').tagsByResource]",
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
-      "NewNsgName": "[steps('network').NSGName]",
-      "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+      "NewNsgName": "[steps('network').NSGName]",      
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]",
       "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
       "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
     }
diff --git a/china/azure/marketplace-mds/mainTemplate.json b/china/azure/marketplace-mds/mainTemplate.json
index 852acf6e..2ea055bc 100644
--- a/china/azure/marketplace-mds/mainTemplate.json
+++ b/china/azure/marketplace-mds/mainTemplate.json
@@ -14,7 +14,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -219,7 +220,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -246,19 +247,39 @@
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -268,230 +289,802 @@
     "offers": {
       "R81.10 - Bring Your Own License": "BYOL",
       "R81.20 - Bring Your Own License": "BYOL",
-      "R82 - Bring Your Own License": "BYOL"
+      "R82 - Bring Your Own License": "BYOL",
+      "R82.10 - Bring Your Own License": "BYOL"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
       "R81.10 - Bring Your Own License": "R8110",
       "R81.20 - Bring Your Own License": "R8120",
-      "R82 - Bring Your Own License": "R82"
+      "R82 - Bring Your Own License": "R82",
+      "R82.10 - Bring Your Own License": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
+      ],
+      "chinanorth": [
+        "139.217.51.16",
+        "139.217.171.176"
+      ],
+      "chinanorth2": [
+        "40.73.96.39",
+        "40.73.33.105"
+      ],
+      "chinaeast": [
+        "139.217.171.176",
+        "139.217.51.16"
+      ],
+      "chinaeast2": [
+        "40.73.33.105",
+        "40.73.96.39"
       ]
     },
     "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]",
@@ -547,7 +1140,7 @@
     "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
     "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
     "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
     "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
@@ -564,13 +1157,14 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2022-09-01",
@@ -588,7 +1182,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -872,10 +1466,7 @@
       "properties": {
         "UserData": "[variables('customData64')]",
         "diagnosticsProfile": {
-          "bootDiagnostics": {
-            "enabled": "true",
-            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
-          }
+          "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
         },
         "hardwareProfile": {
           "vmSize": "[parameters('vmSize')]"
diff --git a/china/azure/marketplace-single/README.md b/china/azure/marketplace-single/README.md
index 70e2b3ef..361b6517 100644
--- a/china/azure/marketplace-single/README.md
+++ b/china/azure/marketplace-single/README.md
@@ -11,12 +11,12 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-single%2FcreateUiDefinition.json">
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-single%2FcreateUiDefinition.json">
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 </a>
 
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json)
 
 
 
diff --git a/china/azure/marketplace-single/createUiDefinition.json b/china/azure/marketplace-single/createUiDefinition.json
index e19c85b8..d6e3bbdf 100644
--- a/china/azure/marketplace-single/createUiDefinition.json
+++ b/china/azure/marketplace-single/createUiDefinition.json
@@ -88,6 +88,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -711,6 +715,204 @@
             },
             "count": 1
           },
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-byol"
+            },
+            "count": 1
+          },
+          {
+            "name": "R8210vmSizeUiNGTP",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtp"
+            },
+            "count": 1
+          },
+          {
+            "name": "R8210vmSizeUiNGTX",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtx"
+            },
+            "count": 1
+          },
           {
             "name": "sicKeyUi",
             "type": "Microsoft.Common.PasswordBox",
@@ -1190,6 +1392,35 @@
             },
             "visible": "[steps('network').NSG]"
           },
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
+          },
           {
             "name": "addStorageAccountIpRules",
             "type": "Microsoft.Common.OptionsGroup",
@@ -1207,9 +1438,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -1251,7 +1521,7 @@
       "authenticationType": "[basics('auth').authenticationType]",
       "sshPublicKey": "[basics('auth').sshPublicKey]",
       "vmName": "[basics('gatewayNameUi')]",
-      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX )]",
+      "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiNGTP, steps('chkp').R8210vmSizeUiNGTX)]",
       "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
       "virtualNetworkName": "[steps('network').virtualNetwork.name]",
       "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
@@ -1277,7 +1547,10 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
-      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]"
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]"
     }
   }
 }
+
diff --git a/china/azure/marketplace-single/mainTemplate.json b/china/azure/marketplace-single/mainTemplate.json
index 927e838f..3b8b3291 100644
--- a/china/azure/marketplace-single/mainTemplate.json
+++ b/china/azure/marketplace-single/mainTemplate.json
@@ -21,7 +21,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -240,7 +241,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -286,19 +287,39 @@
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -314,7 +335,10 @@
       "R81.20 - Pay As You Go (NGTX)": "NGTX",
       "R82 - Bring Your Own License": "BYOL",
       "R82 - Pay As You Go (NGTP)": "NGTP",
-      "R82 - Pay As You Go (NGTX)": "NGTX"
+      "R82 - Pay As You Go (NGTX)": "NGTX",
+      "R82.10 - Bring Your Own License": "BYOL",
+      "R82.10 - Pay As You Go (NGTP)": "NGTP",
+      "R82.10 - Pay As You Go (NGTX)": "NGTX"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
@@ -326,224 +350,781 @@
       "R81.20 - Pay As You Go (NGTX)": "R8120",
       "R82 - Bring Your Own License": "R82",
       "R82 - Pay As You Go (NGTP)": "R82",
-      "R82 - Pay As You Go (NGTX)": "R82"
+      "R82 - Pay As You Go (NGTX)": "R82",
+      "R82.10 - Bring Your Own License": "R8210",
+      "R82.10 - Pay As You Go (NGTP)": "R8210",
+      "R82.10 - Pay As You Go (NGTX)": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "chinanorth": [
         "139.217.51.16",
@@ -573,7 +1154,7 @@
     "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
     "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
     "imagePublisher": "1740992136172",
-    "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'), equals(variables('osVersion'),'R82'))), 'mgmt-byol', 'sg-byol')]",
+    "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'), equals(variables('osVersion'),'R82'), equals(variables('osVersion'),'R8210'))), 'mgmt-byol', 'sg-byol')]",
     "imageReferenceBYOL": {
       "offer": "[variables('imageOffer')]",
       "publisher": "[variables('imagePublisher')]",
@@ -657,7 +1238,7 @@
     "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
     "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
     "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "sicKey": "[parameters('sicKey')]",
     "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
@@ -679,13 +1260,14 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2022-09-01",
@@ -703,7 +1285,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -899,10 +1481,7 @@
       "properties": {
         "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
         "diagnosticsProfile": {
-          "bootDiagnostics": {
-            "enabled": "true",
-            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
-          }
+          "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
         },
         "hardwareProfile": {
           "vmSize": "[parameters('vmSize')]"
diff --git a/china/azure/marketplace-vmss/README.md b/china/azure/marketplace-vmss/README.md
index 6ac40698..5930a779 100644
--- a/china/azure/marketplace-vmss/README.md
+++ b/china/azure/marketplace-vmss/README.md
@@ -11,13 +11,13 @@ Benefits:
 · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
 
 
-<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FcreateUiDefinition.json">
+<a href="https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FcreateUiDefinition.json">
 
  <img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" />
 
 </a>
 
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json)
 
 
 
diff --git a/china/azure/marketplace-vmss/createUiDefinition.json b/china/azure/marketplace-vmss/createUiDefinition.json
index d4b49a95..f77dc702 100644
--- a/china/azure/marketplace-vmss/createUiDefinition.json
+++ b/china/azure/marketplace-vmss/createUiDefinition.json
@@ -99,7 +99,7 @@
               "regex": "^[a-z0-9A-Z_\\-]{1,30}$",
               "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long."
             }
-          },
+          }, 
           {
             "name": "mgmtIPaddress",
             "type": "Microsoft.Common.TextBox",
@@ -131,6 +131,10 @@
                 {
                   "label": "R82",
                   "value": "R82"
+                },
+                {
+                  "label": "R82.10",
+                  "value": "R82.10"
                 }
               ]
             }
@@ -753,6 +757,204 @@
               "sku": "sg-ngtx"
             },
             "count": "[steps('chkp-advanced').vmCount]"
+          },       
+          {
+            "name": "R8210vmSizeUiBYOL",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-byol"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
+          },
+          {
+            "name": "R8210vmSizeUiNGTP",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTP)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtp"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
+          },
+          {
+            "name": "R8210vmSizeUiNGTX",
+            "type": "Microsoft.Compute.SizeSelector",
+            "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTX)'))]",
+            "label": "Virtual machine size",
+            "toolTip": "The VM size of the Security Gateway",
+            "recommendedSizes": [
+              "Standard_D4ds_v4",
+              "Standard_D4d_v4"
+            ],
+            "constraints": {
+              "allowedSizes": [
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D48_v4",
+                "Standard_D64_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D32s_v4",
+                "Standard_D48s_v4",
+                "Standard_D64s_v4",
+                "Standard_D2_v4",
+                "Standard_D4_v4",
+                "Standard_D8_v4",
+                "Standard_D16_v4",
+                "Standard_D32_v4",
+                "Standard_D2s_v4",
+                "Standard_D4s_v4",
+                "Standard_D8s_v4",
+                "Standard_D16s_v4",
+                "Standard_D2d_v4",
+                "Standard_D4d_v4",
+                "Standard_D8d_v4",
+                "Standard_D16d_v4",
+                "Standard_D32d_v4",
+                "Standard_D2ds_v4",
+                "Standard_D4ds_v4",
+                "Standard_D8ds_v4",
+                "Standard_D16ds_v4",
+                "Standard_D32ds_v4",
+                "Standard_F2s",
+                "Standard_F4s",
+                "Standard_F8s",
+                "Standard_F16s",
+                "Standard_M8ms",
+                "Standard_M16ms",
+                "Standard_M32ms",
+                "Standard_M64ms",
+                "Standard_M64s",
+                "Standard_F2",
+                "Standard_F4",
+                "Standard_F8",
+                "Standard_F16"
+              ]
+            },
+            "osPlatform": "Linux",
+            "imageReference": {
+              "publisher": "1740992136172",
+              "offer": "check-point-cg-r8210",
+              "sku": "sg-ngtx"
+            },
+            "count": "[steps('chkp-advanced').vmCount]"
           },
           {
             "name": "sicKeyUi",
@@ -771,6 +973,7 @@
               "hideConfirmation": false
             }
           }
+          
         ]
       },
       {
@@ -939,7 +1142,7 @@
             "name": "floatingIP",
             "type": "Microsoft.Common.OptionsGroup",
             "label": "Deploy the Load Balancers with floating IP",
-            "defaultValue": "No",
+            "defaultValue": "Yes",
             "toolTip": "Deploy the Load Balancers with floating IP.",
             "constraints": {
               "allowedValues": [
@@ -1573,6 +1776,35 @@
             },
             "visible": "[steps('network').NSG]"
           },
+          {
+            "name": "storageAccountDeployMode",
+            "type": "Microsoft.Common.DropDown",
+            "label": "Storage Account Deployment Mode",
+            "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+            "defaultValue": "New",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "New",
+                  "value": "New"
+                },
+                {
+                  "label": "Existing",
+                  "value": "Existing"
+                },
+                {
+                  "label": "Managed",
+                  "value": "Managed"
+                },
+                {
+                  "label": "None",
+                  "value": "None"
+                }
+              ],
+              "required": true
+            },
+            "visible": true
+          },
           {
             "name": "addStorageAccountIpRules",
             "type": "Microsoft.Common.OptionsGroup",
@@ -1590,9 +1822,48 @@
                   "value": true
                 }
               ],
-              "required": true
+              "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
             },
-            "visible": true
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+          },
+          {
+            "name": "existingStorageAccount",
+            "type": "Microsoft.Solutions.ResourceSelector",
+            "label": "Storage Account",
+            "defaultValue": "null",
+            "toolTip": "Choose an existing Storage Account",
+            "resourceType": "Microsoft.Storage/storageAccounts",
+            "constraints": {
+              "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+            },
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+          },
+          {
+            "name": "infoExistingStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+            "options": {
+              "icon": "Info",
+              "text": "The Storage Account must allow network access from the Serial Console feature, for more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Serial Console Security</a>."
+            }
+          },
+          {
+            "name": "infoManagedStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+            "options": {
+              "icon": "Info",
+              "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+            }
+          },
+          {
+            "name": "warningNoneStorageAccount",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+            "options": {
+              "icon": "Warning",
+              "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - <a href='https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/serial-console-linux?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef' target='_blank'>Azure Serial Console</a>."
+            }
           }
         ]
       },
@@ -1654,7 +1925,7 @@
       "availabilityZonesNum": "[coalesce(steps('chkp-advanced').availabilityZonesNum, int('0'))]",
       "customMetrics": "[steps('chkp-advanced').customMetrics]",
       "cloudGuardVersion": "[concat(steps('autoprovision').cloudGuardVersion, ' - ', coalesce(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
-      "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX , steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX)]",
+      "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX , steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX, steps('autoprovision').R8210vmSizeUiBYOL, steps('autoprovision').R8210vmSizeUiNGTP, steps('autoprovision').R8210vmSizeUiNGTX)]",
       "sicKey": "[steps('autoprovision').sicKeyUi]",
       "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
       "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
@@ -1680,7 +1951,9 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
-      "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+      "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+      "existingStorageAccountId": "[steps('network').existingStorageAccount]",
       "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
       "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
     }
diff --git a/china/azure/marketplace-vmss/mainTemplate.json b/china/azure/marketplace-vmss/mainTemplate.json
index abcd3f4a..b4f1e071 100644
--- a/china/azure/marketplace-vmss/mainTemplate.json
+++ b/china/azure/marketplace-vmss/mainTemplate.json
@@ -21,7 +21,8 @@
       "allowedValues": [
         "R81.10 - Bring Your Own License",
         "R81.20 - Bring Your Own License",
-        "R82 - Bring Your Own License"
+        "R82 - Bring Your Own License",
+        "R82.10 - Bring Your Own License"
       ],
       "defaultValue": "R82 - Bring Your Own License",
       "metadata": {
@@ -152,7 +153,7 @@
     },
     "floatingIP": {
       "type": "string",
-      "defaultValue": "no",
+      "defaultValue": "yes",
       "allowedValues": [
         "no",
         "yes"
@@ -438,7 +439,7 @@
     "_artifactsLocation": {
       "type": "string",
       "metadata": {
-        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+        "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
       },
       "defaultValue": "[deployment().properties.templateLink.uri]"
     },
@@ -480,19 +481,39 @@
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
     },
+    "storageAccountDeployMode": {
+      "type": "string",
+      "defaultValue": "New",
+      "metadata": {
+        "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+      },
+      "allowedValues": [
+        "New",
+        "Existing",
+        "Managed",
+        "None"
+      ]
+    },
     "addStorageAccountIpRules": {
       "type": "bool",
       "metadata": {
-        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'"
       },
       "defaultValue": false
     },
     "storageAccountAdditionalIps": {
       "type": "array",
       "metadata": {
-        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+        "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
       },
       "defaultValue": []
+    },
+    "existingStorageAccountId": {
+      "type": "string",
+      "metadata": {
+        "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+      },
+      "defaultValue": ""
     }
   },
   "variables": {
@@ -510,7 +531,10 @@
       "R81.20 - Pay As You Go (NGTX)": "NGTX",
       "R82 - Bring Your Own License": "BYOL",
       "R82 - Pay As You Go (NGTP)": "NGTP",
-      "R82 - Pay As You Go (NGTX)": "NGTX"
+      "R82 - Pay As You Go (NGTX)": "NGTX",
+      "R82.10 - Bring Your Own License": "BYOL",
+      "R82.10 - Pay As You Go (NGTP)": "NGTP",
+      "R82.10 - Pay As You Go (NGTX)": "NGTX"
     },
     "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
     "osVersions": {
@@ -522,224 +546,781 @@
       "R81.20 - Pay As You Go (NGTX)": "R8120",
       "R82 - Bring Your Own License": "R82",
       "R82 - Pay As You Go (NGTP)": "R82",
-      "R82 - Pay As You Go (NGTX)": "R82"
+      "R82 - Pay As You Go (NGTX)": "R82",
+      "R82.10 - Bring Your Own License": "R8210",
+      "R82.10 - Pay As You Go (NGTP)": "R8210",
+      "R82.10 - Pay As You Go (NGTX)": "R8210"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
     "serialConsoleGeographies": {
       "eastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "southeastasia": [
+        "4.145.74.168",
+        "20.195.85.180",
+        "20.195.85.181",
+        "20.205.68.106",
+        "20.205.68.107",
         "20.205.69.28",
-        "20.195.85.180"
+        "23.97.88.117",
+        "23.98.106.151"
       ],
       "australiacentral": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiacentral2": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiaeast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "australiasoutheast": [
+        "4.198.45.55",
+        "4.200.251.224",
+        "20.167.131.228",
+        "20.53.52.250",
         "20.53.53.224",
-        "20.70.222.112"
+        "20.53.55.174",
+        "20.70.222.112",
+        "20.70.222.113",
+        "68.218.123.133"
       ],
       "brazilsouth": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "brazilsoutheast": [
-        "91.234.136.63",
-        "20.206.0.194"
+        "20.206.0.192",
+        "20.206.0.193",
+        "20.206.0.194",
+        "20.226.211.157",
+        "108.140.5.172",
+        "191.234.136.63",
+        "191.238.77.232",
+        "191.238.77.233"
       ],
       "canadacentral": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "canadaeast": [
+        "20.175.7.183",
+        "20.48.201.78",
+        "20.48.201.79",
+        "20.220.7.246",
+        "52.139.106.74",
+        "52.139.106.75",
         "52.228.86.177",
         "52.242.40.90"
       ],
       "northeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "westeurope": [
+        "4.210.131.60",
+        "20.105.209.72",
+        "20.105.209.73",
+        "40.113.178.49",
+        "52.146.137.65",
         "52.146.139.220",
-        "20.105.209.72"
+        "52.146.139.221",
+        "98.71.107.78"
       ],
       "francecentral": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "francesouth": [
         "20.111.0.244",
-        "52.136.191.10"
+        "40.80.103.247",
+        "51.138.215.126",
+        "51.138.215.127",
+        "52.136.191.8",
+        "52.136.191.9",
+        "52.136.191.10",
+        "98.66.128.35"
       ],
       "germanynorth": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "germanywestcentral": [
+        "20.52.94.114",
+        "20.52.94.115",
+        "20.52.95.48",
+        "20.113.251.155",
         "51.116.75.88",
-        "20.52.95.48"
+        "51.116.75.89",
+        "51.116.75.90",
+        "98.67.183.186"
       ],
       "centralindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "southindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "westindia": [
-        "20.192.168.150",
-        "20.192.153.104"
+        "4.187.107.68",
+        "20.192.47.134",
+        "20.192.47.135",
+        "20.192.152.150",
+        "20.192.152.151",
+        "20.192.153.104",
+        "20.207.175.96",
+        "52.172.82.199",
+        "98.70.20.180"
       ],
       "japaneast": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "japanwest": [
+        "20.18.7.188",
         "20.43.70.205",
-        "20.189.228.222"
+        "20.89.12.192",
+        "20.89.12.193",
+        "20.189.194.100",
+        "20.189.228.222",
+        "20.189.228.223",
+        "20.210.144.254"
       ],
       "koreacentral": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "koreasouth": [
+        "20.200.166.136",
+        "20.200.194.238",
+        "20.200.194.239",
         "20.200.196.96",
-        "52.147.119.29"
+        "20.214.133.81",
+        "52.147.119.28",
+        "52.147.119.29",
+        "52.147.119.30"
       ],
       "norwaywest": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "norwayeast": [
+        "20.100.1.154",
+        "20.100.1.155",
         "20.100.1.184",
-        "51.13.138.76"
+        "20.100.21.182",
+        "51.13.138.76",
+        "51.13.138.77",
+        "51.13.138.78",
+        "51.120.183.54"
       ],
       "switzerlandnorth": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "switzerlandwest": [
+        "20.199.207.188",
         "20.208.4.98",
-        "51.107.251.190"
+        "20.208.4.99",
+        "20.208.4.120",
+        "20.208.149.229",
+        "51.107.251.190",
+        "51.107.251.191",
+        "51.107.255.176"
       ],
       "uaecentral": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uaenorth": [
+        "20.38.141.5",
+        "20.45.95.64",
+        "20.45.95.65",
         "20.45.95.66",
-        "20.38.141.5"
+        "20.203.93.198",
+        "20.233.132.205",
+        "40.120.87.50",
+        "40.120.87.51"
       ],
       "uksouth": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "ukwest": [
+        "20.58.68.62",
+        "20.58.68.63",
+        "20.90.32.180",
         "20.90.132.144",
-        "20.58.68.62"
+        "20.90.132.145",
+        "51.104.30.169",
+        "172.187.0.26",
+        "172.187.65.53"
       ],
       "swedencentral": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "swedensouth": [
+        "20.91.100.236",
+        "51.12.22.174",
+        "51.12.22.175",
+        "51.12.22.204",
+        "51.12.72.222",
         "51.12.72.223",
-        "51.12.22.174"
+        "51.12.73.92",
+        "172.160.216.6"
       ],
       "centralus": [
-        "20.98.146.84",
-        "20.98.194.64",
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "eastus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "eastus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "northcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "northcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "southcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "southcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus2": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus2": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus3": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus3": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westcentralus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westcentralus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
-      ],
-      "westus": [
         "20.98.146.84",
+        "20.98.146.85",
         "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
+      ],
+      "westus": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
+        "20.45.242.18",
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
         "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
         "20.83.222.102",
-        "20.83.222.100"
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "eastus2euap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "centraluseuap": [
+        "4.149.249.197",
+        "4.150.239.210",
+        "20.14.127.175",
+        "20.40.200.175",
         "20.45.242.18",
-        "20.51.21.252"
+        "20.45.242.19",
+        "20.45.242.20",
+        "20.47.232.186",
+        "20.51.21.252",
+        "20.69.5.160",
+        "20.69.5.161",
+        "20.69.5.162",
+        "20.83.222.100",
+        "20.83.222.101",
+        "20.83.222.102",
+        "20.98.146.84",
+        "20.98.146.85",
+        "20.98.194.64",
+        "20.98.194.65",
+        "20.98.194.66",
+        "20.168.188.34",
+        "20.241.116.153",
+        "52.159.214.194",
+        "57.152.124.244",
+        "68.220.123.194",
+        "74.249.127.175",
+        "74.249.142.218",
+        "157.55.93.0",
+        "168.61.232.59",
+        "172.183.234.204",
+        "172.191.219.35"
       ],
       "usgovarizona": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovvirginia": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "usgovtexas": [
+        "20.140.104.48",
+        "20.140.105.3",
+        "20.140.144.58",
+        "20.140.144.59",
+        "20.140.147.168",
+        "20.140.53.121",
         "20.141.10.130",
-        "52.127.55.131"
+        "20.141.10.131",
+        "20.141.13.121",
+        "20.141.15.104",
+        "52.127.55.131",
+        "52.235.252.252",
+        "52.235.252.253",
+        "52.243.247.124",
+        "52.245.155.139",
+        "52.245.156.185",
+        "62.10.196.24",
+        "62.10.196.25",
+        "62.10.84.240",
+        "62.11.6.64",
+        "62.11.6.65"
       ],
       "chinanorth": [
         "139.217.51.16",
@@ -854,7 +1435,7 @@
     "sicKey": "[parameters('sicKey')]",
     "installationType": "vmss",
     "upgrading": "[equals(parameters('upgrading'), 'yes')]",
-    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+    "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
     "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
     "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]",
     "lbsTargetRGName": "[parameters('lbsTargetRGName')]",
@@ -950,7 +1531,7 @@
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "resources": []
         }
@@ -1118,6 +1699,7 @@
       }
     },
     {
+      "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
       "type": "Microsoft.Storage/storageAccounts",
       "name": "[variables('storageAccountName')]",
       "apiVersion": "2021-04-01",
@@ -1135,7 +1717,7 @@
       "sku": {
         "name": "[variables('storageAccountType')]"
       },
-      "kind": "Storage",
+      "kind": "StorageV2",
       "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
     },
     {
@@ -1246,10 +1828,7 @@
             ]
           },
           "diagnosticsProfile": {
-            "bootDiagnostics": {
-              "enabled": "true",
-              "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
-            }
+            "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
           }
         },
         "overprovision": false
diff --git a/china/azure/nestedtemplates/azure-func-sami.json b/china/azure/nestedtemplates/azure-func-sami.json
old mode 100644
new mode 100755
diff --git a/china/azure/nestedtemplates/gateway-load-balancers.json b/china/azure/nestedtemplates/gateway-load-balancers.json
old mode 100644
new mode 100755
index 5bd9db41..88b7348a
--- a/china/azure/nestedtemplates/gateway-load-balancers.json
+++ b/china/azure/nestedtemplates/gateway-load-balancers.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
diff --git a/china/azure/nestedtemplates/load-balancers-waap.json b/china/azure/nestedtemplates/load-balancers-waap.json
old mode 100644
new mode 100755
diff --git a/china/azure/nestedtemplates/load-balancers.json b/china/azure/nestedtemplates/load-balancers.json
index dcdf0ae0..a3fdb935 100644
--- a/china/azure/nestedtemplates/load-balancers.json
+++ b/china/azure/nestedtemplates/load-balancers.json
@@ -61,7 +61,7 @@
     "appProbeName": "[variables('appName')]",
     "appFrontEndProtocol": "tcp",
     "appFrontEndPort": 80,
-    "appBackEndPort": 8081,
+    "appBackEndPort": 80,
     "appHealthProtocol": "tcp",
     "ilbHealthProtocol": "tcp",
     "lbHealthPort": 8117,
diff --git a/china/azure/nestedtemplates/vnet-1-subnet-existing.json b/china/azure/nestedtemplates/vnet-1-subnet-existing.json
index 81fc0d5a..cb335d9a 100644
--- a/china/azure/nestedtemplates/vnet-1-subnet-existing.json
+++ b/china/azure/nestedtemplates/vnet-1-subnet-existing.json
@@ -84,4 +84,4 @@
       "type": "object"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json b/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
index 17781d8c..04e3694c 100644
--- a/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
+++ b/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
@@ -73,4 +73,4 @@
       "type": "array"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json b/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
index be5ae374..d9ca08ba 100644
--- a/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
+++ b/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
@@ -189,4 +189,4 @@
       "type": "array"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-existing-stack-ha.json b/china/azure/nestedtemplates/vnet-existing-stack-ha.json
index 6e31b659..2f99a6f4 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack-ha.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack-ha.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
@@ -90,4 +90,4 @@
       "type": "string"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json b/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
index 1be25f0b..fd9b75d1 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
diff --git a/china/azure/nestedtemplates/vnet-existing-stack.json b/china/azure/nestedtemplates/vnet-existing-stack.json
index 1c99915b..967e485d 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
diff --git a/china/azure/nestedtemplates/vnet-existing.json b/china/azure/nestedtemplates/vnet-existing.json
index 415f5361..64533665 100644
--- a/china/azure/nestedtemplates/vnet-existing.json
+++ b/china/azure/nestedtemplates/vnet-existing.json
@@ -73,4 +73,4 @@
       "type": "string"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-new-stack-ha.json b/china/azure/nestedtemplates/vnet-new-stack-ha.json
index 938c82ab..c7e9b1ad 100644
--- a/china/azure/nestedtemplates/vnet-new-stack-ha.json
+++ b/china/azure/nestedtemplates/vnet-new-stack-ha.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
@@ -138,4 +138,4 @@
       "type": "string"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-new-stack-mgmt.json b/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
index 2ecdc128..e443a759 100644
--- a/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
+++ b/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {
diff --git a/china/azure/nestedtemplates/vnet-new-stack.json b/china/azure/nestedtemplates/vnet-new-stack.json
index 2deae4d9..731bd0be 100644
--- a/china/azure/nestedtemplates/vnet-new-stack.json
+++ b/china/azure/nestedtemplates/vnet-new-stack.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "location": {