Configure Active/Passive HA on AWS EKS Using a Secondary IP

Before you deploy the CN-Series firewalls for your HA pair, ensure the following:
Deploy both HA peers in the same AWS availability zone. See IAM Roles for HA.
Create an IAM role and assign the role to the worker nodes running the CN-series firewalls when you deploy the instances.
The active and passive firewalls must have at least three interfaces each— management interface, HA2 interface, and data interface.
By default, the management interface will be used as the HA1 interface.
Create network interfaces on AWS in the same availability zone as the cluster. Add tag on the
eni
so that it is not managed by AWS and can be used by multus:
node.k8s.amazonaws.com/no_manage: True
Verify that the network and security components are defined suitably.
Enable communication to the internet. The default VPC includes an internet gateway, and if you install the CN-Series firewall in the default subnet it has access to the internet.
Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The CN-Series firewall must belong to the public subnet so that it can be configured to access the internet.
Create a data security group that includes the firewall data interfaces. Additionally, configure the security to allow all traffic, so security is enforced by the firewalls. This is required to maintain existing sessions during failover.
Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
When deploying the CN-series firewall on EKS, IMDSv2 token retrieval fails if the
http-put-response-hop-limit
value is set to default value of 1. You must ensure that the hop limit value is set to 3 or more when IMDSv2 is enabled.
For example:
Run the following command:
aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 3
Deploy the CN-Series Firewall on EKS.
Configure ethernet 1/1 as the HA2 interface on each HA peer.
Open the Amazon EC2 console.
Select Network Interface and then choose then select your network interface.
Select
Actions
Manage IP Addresses.
Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the CN-Series firewall. This will assign a secondary IP to the HA2 interface.
Click
Yes
and
Update
.
Select
Actions
Change Source/Dest. Check
and select
Disable
.
Repeat this process on the second (to be passive) HA peer.
Add a secondary IP address to your dataplane interfaces on the first (to be active) HA peer.
Select
Network Interface
and then choose then select your network interface.
Select
Actions
Manage IP Addresses
IPv4 Addresses
Assign new IP
.
Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the CN-Series firewall.
Click
Yes
and
Update
.
Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
Select
Elastic IPs
and then choose then select the Elastic IP address to associate.
Select
Actions
Associate Elastic IP
.
Under
Resource Type
, select
Network Interface
.
Select the network interface with which to associate the Elastic IP address.
Click
Associate
.
For outbound traffic inspection, add an entry to the subnet route table that sets the next-hop as the firewall trust interface.
Select
VPC
Route Tables
.
Choose your subnet route table.
Select
Actions
Edit routes
Add route
.
Enter the
Destination
CIDR Block or IP address.
For
Target
, enter the network interface of the firewall trust interface.
Click
Save routes
.
To use AWS Ingress Routing, create a route table and associate the internet gateway to it. Then add an entry with the next-hop set as the active firewall untrust interface.
Select
Route Tables
Create route table
.
(
Optional
) Enter a descriptive
Name tag
for your route table.
Click
Create
.
Click your route table and select
Actions
Edit edge associations
.
Select
Internet gateways
and choose your VPC internet gateway.
Click
Save
.
Click your route table and select
Actions
Edit routes
.
For the
Target
, select
Network Interface
and choose the untrust interface of the active firewall.
Click
Save routes
.
Enable HA.
To enable the HA support, you should ensure that the PAN_HA_SUPPORT parameter value is true in the following YAML files:
pan-cn-mgmt-configmap-0.yaml
pan-cn-mgmt-configmap-1.yaml
The peer HA1 IP address gets auto-configured.
Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the address parameter of
net-attach def-ha2-0.yaml
and
net-attach-def-ha2-1.yaml
file.
(
Optional
) Modify the
Threshold
for
HA2 Keep-alive
packets. By default,
HA2 Keep-alive
is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.
You can configure the
HA2 keep-alive
option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
Verify that the firewalls are paired in active/passive HA.
Access the
Dashboard
on both firewalls and view the High Availability widget.
On the active HA peer, click
Sync to peer
.
Confirm that the firewalls are paired and synced.
On the passive firewall: the state of the local firewall should display
Passive
and the
Running Config
should show as Synchronized.
On the active firewall: the state of the local firewall should display
Active
and the
Running Config
should show as Synchronized.
From the firewall command line interface, execute the following commands:
To verify failover readiness:
show plugins vmw_series aws ha state
To show secondary IP mapping:
show plugins vm_series aws ha ips