CN-Series
Configure Active/Passive HA on AWS EKS Using a Secondary IP
Table of Contents
Configure Active/Passive HA on AWS EKS Using a Secondary IP
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Complete the following procedure to deploy
new CN-Series firewalls as an HA pair with secondary IP addresses.
- Before you deploy the CN-Series firewalls for your HA pair, ensure the following:
- Deploy both HA peers in the same AWS availability zone. See IAM Roles for HA.
- Create an IAM role and assign the role to the worker nodes running the CN-series firewalls when you deploy the instances.
- The active and passive firewalls must have at least three interfaces each— management interface, HA2 interface, and data interface.By default, the management interface will be used as the HA1 interface.
- Create network interfaces on AWS in the same availability zone as the cluster. Add tag on the eni so that it is not managed by AWS and can be used by multus:node.k8s.amazonaws.com/no_manage: True
- Verify that the network and security components are defined suitably.
- Enable communication to the internet. The default VPC includes an internet gateway, and if you install the CN-Series firewall in the default subnet it has access to the internet.
- Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The CN-Series firewall must belong to the public subnet so that it can be configured to access the internet.
- Create a data security group that includes the firewall data interfaces. Additionally, configure the security to allow all traffic, so security is enforced by the firewalls. This is required to maintain existing sessions during failover.
- Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
When deploying the CN-series firewall on EKS, IMDSv2 token retrieval fails if the http-put-response-hop-limit value is set to default value of 1. You must ensure that the hop limit value is set to 3 or more when IMDSv2 is enabled.For example:Run the following command:aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 3Deploy the CN-Series firewall on EKS.- Configure ethernet 1/1 as the HA2 interface on each HA peer.
- Open the Amazon EC2 console.
- Select Network Interface and then choose then select your network interface.
- Select
- Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the CN-Series firewall. This will assign a secondary IP to the HA2 interface.
- Click Yes and Update.
- Select and select Disable.
- Repeat this process on the second (to be passive) HA peer.
Add a secondary IP address to your dataplane interfaces on the first (to be active) HA peer.- Select Network Interface and then choose then select your network interface.
- Select .
- Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the CN-Series firewall.
- Click Yes and Update.
Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.- Select Elastic IPs and then choose then select the Elastic IP address to associate.
- Select .
- Under Resource Type, select Network Interface.
- Select the network interface with which to associate the Elastic IP address.
- Click Associate.
For outbound traffic inspection, add an entry to the subnet route table that sets the next-hop as the firewall trust interface.- Select .
- Choose your subnet route table.
- Select .
- Enter the Destination CIDR Block or IP address.
- For Target, enter the network interface of the firewall trust interface.
- Click Save routes.
To use AWS Ingress Routing, create a route table and associate the internet gateway to it. Then add an entry with the next-hop set as the active firewall untrust interface.- Select .
- (Optional) Enter a descriptive Name tag for your route table.
- Click Create.
- Click your route table and select .
- Select Internet gateways and choose your VPC internet gateway.
- Click Save.
- Click your route table and select .
- For the Target, select Network Interface and choose the untrust interface of the active firewall.
- Click Save routes.
Enable HA.To enable the HA support, you should ensure that the PAN_HA_SUPPORT parameter value is true in the following YAML files:- pan-cn-mgmt-configmap-0.yaml
- pan-cn-mgmt-configmap-1.yaml
The peer HA1 IP address gets auto-configured.Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the address parameter of net-attach def-ha2-0.yaml and net-attach-def-ha2-1.yaml file.(Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.You can configure the HA2 keep-alive option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.Verify that the firewalls are paired in active/passive HA.- Access the Dashboard on both firewalls and view the High Availability widget.On the active HA peer, click Sync to peer.Confirm that the firewalls are paired and synced.
- On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
- On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
From the firewall command line interface, execute the following commands:- To verify failover readiness:show plugins vmw_series aws ha state
- To show secondary IP mapping:show plugins vm_series aws ha ips
