Overview of HA on AWS

To ensure redundancy, you can deploy the VM-Series firewalls on AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. There are two options for deploying the VM-Series firewall on AWS in HA—Secondary IP move and Dataplane Interface (ENI) move.
To ensure that all traffic to your internet-facing applications passes through the firewall, you have two options. You can either configure the application’s public IP address on the Untrust interface (E1/2 in the illustration above) of the VM-Series firewall, or you can configure AWS ingress routing. The AWS ingress routing capability allows you to associate route tables with the AWS Internet gateway and add route rules to redirect the application traffic through the VM-Series firewall. This redirection ensures that all internet traffic passes through the firewall without having to reconfigure the application endpoints.
HA-routing-options-AWS.png

Secondary IP Move

When the active peer goes down, the passive peer detects this failure and becomes active. Additionally, it triggers API calls to the AWS infrastructure to move the configured secondary IP addresses from the dataplane interfaces of the failed peer to itself. Additionally, AWS updates the route tables to ensure that traffic is directed to the active firewall instance. These two operations ensure that inbound and outbound traffic sessions are restored after failover. This option allows you to take advantage of DPDK to improve the performance of your VM-Series firewall instances and provides better failover time than interface-move HA, while supporting all the features provided by interface-move.
Secondary IP Move HA requires VM-Series plugin 2.0.1 or later.
aws-secondary-ip-ha-deployment.png

Dataplane Interface Move

When the active peer goes down, the passive peer detects the failure and becomes active. Additionally, it triggers API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself.
HAinAWS.png

Recommended For You