High Resiliency for VM-Series Firewall on IBM Cloud

You can deploy the VM-Series firewalls on IBM Cloud to ensure redundancy in the network by using the active/active high availability (HA) configuration. The Network Load Balancer (NLB) Route Mode feature is used to support the VM-Series HA and is currently supported only with private IP and TCP data traffic.
The ingress routing capability allows you to associate route tables with the IBM Internet gateway and add route rules to redirect the application traffic through the VM-Series firewall. This redirection ensures that all internet traffic passes through the firewall without having to reconfigure the application endpoints.
For more information on Network Load Balancer for VPC Gen 2 Offering, see

Configure IBM VPC VM-Series for HA

To configure the VPC resources for HA you will need to:
  • Create a VPC. For instructions on creating a VPC network, see Getting Started with VPC network.
  • Create one subnet for the VM-Series management traffic interface. This can be shared between multiple VM-Series to support clustering.
  • Create one subnet that will be shared between the VM-Series data traffic interface and the Network Load Balancer (NLB).
  • Create any additional subnets needed for the VSI workloads that will be routed through the NLB or VNF's.
  • Grant a service authorization for your IBM Cloud Account to allow the NLB to modify custom routes if an NLB failover occurs.

Deploy the VM-Series Firewall

While deploying the VM-Series firewall in HA mode, you will need to ensure the following:
  • The VM-Series data interface is on the same shared subnet as the NLB we will provision later.
  • Allow IP Spoofing
    is enabled on the VM-Series data interface (shared subnet with NLB) through the Network Interfaces page of the VPC VSI User Interface.
  • Health checks
    for the VNF configuration is enabled from the NLB.

Deploy the NLB

You can deploy an NLB using the UI, CLI, or REST API. For instructions on deploying an NLB, see Creating a route mode Network Load Balancer for VPC.

Configure Security Groups

The VM-Series data network interface is attached to a VPC Security Group. While configuring the Security Groups, ensure that the Security Group has Inbound rules that allow traffic on the health port setup between the NLB and the VM-Series. For example, if the health check is set up for TCP on Port 80 (HTTP), then create an inbound rule under the same Security Group. Additionally, ensure that the rules are created to allow or restrict data traffic.

Configure Custom Routes

Custom routes are created to ensure that the ingress data traffic is routed through the NLB on its way to the VM-Series and target destination. In some cases custom routes may also be needed to ensure egress traffic is returned to the original client source. For more information, see About routing tables and routes.

Considerations for NLB Failovers and Custom Routes

  • Deploy the NLB as an active/passive cluster. Ensure that each node has a distinct IP and the active IP is used in the custom routes that are created. You can use an
    on the NLB hostname, to determine the primary IP for use in your route config.
  • Configure the VM-Series to allow traffic from both the active and passive NLB nodes. This is needed for the health check. The NLB IP's can be retrieved from the
    NLB UI
    Private IPs
  • The custom routes are automatically updated to hop to the new NLB IP, if the NLB fails over to the other node.

Recommended For You