High Resiliency for VM-Series Firewall on IBM Cloud
You can deploy VM-Series firewalls on IBM Cloud in an active/active high
availability (HA) configuration to provide redundancy in the network. The
Network Load Balancer (NLB) route mode feature is used to support VM-Series HA;
it is currently supported only with private IP addresses and TCP data traffic.
The ingress routing capability allows you to associate route
tables with the IBM Internet gateway and add route rules to redirect
the application traffic through the VM-Series firewall. This redirection
ensures that all internet traffic passes through the firewall without
having to reconfigure the application endpoints.
For more information on the Network Load Balancer for VPC (Gen 2) offering,
see
Configure IBM VPC VM-Series for HA
To configure the VPC resources for HA you will need
to:
- Create a VPC. For instructions on creating a VPC network, see Getting Started with VPC network.
- Create one subnet for the VM-Series management traffic interface. This can be shared between multiple VM-Series to support clustering.
- Create one subnet that will be shared between the VM-Series data traffic interface and the Network Load Balancer (NLB).
- Create any additional subnets needed for the VSI workloads that will be routed through the NLB or the VNFs.
- Grant a service authorization in your IBM Cloud account that allows the NLB to modify custom routes when an NLB failover occurs. Without this authorization the routes are not updated on failover and ingress traffic keeps pointing at the failed node.
Deploy the VM-Series Firewall
While deploying the VM-Series firewall in HA mode, you
will need to ensure the following:
- The VM-Series data interface is on the same shared subnet as the NLB that you will provision later.
- Allow IP spoofing is enabled on the VM-Series data interface (the subnet shared with the NLB) through the Network Interfaces page of the VPC VSI user interface. The firewall forwards packets whose source address it does not own, so the setting is required on the data interface; leave it disabled on the management interface, which has no reason to forward traffic.
- Health checks for the VNF configuration are enabled from the NLB.
Deploy the NLB
You can deploy an NLB using the UI, CLI, or REST API.
For instructions on deploying an NLB, see Creating a route mode Network
Load Balancer for VPC.
Configure Security Groups
The VM-Series data network interface is attached to
a VPC security group. While configuring the security group, ensure
that it has inbound rules that allow traffic on the health check port
set up between the NLB and the VM-Series. For example, if the health
check is set up for TCP on port 80 (HTTP), create an inbound rule for
TCP port 80 in that security group. Scope the rule's source to the
private IPs of both NLB nodes rather than to 0.0.0.0/0, since the check
can arrive from either node. Additionally, create the rules that allow
or restrict the data traffic itself; the health check rule alone does
not admit application traffic.
Configure Custom Routes
Custom routes are created to ensure that the ingress
data traffic is routed through the NLB on its way to the VM-Series
and target destination. In some cases custom routes may also be
needed to ensure egress traffic is returned to the original client
source. For more information, see About routing tables and routes.
Considerations for NLB Failovers and Custom Routes
- The NLB is deployed as an active/passive pair. Each node has a distinct private IP, and the active IP must be the next hop in the custom routes you create. You can use an nslookup on the NLB hostname to determine the primary IP for use in your route configuration.
- Configure the VM-Series to allow traffic from both the active and the passive NLB node. This is needed for the health check. The NLB IPs can be retrieved from the NLB UI under Overview > Private IPs.
- If the NLB fails over to the other node, the custom routes are automatically updated to hop to the new NLB IP, provided the service authorization from the VPC setup is in place.
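The security group requirements above and the failover considerations in this list are easy to get subtly wrong (health check allowed from only one NLB node, a route left pointing at the passive node). The following pre-flight check, an added example that is not Palo Alto Networks or IBM Cloud code, runs those checks over constructed data. The dictionaries imitate the information shown in the IBM Cloud UI or returned by the VPC API, but every field name, IP address and hostname in them is an assumption made for this example.

```python
"""Pre-flight consistency check for VM-Series HA behind an IBM Cloud NLB in route mode.
Added example; the data below is constructed and the field names are assumptions."""
import ipaddress

# --- constructed sample data (stand-ins for what the UI, CLI or API would report) ---
NLB_PRIVATE_IPS = ["10.240.1.10", "10.240.1.11"]   # active and passive NLB nodes (assumed)
ACTIVE_NLB_IP = "10.240.1.10"                      # what nslookup on the NLB hostname returned (assumed)
HEALTH_CHECK = {"protocol": "tcp", "port": 80}    # NLB health check toward the VM-Series
DATA_SUBNET_CIDR = "10.240.1.0/24"                # subnet shared by the NLB and the VM-Series data interface

# VM-Series data interface as the VSI Network Interfaces page would describe it (assumed fields)
DATA_INTERFACE = {"primary_ip": "10.240.1.20", "allow_ip_spoofing": True}

# Security group rules attached to the data interface (assumed fields); note only the
# active node is allowed on the health check port, which is the mistake being caught
SG_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 80, "port_max": 80, "remote": "10.240.1.10"},
    {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443, "remote": "10.240.2.0/24"},
    {"direction": "outbound", "protocol": "all", "remote": "0.0.0.0/0"},
]

# Custom routes in the ingress routing table (assumed fields); the second one is stale
CUSTOM_ROUTES = [
    {"destination": "10.240.2.0/24", "next_hop": "10.240.1.10", "action": "deliver"},
    {"destination": "10.240.3.0/24", "next_hop": "10.240.1.11", "action": "deliver"},
]


def _rule_covers(rule, src_ip, protocol, port):
    """True if one security group rule admits inbound protocol/port from src_ip."""
    if rule["direction"] != "inbound":
        return False
    if rule["protocol"] not in ("all", protocol):
        return False
    if rule["protocol"] != "all" and not rule["port_min"] <= port <= rule["port_max"]:
        return False
    remote = ipaddress.ip_network(rule["remote"], strict=False)  # single IP or CIDR
    return ipaddress.ip_address(src_ip) in remote


def check_health_check_rules(rules, nlb_ips, health_check):
    """Return the NLB node IPs that cannot reach the health check port."""
    proto, port = health_check["protocol"], health_check["port"]
    return [ip for ip in nlb_ips if not any(_rule_covers(r, ip, proto, port) for r in rules)]


def check_custom_routes(routes, active_ip, nlb_ips):
    """Return routes whose next hop is not the active NLB node."""
    findings = []
    for route in routes:
        next_hop = route["next_hop"]
        if next_hop == active_ip:
            continue
        reason = "passive NLB node" if next_hop in nlb_ips else "not an NLB address"
        findings.append(f"{route['destination']} -> {next_hop} ({reason})")
    return findings


def check_data_interface(iface, subnet_cidr, nlb_ips):
    """Data interface and NLB must share a subnet, and IP spoofing must be allowed."""
    findings = []
    subnet = ipaddress.ip_network(subnet_cidr)
    if ipaddress.ip_address(iface["primary_ip"]) not in subnet:
        findings.append("data interface is not on the NLB subnet")
    if not all(ipaddress.ip_address(ip) in subnet for ip in nlb_ips):
        findings.append("NLB private IPs are not on the data subnet")
    if not iface.get("allow_ip_spoofing"):
        findings.append("Allow IP spoofing is disabled on the data interface")
    return findings


def preflight(rules=SG_RULES, routes=CUSTOM_ROUTES, iface=DATA_INTERFACE,
              nlb_ips=NLB_PRIVATE_IPS, active_ip=ACTIVE_NLB_IP,
              health_check=HEALTH_CHECK, subnet_cidr=DATA_SUBNET_CIDR):
    """Run all checks; an empty dict means the deployment matches the HA requirements."""
    report = {
        "health_check_blocked_from": check_health_check_rules(rules, nlb_ips, health_check),
        "routes_not_via_active_nlb": check_custom_routes(routes, active_ip, nlb_ips),
        "data_interface": check_data_interface(iface, subnet_cidr, nlb_ips),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for check, problems in preflight().items():
        print(f"{check}: {problems}")
```

With the sample data the check reports that the passive node 10.240.1.11 is blocked on the health check port and that the 10.240.3.0/24 route hops to the passive node; after an NLB failover the nslookup answer changes, so re-run the check with the new active IP to confirm the routes were rewritten.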