Overview of HA on AWS

To ensure redundancy, you can deploy the VM-Series firewalls on AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. When the passive peer detects this failure it becomes active and triggers API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The failover time can vary from 20 seconds to over a minute depending on the responsiveness from the AWS infrastructure.
To ensure that all traffic to your internet-facing applications passes through the firewall, you have two options. You can either configure the application’s public IP address on the Untrust interface (E1/2 in the illustration above) of the VM-Series firewall, or you can configure AWS ingress routing. The AWS ingress routing capability allows you to associate route tables with the AWS Internet gateway and add route rules to redirect the application traffic through the VM-Series firewall. This redirection ensures that all internet traffic passes through the firewall without having to reconfigure the application endpoints.

Recommended For You