To ensure redundancy, you can deploy the VM-Series firewalls
on AWS in an active/passive high availability (HA) configuration.
The active peer continuously synchronizes its configuration and
session information with the identically configured passive peer.
A heartbeat connection between the two devices ensures failover
if the active device goes down. When the passive peer detects this
failure, it becomes active and triggers API calls to the AWS infrastructure
to move all the dataplane interfaces (ENIs) from the failed peer
to itself. The failover time can vary from 20 seconds to over a
minute, depending on the responsiveness of the AWS infrastructure.
To ensure that all traffic to your internet-facing applications
passes through the firewall, you have two options. You can either
configure the application’s public IP address on the Untrust interface
(E1/2 in the illustration above) of the VM-Series firewall, or you
can configure AWS ingress routing. The AWS ingress routing capability
allows you to associate route tables with the AWS Internet gateway
and add route rules to redirect the application traffic through
the VM-Series firewall. This redirection ensures that all internet
traffic passes through the firewall without having to reconfigure
the application endpoints.
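The two AWS-side operations described above, the ENI move that the newly active peer performs during failover and the ingress route table that sends application traffic through the firewall, as an added example that is not code from this page or from the VM-Series product. It uses boto3-style calls (`describe_network_interfaces`, `detach_network_interface`, `attach_network_interface`, `associate_route_table`, `create_route`) with the EC2 client injected, so the logic runs offline against a constructed in-memory stand-in; with a real `boto3.client("ec2")` the same calls apply. All instance, ENI, route table and gateway IDs, and the `FakeEc2` class, are constructed for illustration.

```python
import time


def move_dataplane_enis(ec2, failed_instance, self_instance, dataplane_enis,
                        timeout_s=90.0, poll_s=1.0):
    """Passive-peer side of a failover: move each dataplane ENI from the failed
    peer to this instance, keeping the device index the peer used (so E1/2 stays
    E1/2). dataplane_enis maps ENI ID -> device index (from the HA config).
    timeout_s bounds how long we wait for AWS to report the ENI detached; this
    wait is where much of the 20 s to 60 s+ failover time goes.
    Returns {eni_id: attachment_id} for the attachments on this instance."""
    deadline = time.monotonic() + timeout_s
    attached = {}
    for eni_id, device_index in dataplane_enis.items():
        eni = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
        att = eni.get("Attachment")
        if att and att["InstanceId"] == self_instance:
            attached[eni_id] = att["AttachmentId"]  # already ours: safe to re-run
            continue
        if att and att["InstanceId"] == failed_instance:
            # Force=True: the failed peer cannot release the ENI itself.
            ec2.detach_network_interface(AttachmentId=att["AttachmentId"], Force=True)
        elif att:
            raise RuntimeError(f"{eni_id} attached to unexpected instance {att['InstanceId']}")
        while True:  # attaching before AWS reports 'available' is rejected
            eni = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
            if eni["Status"] == "available":
                break
            if time.monotonic() > deadline:
                raise TimeoutError(f"{eni_id} still {eni['Status']} after {timeout_s}s")
            time.sleep(poll_s)
        resp = ec2.attach_network_interface(NetworkInterfaceId=eni_id, InstanceId=self_instance,
                                            DeviceIndex=device_index)
        attached[eni_id] = resp["AttachmentId"]
    return attached


def configure_ingress_routing(ec2, edge_route_table, igw_id, app_cidrs, untrust_eni):
    """Associate an edge route table with the Internet gateway and send each
    application subnet's inbound traffic to the firewall's Untrust ENI. The
    target is the ENI, not an instance, so the route stays valid when a
    failover moves that ENI to the other peer."""
    ec2.associate_route_table(RouteTableId=edge_route_table, GatewayId=igw_id)
    for cidr in app_cidrs:
        ec2.create_route(RouteTableId=edge_route_table, DestinationCidrBlock=cidr,
                         NetworkInterfaceId=untrust_eni)
    return len(app_cidrs)


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (only the calls used above).
    After a detach it reports 'detaching' for two describes to exercise polling."""

    def __init__(self, enis):  # enis: eni_id -> {"instance", "index", "attachment"}
        self.enis = {e: dict(v, status="in-use", polls=0) for e, v in enis.items()}
        self.routes, self.gateway_assoc = {}, {}

    def describe_network_interfaces(self, NetworkInterfaceIds):
        out = []
        for eni_id in NetworkInterfaceIds:
            e = self.enis[eni_id]
            if e["status"] == "detaching":
                e["polls"] -= 1
                if e["polls"] <= 0:
                    e["status"], e["attachment"] = "available", None
            att = ({"AttachmentId": e["attachment"], "InstanceId": e["instance"],
                    "DeviceIndex": e["index"]} if e["attachment"] else None)
            out.append({"NetworkInterfaceId": eni_id, "Status": e["status"], "Attachment": att})
        return {"NetworkInterfaces": out}

    def detach_network_interface(self, AttachmentId, Force=False):
        for e in self.enis.values():
            if e["attachment"] == AttachmentId:
                e["status"], e["polls"] = "detaching", 2
                return {}
        raise KeyError(AttachmentId)

    def attach_network_interface(self, NetworkInterfaceId, InstanceId, DeviceIndex):
        e = self.enis[NetworkInterfaceId]
        if e["status"] != "available":
            raise RuntimeError(f"{NetworkInterfaceId} is {e['status']}")  # AWS: ClientError
        e.update(status="in-use", instance=InstanceId, index=DeviceIndex,
                 attachment=f"eni-attach-{NetworkInterfaceId[-4:]}-{InstanceId[-4:]}")
        return {"AttachmentId": e["attachment"]}

    def associate_route_table(self, RouteTableId, GatewayId):
        self.gateway_assoc[RouteTableId] = GatewayId
        return {"AssociationId": f"rtbassoc-{RouteTableId[-4:]}"}

    def create_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.routes.setdefault(RouteTableId, []).append((DestinationCidrBlock, NetworkInterfaceId))
        return {"Return": True}


def demo():
    """Constructed scenario: fw-a (active) fails; fw-b takes E1/2 (untrust, index 1)
    and E1/3 (trust, index 2). Ingress routing already points at the untrust ENI."""
    ec2 = FakeEc2({
        "eni-0aaa0002": {"instance": "i-0fw0000a", "index": 1, "attachment": "eni-attach-a2"},
        "eni-0aaa0003": {"instance": "i-0fw0000a", "index": 2, "attachment": "eni-attach-a3"},
    })
    configure_ingress_routing(ec2, "rtb-0edge0001", "igw-0edge0001", ["10.0.10.0/24"], "eni-0aaa0002")
    moved = move_dataplane_enis(ec2, "i-0fw0000a", "i-0fw0000b",
                                {"eni-0aaa0002": 1, "eni-0aaa0003": 2}, poll_s=0)
    return ec2, moved


if __name__ == "__main__":
    ec2, moved = demo()
    print(moved, ec2.routes)
```

The function is written to be re-runnable: an ENI already attached to this instance is skipped, so a retry after a partial failure (for example an API timeout mid-way) completes the move instead of failing on the interfaces that were already taken. In a real deployment the IAM role of the firewall instance must allow exactly these EC2 actions and nothing broader.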