Bind an Elastic IP(EIP) Address

1. Click the HAVIP you created to enter its configuration.
2. Create an Elastic IP Address (EIP) and click Bind, to bind the EIP to the HAVIP.

Bind an ECS Instance

1. Click the Bind button under ECS Instances.
2. Choose ENI as the resource type, and then choose the Instance and ENI to bind to the HAVIP.
3. Repeat the same procedure for the other Untrust interface.

   Once the EIP and both Untrust interfaces are bound to the HAVIP, you may find them in the HAVIP configuration page.
4. Repeat the same procedure to create the Internal HAVIP. For the Internal HAVIP, there is no need to bind any EIP to it. The configuration for the Internal HAVIP should be similar to the image below:

Configure Route Table

Traffic from the servers should be routed to the Internal HAVIP. To achieve this, a static route is configured in the route table associated with the server subnet.

Click VPCRoute Tables.

After creating the route table, add a custom route entry to point the default route to the Internal HAVIP, and associate this route table with the server vSwitch.

Configure the VM-Series Firewall

1. Configure the Untrust and Trust interfaces with static IPs. The Untrust interface is configured with the private IP address of the External HAVIP, while the Trust interface is configured with the private IP address of the Internal HAVIP. As configuration sync is enabled, when a failover occurs, the newly active VM-Series firewall will use the same set of IP addresses for its Untrust and Trust interfaces.
2. Ensure that the route table in the VM-Series firewall includes the default route via the Untrust interface, and a route to the server subnet via the Trust interface.
3. Configure the NAT rules for Inbound and Outbound traffic.

   For Inbound traffic, the NAT rule must have a destination address match on the private IP address of the External HAVIP. This destination address is translated to the web server address by the NAT rule.

   For Outbound traffic, the SNAT rule will match the source addresses of the servers. The source address will then be SNAT to the private IP address of the External HAVIP. The External HAVIP in turn SNATs the traffic to the public IP address of the External HAVIP.

Test the Traffic

The web server is accessed via the public IP address of the External HAVIP. In the following diagrams, observe that the client can successfully access the web server, as well as the public IP address of the client.

Testing Outbound Traffic

Accessing the internet from the server, the source IP address used is detected to be that of the External HAVIP.

Failover Testing

Start a ping test on the server. The active VM-Series firewall gets suspended and the passive VM-Series firewall will then become active. From the ping test, there could be around 11 ping drops before the traffic resumes. So, the failover time is around 11 seconds.

Two VM-Series firewalls can be deployed on Alibaba Cloud in active/passive HA mode with Alibaba Cloud HAVIP to provide high availability. This provides session and configuration sync between the two VM-Series firewalls. However, this only works in a single availability zone.

If an increase in capacity is required, the VM-Series firewalls need to be scaled-up, for example VM-300 → VM-500.

Virtual CPU (vCPU) Instance Types

The VM-Series firewalls used in the testing have four network interfaces: Management, Untrust, Trust, and HA2. On most Alibaba Cloud instance types, the four vCPU instance types provide three network interfaces. The eight vCPU instance types and above provide four or more network interfaces.

If four vCPU instance types need to be used, the VM-Series firewalls need to be deployed in one-arm mode as there can only be three network interfaces attached to each firewall. Inbound and outbound traffic will traverse the same data interface.