High Resiliency for VM-Series Firewall on IBM Cloud
Use the active/active high availability (HA) configuration to ensure high resiliency
for the VM-Series firewall on IBM Cloud.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | VM-Series License (BYOL); VM-Series plugin; Panorama; Panorama plugin for IBM Cloud |
You can deploy the VM-Series firewalls on IBM Cloud in the active/active high
availability (HA) configuration to provide redundancy in the network. The Network
Load Balancer (NLB) Route Mode feature is used to support VM-Series HA; it is
currently supported only for private IP addresses and TCP data traffic.
The ingress routing capability allows you to associate route tables with the IBM internet gateway
and add route rules that redirect application traffic through the VM-Series firewall.
This redirection ensures that all internet traffic passes through the firewall without
reconfiguring the application endpoints.
For more information on network load balancer for VPC Gen 2 Offering, see
Configure IBM VPC VM-Series for HA
To configure the VPC resources for HA, you need to:
- Create a VPC. For instructions on creating a VPC network,
see Getting Started with VPC network.
- Create one subnet for the VM-Series management interface.
This subnet can be shared between multiple VM-Series firewalls to support clustering.
- Create one subnet that is shared between the VM-Series
data interface and the Network Load Balancer (NLB).
- Create any additional subnets needed for the VSI workloads whose traffic is routed through the NLB
or the VNFs.
- Grant a service authorization in your IBM Cloud account so that
the NLB service can update the custom routes (the next hop) when an NLB failover occurs.
Grant only the role needed to modify routes; the authorization should not give the
load balancer service broader rights over the VPC.
Deploy the VM-Series Firewall
While deploying the VM-Series firewall in HA mode, ensure the following:
- The VM-Series data interface
is on the same shared subnet as the NLB you will provision later.
- Allow IP Spoofing is enabled on the VM-Series
data interface (the subnet shared with the NLB) through the Network Interfaces
page of the VPC VSI user interface. The firewall forwards packets whose source
address is not its own interface address, which the VPC drops unless this setting
is enabled. Enable it on the data interface only, not on the management interface.
- Health checks for the VNF configuration
are enabled on the NLB.
Configure Security Groups
The VM-Series data network interface is attached to a VPC Security Group. While configuring the
Security Groups, ensure that the Security Group has inbound rules that allow traffic
on the health-check port set up between the NLB and the VM-Series. For example, if the
health check is configured for TCP on port 80 (HTTP), create an inbound rule for TCP port 80
in that Security Group. Limit the rule's source to the NLB node addresses rather than
opening the port to all sources. Additionally, ensure that rules are created to allow or
restrict the data traffic itself.
Configure Custom Routes
Custom routes are created to ensure that the ingress
data traffic is routed through the NLB on its way to the VM-Series firewall
and the target destination. In some cases custom routes are also
needed to ensure that egress traffic is returned to the original client
source rather than bypassing the firewall. For more information, see
About routing tables and routes.
Considerations for NLB Failovers and Custom Routes
- Deploy the NLB as an active/passive cluster.
Each node has a distinct IP address; use the active node's IP
in the custom routes that you create. Run an nslookup on
the NLB hostname to determine the primary (active) IP for use in your route
configuration.
- Configure the VM-Series firewall to allow traffic from both the active and the passive NLB
nodes. This is needed for the health checks, which both nodes send. The NLB IPs can be retrieved
from the .
- If the NLB fails over to the other node, the custom routes are automatically updated
to use the new NLB IP as the next hop (this is what the service authorization granted
earlier permits).
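The security-group, IP-spoofing and custom-route requirements above are easy to get half right (a rule that admits only the active NLB node, a route left pointing at the node that was active at deployment time). The following is an added post-deployment check, not Palo Alto Networks or IBM Cloud code. It runs over constructed input loosely modelled on IBM VPC JSON (`direction`/`protocol`/`port_min`/`port_max`/`remote` for security-group rules, `next_hop.address` for routes); those field names, the hostname, the IP addresses and the in-memory DNS table standing in for the nslookup step are all assumptions.

```python
"""Sanity-check a VM-Series HA deployment behind an IBM Cloud NLB in route mode.

Added example (not vendor code). Input shapes and values are constructed
assumptions; in a real run you would feed it the JSON output of the CLI/API
and resolve the NLB hostname with socket.gethostbyname().
"""
import ipaddress
from typing import Dict, List

# Constructed stand-in for "nslookup <NLB hostname>": the active node's IP.
CONSTRUCTED_DNS = {"nlb-example.lb.appdomain.cloud": "10.240.1.10"}
NLB_NODE_IPS = ["10.240.1.10", "10.240.1.11"]   # active + passive (assumed)
HEALTH_CHECK_PORT = 80                          # TCP health check port (assumed)


def active_nlb_ip(hostname: str, dns: Dict[str, str] = CONSTRUCTED_DNS) -> str:
    """The IP the NLB hostname resolves to: the node custom routes must hop to."""
    return dns[hostname]


def _rule_covers(rule: dict, ip: str, port: int) -> bool:
    """True if an inbound rule admits TCP traffic from `ip` to `port`."""
    if rule.get("direction") != "inbound":
        return False
    proto = rule.get("protocol")
    if proto not in ("tcp", "all"):
        return False
    if proto == "tcp" and not (rule.get("port_min", 1) <= port <= rule.get("port_max", 65535)):
        return False
    remote = rule.get("remote", {})
    if "address" in remote:
        return remote["address"] == ip
    if "cidr_block" in remote:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(remote["cidr_block"], strict=False)
    # A remote that names another security group is not resolved here: treat it as
    # not covering, so the audit errs toward a finding rather than a silent pass.
    return False


def missing_health_check_sources(sg_rules: List[dict], nlb_ips: List[str], port: int) -> List[str]:
    """NLB node IPs (active and passive) that no inbound rule allows to the health-check port."""
    return [ip for ip in nlb_ips if not any(_rule_covers(r, ip, port) for r in sg_rules)]


def stale_routes(routes: List[dict], active_ip: str) -> List[str]:
    """Names of custom routes whose next hop is not the active NLB node."""
    return [r["name"] for r in routes if r.get("next_hop", {}).get("address") != active_ip]


def audit(deployment: dict) -> Dict[str, list]:
    """Return a dict of findings; an empty dict means the three checks all pass."""
    findings: Dict[str, list] = {}
    active = active_nlb_ip(deployment["nlb_hostname"])
    blocked = missing_health_check_sources(
        deployment["data_sg_rules"], deployment["nlb_node_ips"], deployment["health_check_port"])
    if blocked:
        findings["health_check_blocked_from"] = blocked
    stale = stale_routes(deployment["custom_routes"], active)
    if stale:
        findings["routes_not_via_active_nlb"] = stale
    if not deployment["data_interface"].get("allow_ip_spoofing", False):
        findings["ip_spoofing_disabled"] = [deployment["data_interface"]["name"]]
    return findings


# Constructed deployment with the three common mistakes: health check admitted from
# the active node only, route pointing at the passive node, IP spoofing left off.
BROKEN = {
    "nlb_hostname": "nlb-example.lb.appdomain.cloud",
    "nlb_node_ips": NLB_NODE_IPS,
    "health_check_port": HEALTH_CHECK_PORT,
    "data_interface": {"name": "eth1", "allow_ip_spoofing": False},
    "data_sg_rules": [
        {"direction": "inbound", "protocol": "tcp", "port_min": 80, "port_max": 80,
         "remote": {"address": "10.240.1.10"}},
        {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
    ],
    "custom_routes": [
        {"name": "to-app-subnet", "destination": "10.240.2.0/24",
         "next_hop": {"address": "10.240.1.11"}},
    ],
}

# The same deployment with the fixes applied (second node admitted, route on the
# active node, IP spoofing enabled on the data interface only).
FIXED = {
    **BROKEN,
    "data_interface": {"name": "eth1", "allow_ip_spoofing": True},
    "data_sg_rules": BROKEN["data_sg_rules"] + [
        {"direction": "inbound", "protocol": "tcp", "port_min": 80, "port_max": 80,
         "remote": {"address": "10.240.1.11"}},
    ],
    "custom_routes": [
        {"name": "to-app-subnet", "destination": "10.240.2.0/24",
         "next_hop": {"address": "10.240.1.10"}},
    ],
}

if __name__ == "__main__":
    print("broken:", audit(BROKEN))   # three findings
    print("fixed: ", audit(FIXED))    # {}
```

The health-check rule in `FIXED` admits exactly the two NLB node addresses rather than a /0 source, which is the scoping the Security Groups section calls for; a rule sourced from a whole CIDR still passes this check, so tighten the audit to per-address remotes if your policy requires it.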