High Availability for CN-Series Firewall on AWS EKS
Where Can I Use This? | What Do I Need? |
|
- CN-Series 10.2.x or above Container Images
- Panorama running PAN-OS 10.2.x or above version
- Helm 3.6 or above version client for CN-Series deployment with Helm
|
You can now deploy the CN-Series-as-a-Kubernetes-CNF
in HA. This mode of deployment supports only active/passive HA with
session and configuration synchronization.
The CN-Series-as-a-Kubernetes CNF deployment in HA with IPV6 is
not supported on AWS environment.
To ensure redundancy, you can deploy the CN-Series firewalls on AWS in an active/passive
high availability (HA) configuration. The active peer continuously synchronizes its
configuration and session information with the identically configured passive peer. A
heartbeat connection between the two devices ensures failover if the active device goes
down. You can deploy the CN-Series firewall on AWS EKS in HA through Secondary IP move.
To ensure that all traffic to your internet-facing applications passes through the
firewall, you can configure AWS ingress routing. The AWS ingress routing capability
allows you to associate route tables with the AWS Internet gateway and add route rules
to redirect the application traffic through the CN-Series firewall. This redirection
ensures that all internet traffic passes through the firewall without having to
reconfigure the application endpoints.
Secondary Move
When the active peer goes down, the passive peer detects this failure and becomes active.
Additionally, it triggers API calls to the AWS infrastructure to move the configured
secondary IP addresses from the dataplane interfaces of the failed peer to itself.
Additionally, AWS updates the route tables to ensure that traffic is directed to the
active firewall instance. These two operations ensure that inbound and outbound traffic
sessions are restored after failover. This option allows you to take advantage of DPDK
to improve the performance of your CN-Series firewall instances.