: High Availability Support for CN-Series Firewall on AWS EKS
Focus
Focus

High Availability Support for CN-Series Firewall on AWS EKS

Table of Contents

High Availability Support for CN-Series Firewall on AWS EKS

To ensure redundancy, you can deploy the CN-Series firewalls on AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. You can deploy the CN-Series firewall on AWS EKS in HA through Secondary IP move.
To ensure that all traffic to your internet-facing applications passes through the firewall, you can configure AWS ingress routing. The AWS ingress routing capability allows you to associate route tables with the AWS Internet gateway and add route rules to redirect the application traffic through the CN-Series firewall. This redirection ensures that all internet traffic passes through the firewall without having to reconfigure the application endpoints.
When the active peer goes down, the passive peer detects this failure and becomes active. Additionally, it triggers API calls to the AWS infrastructure to move the configured secondary IP addresses from the dataplane interfaces of the failed peer to itself. Additionally, AWS updates the route tables to ensure that traffic is directed to the active firewall instance. These two operations ensure that inbound and outbound traffic sessions are restored after failover. This option allows you to take advantage of DPDK to improve the performance of your CN-Series firewall instances.
AWS requires that all API requests must be cryptographically signed using credentials issued by them. In order to enable API permissions for the CN-Series firewalls that will be deployed as an HA pair, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the CN-Series firewalls at launch. The policy gives the IAM role permissions for initiating API actions required to move interfaces or secondary IP addresses from the active peer to the passive peer when failover is triggered.
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need to use a specific device in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each device. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state, and synchronizes configuration and state information with the active device so that it is ready to transition to an active state should a failure occur.