High Availability Support for CN-Series Firewall on AWS EKS
To ensure redundancy, you can deploy the CN-Series firewalls
on AWS in an active/passive high availability (HA) configuration.
The active peer continuously synchronizes its configuration and
session information with the identically configured passive peer.
A heartbeat connection between the two devices ensures failover
if the active device goes down. You can deploy the CN-Series firewall
on AWS EKS in HA through Secondary IP move.
To ensure that all traffic to your internet-facing applications
passes through the firewall, you can configure AWS ingress routing.
The AWS ingress routing capability allows you to associate route
tables with the AWS Internet gateway and add route rules to redirect
the application traffic through the CN-Series firewall. This redirection
ensures that all internet traffic passes through the firewall without
having to reconfigure the application endpoints.
When the active peer goes down, the passive peer detects the
failure and becomes active. It also triggers API calls to the AWS
infrastructure to move the configured secondary IP addresses from
the dataplane interfaces of the failed peer to its own interfaces.
AWS then updates the route tables so that traffic is directed to
the newly active firewall instance. Together, these two operations
restore inbound and outbound traffic sessions after failover.
This option allows you to take advantage of DPDK to improve the
performance of your CN-Series firewall instances.
AWS requires that all API requests be cryptographically signed
using credentials that it issues. To grant the necessary API
permissions to the CN-Series firewalls that will be deployed as an
HA pair, you must create a policy and attach that policy to a role
in the AWS Identity and Access Management (IAM) service. The role
must be attached to the CN-Series firewalls at launch. The policy
gives the IAM role permission to initiate the API actions required
to move interfaces or secondary IP addresses from the active peer
to the passive peer when failover is triggered.
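The following is an added example, not Palo Alto Networks' code or the exact policy the product ships. It builds the IAM policy document for the firewall instance role and then checks it for over-broad grants before it is attached. The EC2 action names are real AWS API actions; which subset a given CN-Series release actually calls is an assumption here, as are the tag key and value used to scope the mutating actions to the HA pair's own interfaces and route tables.

```python
"""Build and sanity-check an IAM policy for a CN-Series HA pair on AWS.

Added example, not Palo Alto Networks' own code. The EC2 action names are
real AWS API actions; treating exactly these as the set the firewall
needs is an assumption, so reconcile the list against CloudTrail for
your release.
"""

# Read-only calls the peer needs to discover its partner's interfaces.
DESCRIBE_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeRouteTables",
]

# Mutating calls: move secondary IPs and repoint routes on failover.
FAILOVER_ACTIONS = [
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
    "ec2:ReplaceRoute",
]


def build_ha_policy(ha_tag_key: str, ha_tag_value: str) -> dict:
    """Return an IAM policy document for the firewall instance role.

    Describe* calls do not support resource-level scoping, so they get
    Resource "*". The mutating calls are limited to resources carrying
    the HA pair's tag (the tag key and value are this example's own
    assumption; choose your own naming).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DiscoverPeer",
                "Effect": "Allow",
                "Action": DESCRIBE_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "MoveSecondaryIpsAndRoutes",
                "Effect": "Allow",
                "Action": FAILOVER_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        f"aws:ResourceTag/{ha_tag_key}": ha_tag_value
                    }
                },
            },
        ],
    }


def policy_findings(policy: dict) -> list:
    """Flag over-broad grants before the policy is attached to the role.

    Findings: wildcard actions, or a non-Describe (mutating) action that
    applies to every resource without any Condition. Returns a list of
    human-readable strings; an empty list means the policy passed.
    """
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
            mutating = not action.split(":", 1)[1].startswith("Describe")
            if mutating and "*" in resources and "Condition" not in stmt:
                findings.append(
                    f"{sid}: {action} on all resources with no condition"
                )
    return findings


if __name__ == "__main__":
    import json
    doc = build_ha_policy("pan-ha-pair", "prod-eks")
    print(json.dumps(doc, indent=2))
    print("findings:", policy_findings(doc) or "none")
```

The split between a Describe statement and a Condition-scoped mutating statement is the design choice worth keeping: if the instance role is ever compromised, the blast radius is limited to ENIs and route tables tagged for this HA pair rather than every VPC resource the account owns.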
The devices in an HA pair can be assigned a device priority value
to indicate a preference for which device should assume the active
role and manage traffic upon failover. If you need to use a specific
device in the HA pair for actively securing traffic, you must enable
the preemptive behavior on both firewalls and assign a device
priority value to each device. The device with the lower numerical
value, and therefore higher priority, is designated as active and
manages all traffic on the network. The other device is in a passive
state and synchronizes configuration and state information with the
active device so that it is ready to transition to the active state
should a failure occur.
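As an added example, not CN-Series or AWS code, the block below models the two behaviours described on this page: the election rule (lower priority value wins, but only when preemption is enabled on both peers; otherwise the incumbent keeps the active role until it fails) and the secondary IP and route move that a change of active peer triggers. The Peer and Cloud types, the ENI identifiers and the function names are this example's own; the in-memory Cloud stands in for the VPC state that the firewall would change through the EC2 API.

```python
"""Active/passive election plus the secondary-IP move it triggers.

Added example, not CN-Series or AWS code. Peer, Cloud and the function
names are this example's own; ENI IDs and addresses are constructed
sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    eni: str              # dataplane interface ID (constructed sample)
    priority: int         # lower number = higher priority
    preemptive: bool      # must be enabled on BOTH peers to take effect
    healthy: bool = True


@dataclass
class Cloud:
    """Minimal stand-in for the VPC state the HA pair manipulates."""
    secondary_ips: dict = field(default_factory=dict)  # eni -> [ip, ...]
    routes: dict = field(default_factory=dict)         # dest cidr -> eni


def elect_active(peers, current_active):
    """Return the name of the peer that should hold the active role.

    current_active is the peer that currently owns the secondary IPs
    (None at initial bring-up). Preemption only counts if every peer has
    it enabled; without it, a healthy incumbent keeps the role.
    """
    healthy = [p for p in peers if p.healthy]
    if not healthy:
        return None
    preempt = all(p.preemptive for p in peers)
    incumbent = next((p for p in healthy if p.name == current_active), None)
    if incumbent is not None and not preempt:
        return incumbent.name
    # initial election, failover, or preemption: lowest value wins
    # (ties resolve to the first peer listed)
    return min(healthy, key=lambda p: p.priority).name


def move_secondary_ips(cloud, old_eni, new_eni):
    """Move every secondary IP from old_eni to new_eni and repoint every
    route that targeted old_eni. Returns the ordered (api_action, detail)
    steps taken. AWS can do the unassign/assign in one call with
    AssignPrivateIpAddresses(AllowReassignment=True); shown as two steps
    here so each state change is visible."""
    steps = []
    ips = cloud.secondary_ips.pop(old_eni, [])
    if ips:
        steps.append(("UnassignPrivateIpAddresses", (old_eni, list(ips))))
        cloud.secondary_ips.setdefault(new_eni, []).extend(ips)
        steps.append(("AssignPrivateIpAddresses", (new_eni, list(ips))))
    for cidr, eni in cloud.routes.items():
        if eni == old_eni:
            cloud.routes[cidr] = new_eni
            steps.append(("ReplaceRoute", (cidr, new_eni)))
    return steps


def failover(peers, cloud, current_active):
    """Re-run the election; if the active role changes hands, carry out the
    IP/route move from the previous active peer's ENI to the new one.
    Returns (new_active_name, steps)."""
    new_active = elect_active(peers, current_active)
    if new_active is None or new_active == current_active:
        return new_active, []
    if current_active is None:          # initial bring-up: nothing to move
        return new_active, []
    by_name = {p.name: p for p in peers}
    steps = move_secondary_ips(cloud, by_name[current_active].eni,
                               by_name[new_active].eni)
    return new_active, steps


if __name__ == "__main__":
    fw_a = Peer("fw-a", "eni-a", 100, True)
    fw_b = Peer("fw-b", "eni-b", 200, True)
    vpc = Cloud(secondary_ips={"eni-a": ["10.0.1.50"]},
                routes={"0.0.0.0/0": "eni-a"})
    active, _ = failover([fw_a, fw_b], vpc, None)
    fw_a.healthy = False
    active, steps = failover([fw_a, fw_b], vpc, active)
    print(active, steps)
```

Running the walkthrough in the main block shows the sequence the page describes: fw-a wins the initial election, fails, and fw-b takes over by moving 10.0.1.50 and the default route to eni-b. With preemption on both peers, fw-a reclaims the role when it recovers; flip either peer's preemptive flag to False and fw-b keeps it.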