Architecture of Active/Passive HA on GCP

The architecture is very similar to the traditional load balancer (LB) architecture recommended for GCP, in which an external LB manages the untrust (inbound) traffic and an internal LB manages the trust-side egress and east-west traffic.
The VM-Series firewalls are deployed as an active/passive pair, with NIC 3 of each firewall dedicated to the HA2 (session synchronization) interface.
The HA setup on GCP supports connection tracking: the LB tracks each connection from the external client, through the external LB, to the firewall backend. On a firewall failover, the LBs carry the existing connections over to the secondary firewall (which now becomes active) without disruption.
Both firewalls are placed in the backend pool of the internal LBs, that is, the pool is configured as if the pair were active/active, but the standby firewall does not process any traffic. The LBs health-check both backends; when the active firewall goes down and the standby firewall takes over, the health check against the newly active firewall succeeds and traffic is distributed to it.
Note: HA on GCP supports interface-level tracking. LB health checks are not tracked as part of the HA transition, so a condition outside the firewall interfaces (for example, a rule in the Google infrastructure that blocks the health-check probes) causes the LB to mark the firewall unhealthy but is not detected by HA and does not by itself trigger a failover.
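As an added example (not part of the original page and not Palo Alto Networks' own deployment tooling), the following shell script sketches the GCP objects the architecture above relies on: one health check that both HA peers receive, a VPC firewall rule admitting Google's health-check probe ranges (the kind of rule the note above warns about), and the internal passthrough LB backend service and forwarding rule with an explicit connection-tracking policy. The project, region, zone, network, subnet and instance-group names, the probe port (443) and the tracking settings (PER_SESSION tracking, NEVER_PERSIST on unhealthy backends) are assumptions to check against the deployment guide for your PAN-OS release; with GCLOUD=echo the script prints the gcloud commands instead of executing them.

```shell
#!/bin/sh
# Added example: builds the GCP health check, probe-admitting firewall rule and
# internal passthrough LB for a VM-Series active/passive pair. Not from the
# original page. All names, the port and the tracking policy are assumptions.
# Run with GCLOUD=echo to print the gcloud commands instead of executing them.

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"              # placeholder project
REGION="${REGION:-us-central1}"               # placeholder region
FW_ZONE="${FW_ZONE:-us-central1-a}"           # placeholder zone of the pair
TRUST_NET="${TRUST_NET:-vmseries-trust}"      # placeholder trust VPC (NIC 2)
TRUST_SUBNET="${TRUST_SUBNET:-trust-subnet}"  # placeholder trust subnet
# Unmanaged instance group holding BOTH HA peers. The standby peer fails the
# probe until it becomes active, so the LB never sends it traffic.
FW_GROUP="${FW_GROUP:-vmseries-ha-peers}"
HC_PORT="${HC_PORT:-443}"                     # assumed probe port on the firewall

# Regional TCP health check probed against the firewall's trust interface.
# 5 s interval with a threshold of 2 keeps failover detection around 10 s
# (assumption: the firewall's interface management profile answers on HC_PORT).
create_health_check() {
  "$GCLOUD" compute health-checks create tcp vmseries-trust-hc \
    --project="$PROJECT" --region="$REGION" --port="$HC_PORT" \
    --check-interval=5s --timeout=3s \
    --healthy-threshold=2 --unhealthy-threshold=2
}

# Google health-check probes come from 35.191.0.0/16 and 130.211.0.0/22.
# A VPC rule that blocks them marks the firewall unhealthy at the LB, and
# HA does not see that (see the note above), so admit them explicitly.
create_health_check_ingress() {
  "$GCLOUD" compute firewall-rules create allow-gcp-health-checks \
    --project="$PROJECT" --network="$TRUST_NET" --direction=INGRESS \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 --allow="tcp:$HC_PORT"
}

# Internal passthrough LB backend service for trust/egress and east-west
# traffic. UNSPECIFIED protocol lets the firewall see all IP protocols.
# Connection tracking: PER_SESSION plus NEVER_PERSIST means that once the old
# active peer is unhealthy, packets of existing flows are steered to the new
# active peer, which accepts them because HA2 synchronized the session table.
create_internal_backend_service() {
  "$GCLOUD" compute backend-services create vmseries-ilb-bes \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --protocol=UNSPECIFIED \
    --network="$TRUST_NET" \
    --health-checks=vmseries-trust-hc --health-checks-region="$REGION" \
    --session-affinity=CLIENT_IP \
    --tracking-mode=PER_SESSION \
    --connection-persistence-on-unhealthy-backends=NEVER_PERSIST
  "$GCLOUD" compute backend-services add-backend vmseries-ilb-bes \
    --project="$PROJECT" --region="$REGION" \
    --instance-group="$FW_GROUP" --instance-group-zone="$FW_ZONE"
}

# Forwarding rule: all ports and protocols on the trust subnet; this VIP is
# the next hop in the trust VPC routes (route creation is out of scope here).
create_internal_forwarding_rule() {
  "$GCLOUD" compute forwarding-rules create vmseries-ilb-fr \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL \
    --network="$TRUST_NET" --subnet="$TRUST_SUBNET" \
    --ip-protocol=L3_DEFAULT --ports=ALL \
    --backend-service=vmseries-ilb-bes --backend-service-region="$REGION"
}

# Only act when invoked as "./script.sh apply"; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
  create_health_check
  create_health_check_ingress
  create_internal_backend_service
  create_internal_forwarding_rule
fi
```

The external LB in front of the untrust interface is built the same way with --load-balancing-scheme=EXTERNAL on the untrust network and its own forwarding rule. The settings worth checking after a failover test are the two connection-tracking flags: with the default persistence for TCP, the LB can keep steering an established flow to the backend it has just marked unhealthy, which defeats the session failover the architecture promises.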
The following are the use-cases for deploying HA in GCP:
  • IPSec termination of site-to-site VPNs.
  • Legacy applications that need visibility of the original source client IP (no-SNAT solution) for inbound traffic flows.
  • Requirements for session fail-over on failure of the VM-Series firewall.