
Example: Set VS on AWS in HA-VRRP mode

5.4.1

Example: Set VS on AWS in HA-VRRP mode

Configure HA on ADC1

config system ha

set mode active-active-vrrp

set hbdev port4

set datadev port4

set group-name vrrp

set l7-persistence-pickup enable

set l4-persistence-pickup enable

set l4-session-pickup enable

set hb-type unicast

set local-address 10.1.4.253

set peer-address 10.1.4.252

end

Configure HA on ADC2

config system ha

set mode active-active-vrrp

set hbdev port4

set datadev port4

set local-node-id 1

set group-name vrrp

set priority 2

set config-priority 50

set l7-persistence-pickup enable

set l4-persistence-pickup enable

set l4-session-pickup enable

set hb-type unicast

set local-address 10.1.4.252

set peer-address 10.1.4.253

end

Configure Traffic-Group on ADC

config system traffic-group

edit "traffic_group_1"

set failover-order 0 1

set preempt enable

next

edit "traffic_group_2"

set failover-order 1 0

set preempt enable

next

end

Configure VS on ADC

config load-balance real-server

edit "10_1_2_201"

set ip 10.1.2.201

next

edit "10_1_3_201"

set ip 10.1.3.201

next

end

config load-balance pool

edit "RS_2_0"

set health-check-list LB_HLTHCK_ICMP

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server 10_1_2_201

next

end

next

edit "RS_3_0"

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server 10_1_3_201

next

end

next

end

config load-balance virtual-server

edit "VS1"

set type l7-load-balance

set interface port1

set ip 10.1.1.101

set load-balance-profile LB_PROF_HTTP

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool RS_2_0

set traffic-group traffic_group_1

next

edit "VS2"

set interface port1

set ip 10.1.1.102

set load-balance-profile LB_PROF_TCP

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool RS_3_0

set traffic-group traffic_group_2

next

end

Configure Floating IP on ADC

ADC1:

config system interface

edit "port2"

set vdom root

set ip 10.1.2.253/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_1

set floating enable

set floating-ip 10.1.2.251

next

edit "port3"

set vdom root

set ip 10.1.3.253/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_2

set floating enable

set floating-ip 10.1.3.251

next

end

ADC2:

config system interface

edit "port2"

set vdom root

set ip 10.1.2.252/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_1

set floating enable

set floating-ip 10.1.2.251

next

edit "port3"

set vdom root

set ip 10.1.3.252/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_2

set floating enable

set floating-ip 10.1.3.251

next

end

Configure on AWS

1. Ensure that the gateway of the real servers (RS) is a floating IP.

2. Assign the VS IPs and floating IPs to the network interfaces of the AWS EC2 ADC instances.

In this example, assign VS IP 10.1.1.101 to ADC1 eth0 and VS IP 10.1.1.102 to ADC2 eth0; assign floating IP 10.1.2.251 to ADC1 eth1 and floating IP 10.1.2.251 to ADC2 eth2.

3. Allocate an Elastic IP and associate it with the VS IP. Users can then reach the VS through that public IP.

In this example, allocate one Elastic IP for VS1 IP 10.1.1.101 and another for VS2 IP 10.1.1.102.

4. For an L4 DNAT VS, or an L7 VS with "client-address" enabled, you must disable "Source/Dest. Check" on the AWS EC2 ADC interface that connects to the RS, because the ADC forwards packets whose source or destination address is not that interface's own and AWS would otherwise drop them.

Example: Set VS on AWS in HA-VRRP mode

Configure HA on ADC1

config system ha

set mode active-active-vrrp

set hbdev port4

set datadev port4

set group-name vrrp

set l7-persistence-pickup enable

set l4-persistence-pickup enable

set l4-session-pickup enable

set hb-type unicast

set local-address 10.1.4.253

set peer-address 10.1.4.252

end

Configure HA on ADC2

config system ha

set mode active-active-vrrp

set hbdev port4

set datadev port4

set local-node-id 1

set group-name vrrp

set priority 2

set config-priority 50

set l7-persistence-pickup enable

set l4-persistence-pickup enable

set l4-session-pickup enable

set hb-type unicast

set local-address 10.1.4.252

set peer-address 10.1.4.253

end

Configure Traffic-Group on ADC

config system traffic-group

edit "traffic_group_1"

set failover-order 0 1

set preempt enable

next

edit "traffic_group_2"

set failover-order 1 0

set preempt enable

next

end

Configure VS on ADC

config load-balance real-server

edit "10_1_2_201"

set ip 10.1.2.201

next

edit "10_1_3_201"

set ip 10.1.3.201

next

end

config load-balance pool

edit "RS_2_0"

set health-check-list LB_HLTHCK_ICMP

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server 10_1_2_201

next

end

next

edit "RS_3_0"

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server 10_1_3_201

next

end

next

end

config load-balance virtual-server

edit "VS1"

set type l7-load-balance

set interface port1

set ip 10.1.1.101

set load-balance-profile LB_PROF_HTTP

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool RS_2_0

set traffic-group traffic_group_1

next

edit "VS2"

set interface port1

set ip 10.1.1.102

set load-balance-profile LB_PROF_TCP

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool RS_3_0

set traffic-group traffic_group_2

next

end

Configure Floating IP on ADC

ADC1:

config system interface

edit "port2"

set vdom root

set ip 10.1.2.253/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_1

set floating enable

set floating-ip 10.1.2.251

next

edit "port3"

set vdom root

set ip 10.1.3.253/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_2

set floating enable

set floating-ip 10.1.3.251

next

end

ADC2:

config system interface

edit "port2"

set vdom root

set ip 10.1.2.252/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_1

set floating enable

set floating-ip 10.1.2.251

next

edit "port3"

set vdom root

set ip 10.1.3.252/24

set allowaccess ping

config ha-node-ip-list

end

set traffic-group traffic_group_2

set floating enable

set floating-ip 10.1.3.251

next

end

Configure on AWS

1. Ensure that the gateway of the real servers (RS) is a floating IP.

2. Assign the VS IPs and floating IPs to the network interfaces of the AWS EC2 ADC instances.

In this example, assign VS IP 10.1.1.101 to ADC1 eth0 and VS IP 10.1.1.102 to ADC2 eth0; assign floating IP 10.1.2.251 to ADC1 eth1 and floating IP 10.1.2.251 to ADC2 eth2.

3. Allocate an Elastic IP and associate it with the VS IP. Users can then reach the VS through that public IP.

In this example, allocate one Elastic IP for VS1 IP 10.1.1.101 and another for VS2 IP 10.1.1.102.

4. For an L4 DNAT VS, or an L7 VS with "client-address" enabled, you must disable "Source/Dest. Check" on the AWS EC2 ADC interface that connects to the RS, because the ADC forwards packets whose source or destination address is not that interface's own and AWS would otherwise drop them.