Deploying FortiGate-VM HA on AliCloud between availability zones
This guide provides a sample configuration of active-passive FortiGate-VM HA on AliCloud between availability zones (AZs).
The following depicts the network topology for this sample deployment:
The following lists the IP address assignments for this sample deployment for FortiGate-A:
| Port | AliCloud primary address | Subnet |
|---|---|---|
| port1 | 10.0.11.11 | 10.0.11.0/24 (EIP3) |
| port2 | 10.0.12.11 | 10.0.12.0/24 |
| port3 | 10.0.13.11 | 10.0.13.0/24 |
| port4 | 10.0.14.11 | 10.0.14.0/24 (EIP1) |
The following lists the IP address assignments for this sample deployment for FortiGate-B:
| Port | AliCloud primary address | Subnet |
|---|---|---|
| port1 | 10.0.21.12 | 10.0.21.0/24 |
| port2 | 10.0.22.12 | 10.0.22.0/24 |
| port3 | 10.0.23.12 | 10.0.23.0/24 |
| port4 | 10.0.24.12 | 10.0.24.0/24 (EIP2) |
Note: IPsec VPN phase 1 configuration does not synchronize between the primary and secondary FortiGates across AZs. Phase 2 configuration does synchronize.
To check the prerequisites:
The following prerequisites must be met for this deployment:
- One VPC with one subnet each for management, external, internal, and heartbeat purposes for each AZ
- Three public IP addresses:
  - EIP1 and EIP2 for FortiGate-A and FortiGate-B management
  - EIP3 for the HA external traffic IP address
- Two FortiGate-VM instances, both PAYG or BYOL
- The following summarizes the minimum sufficient RAM roles for this deployment:
  - AliyunECSFullAccess
  - AliyunEIPFullAccess
  - AliyunVPCFullAccess
Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for more details.
To configure FortiGate-VM HA in AliCloud:
- In the AliCloud management console, create a VPC with eight VSwitches (four for each AZ):
| VSwitch | Purpose |
|---|---|
| net1-external-za | External data traffic on the public network-facing side. |
| net2-internal-za | Internal data traffic interface on the protected/trusted network-facing side. |
| net3-heartbeat-za | Heartbeat between the two FortiGate nodes. This is unicast communication. |
| net4-mgmt-za | Dedicated management interface. |
| net1-external-zb | External data traffic on the public network-facing side. |
| net2-internal-zb | Internal data traffic interface on the protected/trusted network-facing side. |
| net3-heartbeat-zb | Heartbeat between the two FortiGate nodes. This is unicast communication. |
| net4-mgmt-zb | Dedicated management interface. |
- Add six ENIs: three for each AZ:
- Create two routing tables:
  - Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 secondary IP address (10.0.2.23) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.
  - Create a routing table called "rtb-external" for the remaining VSwitches. Set this VCN's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.
To deploy the FortiGate-VMs in AliCloud:
To take advantage of A-P HA, each FortiGate-VM in the A-P HA cluster needs four vNICs (port1 to port4). Configure all network interfaces that A-P HA requires, both the AliCloud ENIs and the matching FortiGate-VM interface settings. You must choose an AliCloud instance type that supports at least four vNICs.
Ensure the following:
- You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
- You have attached four NICs to each FortiGate-VM and assigned each a static private IP address.
- EIP1 was bound to the FortiGate-A port4 management interface.
- EIP3 was bound to the FortiGate-A port1 external interface.
- EIP2 was bound to the FortiGate-B port4 management interface.
To configure FortiGate-A using the CLI:
The next steps show how to configure A-P HA settings using CLI commands, either in the GUI's CLI console or over SSH. If you use SSH, the FortiGate may lose the connection when the routing table changes, so configuring HA via the GUI is recommended.
```
config system interface
    edit "port1"
        set mode static
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.14.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
```

```
config router static
    edit 1
        set gateway 10.0.11.253
        set device "port1"
    next
end
```

```
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

```
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.253
        next
    end
    set priority 192
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.12
end
```
To configure FortiGate-B using the CLI:
The next steps show how to configure A-P HA settings using CLI commands, either in the GUI's CLI console or over SSH. If you use SSH, the FortiGate may lose the connection when the routing table changes, so configuring HA via the GUI is recommended.
```
config system interface
    edit "port1"
        set mode static
        set ip 10.0.21.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.22.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.23.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.24.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
```

```
config router static
    edit 1
        set gateway 10.0.21.253
        set device "port1"
    next
end
```

```
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

```
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.24.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.11
end
```
Note: You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority. The node with the lower priority becomes the secondary node. On each node, `unicast-hb-peerip` is the other node's port3 (heartbeat) address: FortiGate-B's port3 address (10.0.23.12) on FortiGate-A, and FortiGate-A's port3 address (10.0.13.11) on FortiGate-B.
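The two nodes' CLI blocks have to agree with each other in several places: the HA group name, mode and heartbeat device must match, each node's `unicast-hb-peerip` must be the other node's port3 address, the intended primary must carry the higher priority, and each HA management gateway must sit in its own port4 subnet. The following Python script is an added example (it is not Fortinet or AliCloud code) that parses FortiOS CLI text for both nodes and cross-checks those values before the configuration is pushed, which is easier than spotting a mistyped octet by eye. The embedded configuration is constructed from the addressing in this guide and reduced to the heartbeat and management ports the checks need; a second copy of the FortiGate-B block carries a deliberately mistyped peer address to show what the check reports.

```python
"""Pre-deployment consistency check for a FortiGate-VM A-P HA pair.

Added example, not Fortinet or AliCloud code. It parses the FortiOS CLI
blocks of both nodes into nested dicts and cross-checks what must match
(group-name, mode, hbdev), mirror (unicast-hb-peerip against the peer's
heartbeat port address) or be internally consistent (HA management gateway
inside the management port's subnet, primary holding the higher priority).
"""
import ipaddress
import shlex


def parse_fortios(text):
    """Turn FortiOS 'config / edit / set / next / end' text into nested dicts:
    'config system ha' -> cfg["system ha"], 'edit "port3"' -> child dict "port3",
    'set ip A M' -> ["A", "M"] under key "ip"."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # '#' comments are ours, not FortiOS syntax
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif verb == "set":
            cur[args[0]] = args[1:]
        elif verb in ("next", "end"):
            cur = stack.pop()
    return root


def interface_ip(cfg, port):
    """Return the IPv4Interface from 'set ip ADDR MASK' on `port`, or None."""
    ip = cfg.get("system interface", {}).get(port or "", {}).get("ip")
    return ipaddress.ip_interface(f"{ip[0]}/{ip[1]}") if ip else None


def check_ha_pair(cfg_a, cfg_b, name_a="FortiGate-A", name_b="FortiGate-B"):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    ha_a, ha_b = cfg_a.get("system ha", {}), cfg_b.get("system ha", {})
    for key in ("group-name", "mode", "hbdev"):
        if ha_a.get(key) != ha_b.get(key):
            findings.append(f"{key} differs: {ha_a.get(key)} vs {ha_b.get(key)}")
    # The intended primary (cfg_a) must carry the higher priority; FortiOS defaults to 128.
    prio_a, prio_b = (int(h.get("priority", ["128"])[0]) for h in (ha_a, ha_b))
    if prio_a <= prio_b:
        findings.append(f"{name_a} priority {prio_a} is not higher than {name_b} priority {prio_b}")
    for local, peer, lname, pname in ((cfg_a, cfg_b, name_a, name_b), (cfg_b, cfg_a, name_b, name_a)):
        ha = local.get("system ha", {})
        hbdev = ha.get("hbdev", [None])[0]
        # Unicast heartbeat: this node's peer IP must be the address the other
        # node configured on the same heartbeat port.
        expected = interface_ip(peer, hbdev)
        peer_ip = ha.get("unicast-hb-peerip", [None])[0]
        if ha.get("unicast-hb") != ["enable"]:
            findings.append(f"{lname}: unicast-hb is not enabled")
        if expected is None or peer_ip != str(expected.ip):
            have = expected.ip if expected else "unset"
            findings.append(f"{lname}: unicast-hb-peerip {peer_ip} != {pname} {hbdev} address {have}")
        # The HA management gateway has to be inside the management port's subnet.
        mgmt = ha.get("ha-mgmt-interfaces", {}).get("1", {})
        port, gw = mgmt.get("interface", [None])[0], mgmt.get("gateway", [None])[0]
        iface = interface_ip(local, port)
        if iface is None or gw is None or ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"{lname}: HA management gateway {gw} is outside the {port} subnet")
    return findings


# Constructed from this guide's addressing; only port3 (heartbeat) and port4
# (management) are included because those are the ports the checks read.
NODE_TEMPLATE = """
config system interface
    edit "port3"
        set ip {hb_ip} 255.255.255.0
    next
    edit "port4"
        set ip {mgmt_ip} 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway {mgmt_gw}
        next
    end
    set priority {priority}
    set unicast-hb enable
    set unicast-hb-peerip {peer_ip}
end
"""
FGT_A = NODE_TEMPLATE.format(hb_ip="10.0.13.11", mgmt_ip="10.0.14.11",
                             mgmt_gw="10.0.14.253", priority=192, peer_ip="10.0.23.12")
FGT_B = NODE_TEMPLATE.format(hb_ip="10.0.23.12", mgmt_ip="10.0.24.12",
                             mgmt_gw="10.0.24.253", priority=64, peer_ip="10.0.13.11")
FGT_B_TYPO = FGT_B.replace("10.0.13.11", "10.0.13.21")  # constructed: peer address mistyped

if __name__ == "__main__":
    a, b = parse_fortios(FGT_A), parse_fortios(FGT_B)
    print("consistent pair:", check_ha_pair(a, b) or "no findings")
    print("mistyped peer:  ", check_ha_pair(a, parse_fortios(FGT_B_TYPO)))
```

For a real deployment, paste each node's full CLI text into `parse_fortios` (the parser ignores tables the checks do not use, such as the firewall policy) and refuse to push the configuration while `check_ha_pair` returns any finding.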
To check the HA status and function:
- In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.
- Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
- Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node. Use an API call to verify that the secondary private IP address moves to FortiGate-B.
- Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
- You can use the `diagnose debug application alicloud-ha -1` command to see whether the secondary private IP address moves from FortiGate-A to FortiGate-B during failover.
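To make the API check in the failover step repeatable, the following Python script is an added example (not Fortinet or AliCloud code) that takes the JSON returned by the ECS DescribeNetworkInterfaces API, for instance saved from `aliyun ecs DescribeNetworkInterfaces --RegionId <your-region>` (the region ID is your own value), and reports which ENI and instance currently hold a given private IP address. Run once before and once after shutting down FortiGate-A, the two snapshots show whether the secondary address moved to FortiGate-B and was not left on both ENIs at once. The field names follow the ECS API reference; the ENI IDs, instance IDs and the two snapshots below are constructed, and the floating address is the rtb-internal gateway value used earlier in this guide.

```python
"""Confirm which FortiGate holds the HA secondary (floating) private IP.

Added example, not Fortinet or AliCloud code. It reads the JSON returned by
the ECS DescribeNetworkInterfaces API (field names as in the ECS API
reference: NetworkInterfaceSets.NetworkInterfaceSet[].PrivateIpSets.PrivateIpSet[])
and reports the ENI and instance that carry a given address, so snapshots
taken before and after shutting down FortiGate-A prove the failover moved it.
All IDs in the samples are constructed placeholders.
"""
import json

# Floating address from the rtb-internal example in this guide; the primary
# port2 addresses come from the FortiGate-A and FortiGate-B tables.
FLOATING_IP = "10.0.2.23"


def _eni(eni_id, instance_id, primary_ip, *secondary_ips):
    """Build one ENI record in the DescribeNetworkInterfaces response shape."""
    ips = [{"PrivateIpAddress": primary_ip, "Primary": True}]
    ips += [{"PrivateIpAddress": ip, "Primary": False} for ip in secondary_ips]
    return {
        "NetworkInterfaceId": eni_id,
        "InstanceId": instance_id,
        "PrivateIpAddress": primary_ip,
        "PrivateIpSets": {"PrivateIpSet": ips},
    }


def _snapshot(*enis):
    """Wrap ENI records the way the API response does."""
    return {"NetworkInterfaceSets": {"NetworkInterfaceSet": list(enis)}}


# Constructed snapshots: before failover the secondary IP sits on FortiGate-A's
# port2 ENI, afterwards on FortiGate-B's.
BEFORE = _snapshot(
    _eni("eni-EXAMPLE-a-port2", "i-EXAMPLE-fortigate-a", "10.0.12.11", FLOATING_IP),
    _eni("eni-EXAMPLE-b-port2", "i-EXAMPLE-fortigate-b", "10.0.22.12"),
)
AFTER = _snapshot(
    _eni("eni-EXAMPLE-a-port2", "i-EXAMPLE-fortigate-a", "10.0.12.11"),
    _eni("eni-EXAMPLE-b-port2", "i-EXAMPLE-fortigate-b", "10.0.22.12", FLOATING_IP),
)


def holders(response, ip):
    """Return [(NetworkInterfaceId, InstanceId), ...] for every ENI carrying `ip`.

    A healthy cluster yields exactly one entry; zero means the address is
    unassigned (traffic blackholed), two means both nodes claim it.
    """
    found = []
    for eni in response["NetworkInterfaceSets"]["NetworkInterfaceSet"]:
        for entry in eni["PrivateIpSets"]["PrivateIpSet"]:
            if entry["PrivateIpAddress"] == ip:
                found.append((eni["NetworkInterfaceId"], eni["InstanceId"]))
    return found


def failover_moved_ip(before, after, ip, from_instance, to_instance):
    """True when `ip` sat only on `from_instance` before and only on `to_instance` after."""
    pre, post = holders(before, ip), holders(after, ip)
    if len(pre) != 1 or len(post) != 1:
        return False
    return pre[0][1] == from_instance and post[0][1] == to_instance


def load_snapshot(path):
    """Load a saved DescribeNetworkInterfaces response from disk."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    print("before:", holders(BEFORE, FLOATING_IP))
    print("after: ", holders(AFTER, FLOATING_IP))
    print("moved: ", failover_moved_ip(BEFORE, AFTER, FLOATING_IP,
                                       "i-EXAMPLE-fortigate-a", "i-EXAMPLE-fortigate-b"))
```

With real data, save the API output to two files around the failover test and call `failover_moved_ip(load_snapshot("before.json"), load_snapshot("after.json"), FLOATING_IP, <instance-a>, <instance-b>)` with your own instance IDs; a `False` result together with two entries from `holders` on the after snapshot is the case to investigate first, since both nodes claiming the address breaks the rtb-internal default route.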