Deploying FortiGate-VM HA on OCI within one AD
FortiGate active-passive HA
FortiGate's native active-passive HA feature (without using an OCI supplementary mechanism such as a load balancer) can be configured with two FortiGate-VM instances: one acting as the primary node and the other as the secondary node, both located in the same AD. This guide refers to the primary and secondary nodes as FortiGate A and FortiGate B, respectively. This is called "unicast HA" and is specific to cloud environments, including OCI, to be compliant to their network restrictions in comparison to an equivalent feature that physical FortiGates provided. The FortiGate-VMs run heartbeats between dedicated ports and synchronize OS configurations. When the primary node fails, the secondary node takes over as the primary node so endpoints continue to communicate with external resources over the FortiGate-VM. Sessions are also synchronized at the time of failover.
Using the latest version of FortiGate-VM is always recommended.
When deploying a FortiGate-VM HA cluster, choose a compute VM shape that supports four or more vNICs for each FortiGate-VM instance. Two FortiGate-VM instances must be the same compute VM shape. |
Deploying and configuring FortiGate active-passive HA
For this HA deployment, you can manually configure two FortiGate-VM instances after deployment on OCI using CLI commands or run Terraform scripts. Terraform scripts for FortiOS 6.4 will be supported in the future. Your deployment will have different IP addresses than in the diagram.
Unlike other public clouds, on OCI, you must configure port 1 as the management interface. The other ports are interchangeable. Locating each port in a different subnet is considered best practice. DNS must work with port 1 to resolve OCI's API endpoint URLs at the time of HA failover.
You must configure primary private IP addresses, even where not mentioned in the diagram. Although not required for HA purposes, you must do this to comply with general networking requirements. |