AliCloud Administration Guide

HA for FortiGate-VM on AliCloud

There are different ways to configure active-passive high availability (A-P HA) on FortiGate-VM for AliCloud.

The first deployment scenario, as Deploying and configuring FortiGate-VM on AliCloud using HAVIP describes, depends on the HA virtual IP address (HAVIP) function that AliCloud provides. In this scenario, you must locate both the internal and external interface on port1. The primary and secondary FortiGates share the same IP address. Failover may be quicker than in the second scenario, since there are no elastic IP (EIP) addresses or route tables to update. This scenario natively supports session pickup.

The second deployment scenario, as Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs describes, achieves HA by introducing EIP moving and route table updating capabilities. In this scenario, you can locate the internal and external interface on different interfaces. Optionally, you can also leverage an HA virtual IP address (HAVIP) for external traffic on port1 and internal traffic on port2 for increased efficiency and flexibility. This scenario supports session pickup, but in a more limited way than in the first scenario.

Consider the following when deciding which HA scenario to deploy:

  • If you need session pickup capabilities and cannot disable NAT for incoming firewall policies, you must use the first scenario.
  • If you need session pickup capabilities and can disable NAT for incoming firewall policies, you can use the second scenario with HAVIP on port1 and attach an EIP to the HAVIP. This scenario does not require EIP moving but does require route table updating for internal traffic. This scenario provides the best balance between flexibility and efficiency.
  • If you cannot use port1 for external traffic, you must use the second scenario with EIP moving and route table updating. This may require more failover time.

In A-P HA mode, FortiGate-VM on AliCloud running FortiOS 7.2.8 and later versions supports moving all attached EIPs from the old primary instance to the new primary instance on failover. The option to assign multiple EIPs to a FortiGate-VM primary elastic network interface is unavailable in the AliCloud portal GUI; you can only perform the assignment using the AliCloud CLI.
