High Availability between Availability Domains
Support for Active-Passive HA (High Availability) between Availability Domains (ADs) in Oracle Cloud.
This feature adds another layer of redundancy so that uptime is preserved even if a catastrophic failure takes out an entire Availability Domain. You can now deploy FortiGate units across Availability Domains in an HA A-P configuration.
Following is an example structure:
- 1 VCN 10.0.0.0/16 CIDR:
  - 8 Subnets:
    - 4 in Availability Domain 1 - Primary FGTA has a NIC in each of these:
      - Public - 10.0.0.0/24 EIP
      - Internal - 10.0.1.0/24
      - Heartbeat - 10.0.2.0/24
      - Management - 10.0.3.0/24 EIP
    - 4 in Availability Domain 2 - Secondary FGTB has a NIC in each of these:
      - Public - 10.0.10.0/24
      - Internal - 10.0.11.0/24
      - Heartbeat - 10.0.12.0/24
      - Management - 10.0.13.0/24 EIP
  - 3 OCI Routing Tables:
    - For Public, add a default route to the Internet Gateway
    - For Internal, add a default route to the Primary FGT's internal NIC
    - For all others, use a default route table with no rules, plus a local peering gateway so traffic can traverse subnets within the same VCN
Following is a sample configuration:
```
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.103.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11 <--- IP of other FortiGate for heartbeat and sync
end
```
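A pre-deployment sanity check for the configuration above, added here as an example and not part of the original page or of FortiOS: it parses the `config system ha` block and verifies that unicast heartbeat is on and that the peer IP sits in the heartbeat subnet of the other Availability Domain. It assumes FGTA lives in AD1 and FGTB in AD2 and that the block is the one applied on FGTB; `parse_fortios` and `check_ha` are hypothetical helper names.

```python
import ipaddress
import shlex

# Heartbeat subnets from the structure above; assumes FGTA is in AD1, FGTB in AD2.
HEARTBEAT = {"AD1": ipaddress.ip_network("10.0.2.0/24"),
             "AD2": ipaddress.ip_network("10.0.12.0/24")}
# Abridged copy of the page's sample configuration, '<---' annotation included.
SAMPLE_HA = """\
config system ha
    set mode a-p
    set hbdev "port3" 50
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.103.1
        next
    end
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11 <--- IP of other FortiGate for heartbeat and sync
end
"""

def parse_fortios(text):
    """Flatten a FortiOS block into {'scope/key': [values]}, dropping '<---' notes."""
    out, scope = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw.split("<---")[0])
        if not words:
            continue
        if words[0] in ("config", "edit"):      # open a nested scope
            scope.append(" ".join(words[1:]))
        elif words[0] in ("end", "next"):       # close it
            scope.pop()
        elif words[0] == "set":                 # key is scoped below 'system ha'
            out["/".join(scope[1:] + [words[1]])] = words[2:]
    return out

def check_ha(text, local_ad):
    """Findings for an A-P cross-AD HA block applied on the unit sitting in local_ad."""
    cfg, findings = parse_fortios(text), []
    if cfg.get("unicast-hb") != ["enable"]:
        findings.append("unicast-hb must be enabled for HA across OCI subnets")
    # A missing peer IP is reported as 0.0.0.0, which matches no heartbeat subnet.
    ip = ipaddress.ip_address(cfg.get("unicast-hb-peerip", ["0.0.0.0"])[0])
    peer_ad = next((ad for ad, net in HEARTBEAT.items() if ip in net), None)
    if peer_ad is None:
        findings.append(f"peer {ip} is not in any heartbeat subnet")
    elif peer_ad == local_ad:
        findings.append(f"peer {ip} is in {local_ad}'s own heartbeat subnet, not the other AD's")
    return findings
```

Run `check_ha(SAMPLE_HA, "AD2")` for the secondary's view; an empty list means the block passes, and running it with `"AD1"` shows how a peer IP pointing into the local AD is flagged.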
After HA has synchronized, shut down the primary to trigger a failover. The following example shows a successful failover. Note that the public IP moves from the primary to the secondary, and the route table for internal addresses is also moved.