Appendix C: Setting up an HA Cluster IP based on Azure Load Balancer
You can also use Azure Load Balancer to set up an HA Cluster IP. With the Public Load Balancer, there is a public IP which will be our Cluster IP. The Cluster IP will always point to the Primary unit.
The Load Balancer we build for FortiSandbox Cluster will use port 514 to do the health check for all the units in the backend pool. Normally a rule is used to define how incoming traffic is distributed to all the instances within the backend pool. Since only Primary is listening port 514 in Cluster which will be the only instance that can pass the health check, then the given frontend IP will always point to Primary.
To set up the load balancer:
- In the Azure portal of the Primary FortiSandbox, click menu Load Balancing.
- Click Add load balancing to add a new Load Balancer, then select Create new > Load balancer.
- Enter the following parameters:
Load balancer name
The Load balancer name, such as
fsa-lb
.Type
Select Public for this case. this will be the cluster IP.
Protocol
Select TCP .
Load balancer rule
The Load balancer rule here is used to build the first rule. You can use any port to suit your needs. In this case, we will use:
- Port: 443
- Backend Port: 443
Port 443 is for HTTPs.
- After the Load balancer builds successfully, click the load balancer name and check all the parameters.
-
In the Overview of the load balancer, Azure will automatically generate Backend pool, Load balancing rule, and Health probe with the prefix of the load balancer name such as
fsa-lb-xxxx
. You will need to check each setting one-by-one to ensure they match your requirements. - Click the menu Fronted IP configuration in the portal. One IP configuration should be listed with the public IP.
- Click the menu Backend pool. Add the interface of the secondary port1. If you need to change the unit type of a cluster node from Worker to Secondary, we recommend adding all the interfaces of cluster nodes in the pool.
-
Click the Load balancing rule. There should be a rule generated by Azure. Click the rule and make sure both Port and Backend port is 443.
If you want to use SSH to log in for some CLI operations, create one more rule for SSH by clicking Add. For the new rule, set Port as 22 and Backend port as 22.
If there are other ports that need to be accessed, you can add rules for them as well. Such as for a FortiGate connection, create rule for port 514.
- Click the Health probe. Verify the Protocol is TCP and the Port is 514 which will be used to do the health check.
- Log in with the public IP of the Load Balancer. It will point to the Primary unit even after failover has occurred.