AliCloud Administration Guide

HA for FortiGate-VM on AliCloud

There are two ways to configure active-passive HA for FortiGate-VM on AliCloud.

The first deployment scenario, described in Deploying and configuring FortiGate-VM on AliCloud using HAVIP, depends on the HAVIP (high-availability virtual IP) function that AliCloud provides. In this scenario, both the internal and the external interface must be located on port1. The primary and secondary FortiGates share the same IP address (the HAVIP), so failover may be quicker than in the second scenario: there are no EIPs to move and no route tables to update. This scenario natively supports session pickup.

The second deployment scenario, described in Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs, achieves HA by moving the EIP and updating the VPC route table on failover. In this scenario, the internal and external interfaces can be on different ports. Optionally, you can also use HAVIP for external traffic on port1 and internal traffic on port2 for increased efficiency and flexibility. This scenario supports session pickup, but in a more limited way than the first scenario does.

Consider the following when deciding which HA scenario to deploy:

  • If you need session pickup and cannot disable NAT on incoming firewall policies, you must use the first scenario.
  • If you need session pickup and can disable NAT on incoming firewall policies, you can use the second scenario with HAVIP on port1 and attach an EIP to the HAVIP. This variant does not require EIP moving, but it does require route table updates for internal traffic. It provides the best balance between flexibility and efficiency.
  • If you cannot use port1 for external traffic, you must use the second scenario with both EIP moving and route table updating. This may increase failover time.
