Best HA option for Azure?
We will probably be deploying some NSv appliances shortly, and I would like to run them in fully active-active mode, unless it is better to configure them a different way?
We are connecting into an ExpressRoute circuit, and require firewalling between that and our VNets on our side of the circuit.
I see there is this:
Which looks to me like two separate appliances with load balancers, each not aware of the other, so you would need to sync config changes between them manually?
I guess the other option is active-passive, with some small break in connectivity when maintenance needs to be done on one or the other.
Confusingly, I also see this link where it talks of setting up an L3 zone and virtual IPs; can the same not be done for L2, using virtual IPs for Active-Active also?
Perhaps for us to have 100% reliability, we need to have both firewalls running with load balancers? We would rather not have the few seconds downtime as the firewalls switch between passive and active.
Any comments/ideas welcome: what do others do for borderline mission-critical appliance firewalling in Azure and/or AWS?
Thanks!
Answers
Hi @T16
There are two different ways to implement HA on Azure, either Active/Passive or Active/Active. Active/Passive closely resembles Active/Passive of a SonicWall appliance, with the exception that the new primary has to signal to Azure that it is the primary in order to move the VIP (Virtual IP Addresses); there are no MAC addresses in Azure. Likewise, the HA link needs to be terminated on L3 interfaces because of the lack of multicast support in Azure. Active/Passive HA supports both SPI state synchronization and config sync. As with other virtual firewall implementations of stateful high availability, failover may take several minutes.
The solution to slow failover is to deploy the NSv instances in Active/Active. As in the non-virtual world, Active/Active does not support Stateful Packet Inspection (SPI) state sync, although this may not be as important anymore in a world of Deep Packet Inspection (DPI). But unlike Active/Active on a SonicWall hardware appliance, config sync is also not supported. HA Active/Active is more an architecture than a feature, and has some similarities to the Firewall Sandwich (FSW). An outside load balancer, preferably the Microsoft Azure Load Balancer, is used to direct traffic on the WAN side to one or multiple Active/Active high availability pairs. On egress, the NSv marks flows by swapping the src-ip with dynamic NAT. Config sync can be achieved via inheritance on Global Management Server (GMS) or Capture Security Center (CSC).
For more info see the NSv on Azure start guide:
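The "load balancer in front of an Active/Active pair" architecture in the answer above, written out as an added Bicep example. This is not code from SonicWall's start guide or from the answerer; it covers only the trusted (VNet) side of the sandwich, and every name, address, prefix and the probe port are assumptions made for illustration. It shows the three pieces a practitioner actually has to get right: a Standard internal load balancer with a single HA-ports rule and a health probe so a dead member leaves rotation in seconds rather than after an HA failover; source-IP-plus-protocol session persistence, because Active/Active members share no SPI state and a flow must not wander between them; and a route table that forces workload subnets through the load balancer with BGP route propagation disabled, so the routes the ExpressRoute gateway learns from on-premises cannot silently bypass the firewalls.

```bicep
// Added example, not part of the vendor guide or the answer above.
// Trusted-side half of a firewall sandwich: one Standard ILB in front of an
// Active/Active NSv pair, plus a route table steering workload traffic through it.
// All names, addresses and the probe port are assumptions for illustration.

param location string = resourceGroup().location
param vnetName string = 'hub-vnet'                       // assumed hub VNet
param trustedSubnetName string = 'fw-trusted'            // assumed subnet holding the NSv LAN-side NICs
param frontendIp string = '10.0.1.4'                     // assumed static ILB frontend in that subnet
param nsvTrustedIps array = ['10.0.1.10', '10.0.1.11']   // assumed NSv trusted-side addresses
param onPremPrefix string = '192.168.0.0/16'             // assumed on-prem range reached over ExpressRoute
param probePort int = 443                                // assumed TCP port the NSv answers on its trusted NIC

var lbName = 'nsv-trusted-ilb'
var vnetId = resourceId('Microsoft.Network/virtualNetworks', vnetName)
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, trustedSubnetName)

resource ilb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }   // HA ports require the Standard SKU
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe'
        properties: {
          privateIPAddress: frontendIp
          privateIPAllocationMethod: 'Static'
          subnet: { id: subnetId }
        }
      }
    ]
    // IP-based backend pool: a third Active/Active member is one more entry
    // in nsvTrustedIps, not a new design.
    backendAddressPools: [
      {
        name: 'nsv-pool'
        properties: {
          loadBalancerBackendAddresses: [for (ip, i) in nsvTrustedIps: {
            name: 'nsv${i + 1}'
            properties: {
              ipAddress: ip
              virtualNetwork: { id: vnetId }
            }
          }]
        }
      }
    ]
    // Probe each firewall; a member that stops answering is removed from
    // rotation after two missed probes (about 10 s) instead of minutes.
    probes: [
      {
        name: 'nsv-alive'
        properties: {
          protocol: 'Tcp'
          port: probePort
          intervalInSeconds: 5
          numberOfProbes: 2
        }
      }
    ]
    // One HA-ports rule (protocol All, ports 0/0) forwards every flow.
    loadBalancingRules: [
      {
        name: 'ha-ports'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'nsv-pool')
          }
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'nsv-alive')
          }
          protocol: 'All'
          frontendPort: 0
          backendPort: 0
          enableFloatingIP: false   // assumption: the NSv does not own the frontend address; the vendor guide is the authority here
          // Pin a given source IP + protocol to one member: with no SPI state
          // sync between Active/Active units, a flow must stay on one firewall.
          loadDistribution: 'SourceIPProtocol'
          idleTimeoutInMinutes: 15
        }
      }
    ]
  }
}

// Workload subnets send on-prem-bound traffic to the ILB frontend, never
// straight to the ExpressRoute gateway. BGP propagation is disabled so routes
// the gateway learns from on-prem cannot bypass the firewalls.
resource workloadRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'workload-via-nsv'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'onprem-via-nsv'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: frontendIp
        }
      }
    ]
  }
}
```

Associate `workload-via-nsv` with each workload subnet (not with the GatewaySubnet or the firewall subnets themselves). The mirror image is needed on the untrusted side for traffic arriving from ExpressRoute: a second load balancer in front of the NSv WAN-side NICs and a route table on the GatewaySubnet pointing the VNet prefixes at its frontend. Because the two firewalls share no session state, return traffic has to land on the firewall that saw the original packet; that is exactly why the answer has each NSv NAT its egress source address, and why the rule above pins flows by source IP and protocol rather than spraying them round-robin. Probe the firewall's own data-plane interface, not a management port on a different NIC, or the probe will keep a member in rotation whose data path is down.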