Is there any detailed documentation on the HA capabilities of the Azure based NSVs?
I'm trialing NSv270s in Active Passive HA and other than very very brief deployment KB, I can find no detailed information about the HA technology / methodology / supported features etc. being used in Azure.
For example, a major issue I've hit is that Multiple WAN IPs do not move with the HA. I've about 30-40 public IPs I'd hoped to consolidate onto the WAN interface (that works fine) but upon failover only the 1st of them will failover to the now active device.
Also the Failover itself takes up to 5 mins, rather than instantly as on my physical devices. OK I can deal with this, now I know about it, but it is not documented anywhere.
Does anybody know if a feature list, or detailed technical documentation exists for Azure based HA?
I found below information related for the NSv HA using Azure.
How to deploy Sonicwall NSv HA using Azure LB;
FIVE MIN failover for active-passive for an nsv?
You gotta be kidding, we cannot live with that, so active-active for us then if that is the case.
Can someone from Sonicwall confirm?
Ajishlal, can you take a quick look at the thread I created on this topic and advise? I think for us the load balancing and active-active is the way to go, but I really need some ideas as to the downside of such a setup.
There are two different ways to implement HA on Azure, either Active/Passive, or Active/Active. Active/Passive closely resembles Active/Passive of a SonicWall appliance with the exception that the new primary has to signal to Azure that it is the primary to move the VIP (Virtual IP Addresses) – there are no MAC addresses in Azure. Likewise, the HA link needs to be terminated on L3 interfaces because of the lack of multicast support in Azure. Active/Passive HA supports both SPI state synchronization and config sync. As with other virtual firewall implementations of stateful high availability, failover may take several minutes. The solution to slow failover is to deploy the NSv instance in Active/Active. Likewise in the non-virtual world, Active/Active does not support Stateful Packet Inspection (SPI) state sync, although this may not be as important anymore in a world of Deep Packet Inspection (DPI). But unlike Active/Active on a SonicWall hardware appliance, config sync is also not supported. HA Active/Active is more an architecture than a feature, and has some similarities to the Firewall Sandwich (FSW). An outside load balancer, preferably the Microsoft Azure Load Balancer, is used to direct traffic on the WAN side to one or multiple Active/Active high availability pairs. On egress, the NSv marks flows by swapping the src-ip with dynamic NAT. Config sync can be achieved via inheritance on Global Management Server (GMS) or Capture Security Center (CSC).
For more info see the NSv on Azure start guide;
Appreciate the comment!
The on-prem firewalls we have in active-passive failover instantly it seems, is this different for the NSVs?
A few seconds or the odd ping is "OK" I guess, but anything measured with "up to minutes" is a 100% no go for us!
If that really is the case, then it will be the active-active for us. Would we be able to load balance both ends despite the dynamic nat on the appliances? So an LB on the front end for incoming traffic, and a LB on the back end to balance outgoing traffic over each appliance...?
Thank you :)
@T16 , A/P in Azure will failover around 3-5 minutes. This is mainly on the Azure side since we have to use API's to move the secondary interfaces between hosts. It does not work like hardware HA since Azure does not support multiple devices simultaneously having the same IP on the same subnet and failing over in milliseconds using gratuitous arp etc..
Is there already any better solution for HA? As i can see NSv is not available as Active/Active.
I think this is the Doc for Active/Active - as usual the Sonciwall Azure documentation is terrible.
okay, thats an Active Active construct, with manual sync of the configuration....
"Microsoft does not support L2 HA deployment and requires manually Sync by importing the .exp file every time from NSv_Azure_HA-01 to NSv_Azure_HA-02 or with the help of Cloud GMS."
I was hoping to get a better solution...
Does the available HA Deployment have the API request already included? If not, where and how it need to be configured?
If I recall correctly from a discussion with support, the API call is built into the Firmware of the NSv. It is not configurable.
But how i can check this, since my HA environment is not siwtiching the IP address.
@Manuel, are the two units deployed in the same resource group with the identity and permissions?
Please see https://www.sonicwall.com/techdocs/pdf/nsv-series-on-azure-6-5-4-getting-started-guide.pdf on page 16-20. It is on the older UI but the concepts are the same.
@MasterRoshi Yes i did everything like it is described in the manual, this is also part of the newest HA Deployment script. Hmm, what i did to test the failover, was the manual failover process inside the Firewall Cluster under HA Advanced settings, maybe this is not triggering the API?
Hi all, I hope you all are doing fine.
Would there be any update or progress regarding this?
We're also looking into the SonicWall HA A/A or A/P setup but the official information is still pretty high level.
Mainly interested in processing of multiple public IP's and the amount of downtime during a (un)planned failover.
Thanks a lot!