Barracuda CloudGen Firewall

Active-Active Performance Setup with Load Balancing and VPN Termination


The following example explains an Azure active-active deployment with load balancing and VPN termination. The CloudGen Firewall configuration in Microsoft Azure supports repositories, configuration templates, and the distributed firewall. For more information, see Repositories, Distributed Firewall, and How to Work with Configuration Templates on Different Levels in the Configuration Tree.

az_vmss_vpn.png

Before You Begin

Before proceeding with deploying the Barracuda CloudGen Firewall HA template, make sure that your network infrastructure meets the service requirements listed in CloudGen Firewall Active-Active Performance in Microsoft Azure.

If these resources do not exist yet, do the following:

  • Create a resource group
  • Create a storage account
  • Create VNET and subnet
  • Get a CGF image

For more information, see How to Create a Resource Network in Azure.

Step 1. Deploy a Barracuda Virtual Machine Scale Set

  1. Log into your Azure Portal.
  2. Go to the resource group created in the prerequisites. (See the Before You Begin section for more information.)
  3. Click + to create a new resource.
  4. Search for VMSS in the Marketplace.
  5. Choose Virtual machine scale set.
    vmss.png
  6. Click Create.
  7. On the next page, configure the following settings:
    • Virtual machine scale set name – Enter a name.
    • Region – Select your region.
    • Availability zone – Select your preferred availability zone.
      vmss_vpn_basics.png
    • Image – Select image cgf/cgf-byol/latest.
    • VM Architecture – Select x64.
    • Size – Select the VM size.
    • Username – Enter a username.
    • Password – Enter a password.
  8. On the next page, configure Spot settings according to your requirements.
    vmss_spot.png
  9. On the next page, set up Disks according to your requirements.
    vmss_disk.png
  10. On the next page, configure the following settings:
    • Virtual network – Select the virtual network created in the "Before You Begin" section.
    • Edit NIC – Select the subnet you want to deploy the scale set to.
    • Load balancing options – Select None. The load balancer will be added later.
      vmss_vpn_net.png
  11. On the next page, choose your scaling settings:
    • Initial Instance count – Enter 2
    • Scaling Policy – Select Manual.
      vmss_scale.png
  12. On the next page, choose the storage account or create a new one.
    vmss_store.png
  13. Click Next to continue on the Health page.
  14. Click Next to continue on the Advanced page.
    • Optional: Add a user data script that retrieves the PAR file configuration in case the instance is relaunched.
  15. Click Next to continue on the Tags page.
  16. Verify the settings on the Review and Create page.
  17. Click Create to create the scale set.

Step 2. Virtual Machine Scale Set – Post-Deployment Steps

Go to the resource group the scale set has been deployed to.

  1. Select the Network Security Group created along with VMSS.
    • Configure inbound security rules – Allow ports 443, 807, 801, 22, and 691.
    • Configure outbound security rules according to your specification.
  2. Go back to the resource group.
  3. For each VMSS instance, select the corresponding network interface.
  4. In IP configuration, make sure that Enable IP forwarding is selected. 

Step 3. Create a Load Balancer

  1. From the resource group, click + to create a new resource.
  2. Type in Load Balancer and select the resource from the list. The Load Balancer page opens.
    vmss_lb.png
  3. Click Create to create a new load balancer.
  4. On the next page, choose your settings:
    • SKU – Select the desired SKU (default: Standard).
    • Type – Select Public.
    • Tier – Select Regional.
      lb_public.png
  5. On the next page, configure your frontend IP settings:
  6. Click Add a frontend IP.
  7. The Add Frontend IP window opens. Configure the following settings:
    • Name – Enter a descriptive name.
    • Virtual Network – Select the virtual network where the VMSS resides.
    • Subnet – Select the subnet where the VMSS resides.
    • Assignment – Select Static.
    • IP Address – Select Public IP.
    • Availability Zone – Select Zone-redundant.
      vmss_vpn_lb.png
  8. Click Save.
  9. Proceed with the Backend pool:
    1. Provide a Name.
    2. Click + to add a backend pool.
    3. Select the related NICs from VM scale set.
    4. Click Add and Save.
      vmss_vpn_bp.png
  10. Click Next to continue with Inbound rules:
  11. Click + Add a load balancing rule, and specify the following settings:
    • Name – Enter a name.
    • IP Version – Select IPv4.
    • Frontend IP address – Select the IP address.
    • Backend Pool – Select the backend pool.
    • Protocol – Select TCP.
    • Backend Port – Enter 80
    • Port – Enter 80
    • Health Probe – Create a new entry.
      • Name – Enter a name.
      • Protocol – TCP
      • Port – Enter 65000
      • Interval seconds – Enter 5
    • Idle timeout – Select 4 (default)
    • Enable TCP Reset – Leave unchecked.
    • Floating IP – Leave unchecked.
      lbconf_public.png
  12. Click Save.
  13. Click Next to proceed to Outbound rules.
  14. Click Next to proceed to Tags.
  15. On the Review and create page, verify your settings.
  16. Click Create.
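The portal steps in Step 2 (NSG rules, IP forwarding) and Step 3 (health probe and load-balancing rule) can also be scripted with the Azure CLI. This script is an added example, not part of the Barracuda documentation; the resource names are assumptions, and by default it only prints the az commands (DRY_RUN=1) so the values can be reviewed before anything is changed.

```bash
#!/usr/bin/env bash
# Added example (not from the Barracuda page): Azure CLI equivalent of the
# portal steps in Step 2 and Step 3. Resource names below are assumptions.
# DRY_RUN=1 (default) prints the az commands instead of running them.
set -euo pipefail

RG="${RG:-cgf-rg}"            # assumed resource group name
VMSS="${VMSS:-cgf-vmss}"      # assumed scale set name
NSG="${NSG:-cgf-vmss-nsg}"    # NSG created along with the VMSS (Step 2)
LB="${LB:-cgf-lb}"            # assumed load balancer name (Step 3)
FE="${FE:-cgf-fe}"            # assumed frontend IP configuration name
BP="${BP:-cgf-bp}"            # assumed backend pool name
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 2.1: inbound management and VPN ports the page requires on the NSG.
# Source defaults to any; narrow --source-address-prefixes to your
# management networks where the deployment allows it.
nsg_inbound_rule() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowCgfMgmtVpn --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --destination-port-ranges 22 443 691 801 807
}

# Step 2.4: enable IP forwarding in the scale set NIC profile, then roll the
# change out to the existing instances (new instances inherit it).
vmss_enable_ip_forwarding() {
  run az vmss update --resource-group "$RG" --name "$VMSS" \
    --set 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].enableIpForwarding=true'
  run az vmss update-instances --resource-group "$RG" --name "$VMSS" --instance-ids '*'
}

# Step 3.11: TCP health probe on port 65000 every 5 seconds; the App Redirect
# rule from Step 5 answers it from 127.0.0.1:450 on each firewall.
lb_health_probe() {
  run az network lb probe create --resource-group "$RG" --lb-name "$LB" \
    --name cgf-probe --protocol tcp --port 65000 --interval 5
}

# Step 3.11: load-balancing rule 80 -> 80, idle timeout 4 minutes,
# TCP reset and floating IP left disabled as on the page.
lb_rule_http() {
  run az network lb rule create --resource-group "$RG" --lb-name "$LB" \
    --name cgf-http --protocol Tcp --frontend-port 80 --backend-port 80 \
    --frontend-ip-name "$FE" --backend-pool-name "$BP" --probe-name cgf-probe \
    --idle-timeout 4 --floating-ip false --enable-tcp-reset false
}

if [ "${1:-}" = apply ]; then
  nsg_inbound_rule; vmss_enable_ip_forwarding; lb_health_probe; lb_rule_http
fi
```

Run with `DRY_RUN=0 ./script.sh apply` after logging in with `az login` and setting the variables to your real resource names.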

Step 4. Add the Firewall Instances to the Control Center

Add the CloudGen Firewall instances created with the Firewall VM scale set to the Control Center. For more information on managed firewalls, please refer to How to Import an Existing CloudGen Firewall into a Control Center.

Create a cluster- or range-level repository for the linked configuration management. For more information, see Repositories.

Licenses that are already installed on PAYG firewall instances are pushed to the Control Center before retrieving the PAR file. Firewalls using the BYOL images use the licenses configured on the Control Center.

Step 5. Set Up Rules and Repositories, and Link Them to Your Firewall Scale Set

Verify that the predefined cloud access rules are enabled and use a dynamic object or a loopback address.

  1. On the Control Center, go to Configuration Tree > your Range > your Cluster > your Box > Assigned Services > Firewall.
  2. Right-click Forwarding Rules and select Copy to Cluster repository.
  3. Provide a Name and copy the node.
  4. Open the created repository.
  5. Click Lock.
  6. Add an App Redirect rule for the load balancer health check:
    • Source – Select Any.
    • Services – Add 65000 TCP
    • Destination – Select DHCP1 Local IP.
    • Redirection – Enter 127.0.0.1:450
      lb_redir.png
  7. Add a Dst NAT rule to access the back-end server:
    • Source – Select Any.
    • Services – Add the ports for required services.
    • Destination – Select DHCP1 Local IP.
    • Redirection – Enter the IP address of your back-end server.
    • Connection Method – Select Dynamic NAT.
      dyn_nat.png
  8. Click OK.
  9. Click Send Changes.
  10. Close the repository window.
  11. Right-click on the firewall repository and select Multiple Object Action.
  12. Select all firewall instances for the corresponding scale set.
    link_objects.png
  13. Select Link To repository > Go.
  14. Click OK.
  15. Click Activate.

Step 6. Set Up a VPN Key for the Active-Active Site-to-Site Tunnel

For reference and more detailed information, please refer to the Site 2 Site VPN documentation.

For each box in the active-active setup, perform the following steps:

On the Control Center:

  1. Go to Configuration > Configuration Tree > your Range > your Cluster > your Box > Assigned Services > VPN Service > VPN Settings.
  2. In the left menu, select Service Keys.
  3. On the first instance, create a new service key and copy the private key to clipboard.
  4. On following instances, paste the private key copied in the previous step.
    s2s_settings.png
  5. On the last instance, copy the public key to clipboard.

Repeat the steps above to create a new dedicated key for the on-premises instance.

Step 7. Create a Site-to-Site VPN Tunnel

For the on-premises instance, perform the following steps:

On the Control Center:

  1. Go to Configuration > Configuration Tree > your Range > your Cluster > your Box > Assigned Services > VPN Service > Site to Site.
  2. Create a new TINA Tunnel:
  3. Configure Local Networks.
  4. Configure Remote Networks.
  5. Configure Transport settings:
    • Basic – Set to Active.
    • Peers – Add remote public IP addresses for each instance in the active-active setup.
    • Identity – Paste the remote public key from Step 6.
  6. Set the remaining parameters according to your requirements.

    For multiple transports, change the order of the remote public IP for each instance to ensure efficient distribution and failover.

    vpn_peers.png

  7. Select the box Packet balancing inside provider class to distribute the session.
    packet_vpn.png
  8. On the Center, go to Configuration > Configuration Tree > your Range > your Cluster > your Box > Assigned Services > VPN Service > VPN Settings.
  9. In the left menu, select Service Keys.
  10. Copy the Public Key from the Service Key section to clipboard.

For each firewall in the scale set, perform the following steps:

On the Control Center:

  1. Go to Configuration > Configuration Tree > your Range > your Cluster > your Box > Assigned Services > VPN Service > Site to Site.
  2. Create a new TINA Tunnel:
  3. Configure Local Networks.
  4. Configure Remote Networks.
  5. Configure Transport settings:
    • Basic – Set to Passive.
    • Peers – Add remote network 0.0.0.0/0
    • Identity – Paste the remote public key from Step 6.
  6. Set the remaining parameters according to your requirements.

  7. Select the box Packet balancing inside provider class to distribute the session.

Step 8. Verify the Setup

Your Barracuda CloudGen Firewall instances should have at least one transport connected to one instance. Some transports might appear offline since the secondary instance serves as fallback. We recommend that you test the fallback behavior.

Next Steps

You can now configure your routing rules on the CloudGen Firewalls according to your individual requirements.