It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Login Sign Up Contact & Support

United States – English (GMT-5)

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Barracuda CloudGen Firewall

Overview Documentation Training Certification Materials

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Login Sign Up Contact & Support

United States – English (GMT-5)

High Availability in Azure

Last updated on 2024-06-17 10:00:23

Deploying a Barracuda CloudGen Firewall HA cluster in the Microsoft Azure Public Cloud requires a custom deployment and configuration to integrate the CloudGen Firewall with the Azure networking stack. Barracuda Firewall Control Centers in Azure do not support high availability configurations. For backend servers to be able to send traffic through the currently active unit, there are two high availability methods available for Azure:

Cloud Integration – With this method, the Firewall can directly manipulate the Azure routing table so that routing entries always point to the active unit of the HA cluster. Due to the limitation of Azure networking, all active sessions will time out whenever a failover occurs.

or

Standard Load Balancer – With this method, a new type of load balancer is used in Azure to be the destination for the route tables. The load balancer will monitor for the active firewall and direct traffic on all ports to the active unit.

Within Azure, IP addresses are fixed and non-transferable between VMs. Therefore, IP traffic must be redirected by either rewriting the UDR routes in Azure or by using a standard load balancer.

Azure Route Tables and Standard Load Balancers

The Azure Load Balancer polls a service that is reachable through the Forwarding Firewall service on the active firewall. The fastest failover method available within Azure is to use the new Standard Load Balancer product from Microsoft. The Standard Load Balancer actively probes the firewalls to determine which one is active; subnet route tables will point to an internal load balancer's IP. When the firewall service fails over to the other unit, the load balancer will follow with a latency of a couple of seconds, and change the active IP to the forwarding unit. Using the new rule type HA ports for health probes, the load balancer will actively redirect all traffic to the IP of the active firewall. This method is stateful and fails over as quickly as the load balancer probes can indicate failure. Note that Barracuda Session Sync is not supported with standard load balancers.

For more information, see: How to Configure a High Availability Cluster in Azure with the Standard Load Balancer.

You cannot directly migrate between a Cloud Integration design and a Standard Load Balancer design because the load balancers and any public IPs used need to be built using a new Standard type. It is not possible to combine the old IPs, which are considered Basic, with any Standard components.

Standard load balancer designs require a Network Security Group (NSG) to be present in order to pass any traffic. The NSG can permit Any inbound and Any outbound to allow the firewall to filter instead.

Choosing a Failover Method

Cloud Integration	Standard Load Balancers
No additional costs	Charges per rule and traffic volume
Slow failover as API calls	Fast failover as LB monitors
Non-stateful due to routes being rewritten	Stateful failover
Poor for multi-VNET designs	Best for multi-VNET designs

Azure Route Table Rewriting with Azure Cloud Integration

User-defined routing is limited to one VM as the gateway device when creating a route. When you are using a high availability cluster as the gateway, the VM that is used changes when the service fails over. Both firewalls are configured to access the Azure fabric and reconfigure the routing table when a failover occurs. For the firewall to rewrite the routes, you must configure Azure cloud integration.

For more information, see How to Deploy a High Availability Cluster with Cloud Integration from the Microsoft Azure Marketplace and How to Configure Azure Cloud Integration Using ARM.

Deploy a High Availability Cluster

Create a high availability cluster by deploying two CloudGen Firewall VMs in the same subnet and availability zone. Incoming traffic is then forwarded to the active firewall by an Azure Load Balancer. User-defined routing and the rewriting of the routes by the active firewall ensure that the backend VMs always use the active firewall as the gateway device.

For more information, see How to Configure a High Availability Cluster in Azure using PowerShell and ARM.

Example Video

Watch the following video to see a high availability firewall cluster using SD-WAN for a hybrid cloud setup:

Videolink:

https://campus.barracuda.com/