For incoming traffic to automatically fail over to the secondary HA firewall, you must configure an Azure load balancer. The load balancer has its own public IP address, which can be allocated either dynamically or statically. For each service that is made available through the CloudGen Firewall HA cluster, you must create a load balancer rule. At least one health probe must be configured so that the load balancer can determine which firewall is currently active. Failover times vary with the probing interval, because the load balancer takes several seconds to detect that the active firewall has failed. The load balancer only controls incoming connections from the Internet. For internal VMs to use the secondary firewall as their default gateway after a failover, you must also configure UDR routing; see How to Configure Azure Route Tables (UDR) using PowerShell and ARM or How to Configure Azure Route Tables (UDR) using Azure Portal and ARM.
Example Load Balancer Deployment Script
You can combine the PowerShell cmdlets to customize the deployment of the Azure Load Balancer. See below for an example script. This script assumes that you have already deployed your HA cluster and that you are logged in to your Azure account from PowerShell.
Before You Begin
- Look up the resource group and NIC name for the primary and secondary firewall.
- Install Azure PowerShell version 2.0.1 or higher.
Step 1. (optional) Create a Resource Group for the Load Balancer
Create a resource group for the load balancer, or add it to an existing resource group.
- Open Azure PowerShell.
- Create a resource group:
New-AzureRmResourceGroup -Name NETWORK_RESOURCE_GROUP_NAME -Location YOUR_LOCATION
Step 2. Create a Public IP Address for the Load Balancer
The public IP address that is associated with the load balancer can either be allocated dynamically, or configured to be static. You can also add a DNS label and reverse domain lookup.
- Open Azure PowerShell.
- Create a static Azure public IP address. The domain name label is optional.
$PublicLoadBalancerIP = New-AzureRmPublicIpAddress -ResourceGroupName RESOURCE_GROUP_NAME -Location LOCATION -Name PUBLIC_IP_NAME -DomainNameLabel DOMAIN_NAME -AllocationMethod Static
Step 3. Create the Load Balancer Configuration
Create the configuration for the load balancer backend and frontend.
- Open Azure PowerShell.
- Create the frontend and backend address pool configurations:
$LBfrontend = New-AzureRmLoadBalancerFrontendIpConfig -Name LB_FRONTEND_NAME -PublicIpAddress $PublicLoadBalancerIP
$LBbackend = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name LB_BACKEND_NAME
Step 4. Create the Load Balancer Rules
For each service, create a load balancer rule, and create a health probe for at least one service. When the probe fails, the VM is removed from the load balancer backend pool so that new connections are sent to the other firewall.
- Open Azure PowerShell.
- Create the health probes used to decide whether a service is healthy (the probe names are quoted because a bare # would start a PowerShell comment):
$LBprobe1 = New-AzureRmLoadBalancerProbeConfig -Name "LB-Probe" -Protocol Tcp -Port 691 -IntervalInSeconds 5 -ProbeCount 2
$LBprobe2 = New-AzureRmLoadBalancerProbeConfig -Name "SSLVPN-LB-Probe" -Protocol Tcp -Port 443 -IntervalInSeconds 5 -ProbeCount 2
- For each service, create a load balancer rule and, optionally, attach a load balancer probe:
$LBrule1 = New-AzureRmLoadBalancerRuleConfig -Name "TINA-TCP" -FrontendIpConfiguration $LBfrontend -BackendAddressPool $LBbackend -Protocol Tcp -FrontendPort 691 -BackendPort 691 -Probe $LBprobe1
$LBrule2 = New-AzureRmLoadBalancerRuleConfig -Name "SSL-VPN" -FrontendIpConfiguration $LBfrontend -BackendAddressPool $LBbackend -Protocol Tcp -FrontendPort 443 -BackendPort 443 -Probe $LBprobe2
Step 5. Create the Azure Load Balancer
Use the configuration and the rules from steps 3 and 4 to create the load balancer.
- Open Azure PowerShell.
- Create the load balancer with the frontend and backend configuration from step 3 and the comma-separated lists of load balancer rules and probes from step 4. Use the resource group created in step 1 (or the existing one you chose):
$LB = New-AzureRmLoadBalancer -ResourceGroupName RESOURCE_GROUP_NAME -Name LB_NAME -Location LOCATION -FrontendIpConfiguration $LBfrontend -LoadBalancingRule $LBrule1,$LBrule2 -BackendAddressPool $LBbackend -Probe $LBprobe1,$LBprobe2
Step 6. Add the NICs to the Load Balancer Backend Pool
- Open Azure PowerShell.
- Store both NICs you want to add in variables:
$nic1 = Get-AzureRmNetworkInterface -ResourceGroupName NGF_RESOURCE_GROUP -Name NIC1_NAME
$nic2 = Get-AzureRmNetworkInterface -ResourceGroupName NGF_RESOURCE_GROUP -Name NIC2_NAME
- Add the NICs to the backend pool and update the NIC configuration:
$nic1.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($LB.BackendAddressPools[0])
$nic2.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($LB.BackendAddressPools[0])
$nic1 | Set-AzureRmNetworkInterface
$nic2 | Set-AzureRmNetworkInterface
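As an added check (not part of the Barracuda documentation), the function below inspects a load balancer object after step 6 and reports the conditions that silently break HA failover: a rule without a health probe, a probe whose interval and count give a long detection time, a probe on a different port than the service, and a backend pool that does not contain both firewall NICs. It assumes the AzureRM object model used above ($LB.Probes, $LB.LoadBalancingRules, $LB.BackendAddressPools); the 15 s threshold and the constructed sample object are assumptions for illustration.

```powershell
# Added example, not from the Barracuda documentation: sanity-check the load balancer
# before relying on it for HA failover. Assumes the AzureRM object model used above
# ($LB.Probes, $LB.LoadBalancingRules, $LB.BackendAddressPools); 15 s is an assumed limit.
function Test-HaLoadBalancer {
    param(
        [Parameter(Mandatory)] $LoadBalancer,  # PSLoadBalancer from New-/Get-AzureRmLoadBalancer
        [int] $ExpectedBackendCount = 2,       # primary + secondary firewall NIC
        [int] $MaxDetectSeconds = 15           # assumed acceptable failover detection time
    )
    $findings = @()
    $probesById = @{}
    foreach ($p in $LoadBalancer.Probes) { $probesById[$p.Id] = $p }
    foreach ($rule in $LoadBalancer.LoadBalancingRules) {
        if (-not $rule.Probe -or -not $probesById.ContainsKey($rule.Probe.Id)) {
            # Without a probe the LB cannot tell which firewall is active and keeps
            # sending new connections to the node that just went down.
            $findings += "Rule '$($rule.Name)': no health probe attached"
            continue
        }
        $probe = $probesById[$rule.Probe.Id]
        # Approximate worst case until the LB marks the old active node down:
        # NumberOfProbes consecutive failures, one every IntervalInSeconds.
        $detect = $probe.IntervalInSeconds * $probe.NumberOfProbes
        if ($detect -gt $MaxDetectSeconds) {
            $findings += "Rule '$($rule.Name)': probe '$($probe.Name)' needs up to ${detect}s to detect a failover"
        }
        if ($probe.Port -ne $rule.BackendPort) {
            # A probe on another port can report a node healthy while the service port is down.
            $findings += "Rule '$($rule.Name)': probe port $($probe.Port) differs from backend port $($rule.BackendPort)"
        }
    }
    $members = @($LoadBalancer.BackendAddressPools | ForEach-Object { $_.BackendIpConfigurations })
    if ($members.Count -ne $ExpectedBackendCount) {
        $findings += "Backend pool holds $($members.Count) NIC(s), expected $ExpectedBackendCount"
    }
    return $findings
}

# Constructed stand-in for a PSLoadBalancer so the check can be tried offline.
$sampleLb = [PSCustomObject]@{
    Probes = @([PSCustomObject]@{ Id = '/probes/LB-Probe'; Name = 'LB-Probe'; Port = 691; IntervalInSeconds = 5; NumberOfProbes = 2 })
    LoadBalancingRules = @(
        [PSCustomObject]@{ Name = 'TINA-TCP'; BackendPort = 691; Probe = [PSCustomObject]@{ Id = '/probes/LB-Probe' } }
        [PSCustomObject]@{ Name = 'SSL-VPN';  BackendPort = 443; Probe = $null }   # probe left out
    )
    BackendAddressPools = @([PSCustomObject]@{ BackendIpConfigurations = @([PSCustomObject]@{ Id = '/nic1/ipconfig1' }) })
}
Test-HaLoadBalancer -LoadBalancer $sampleLb
```

Against the sample object the check reports the SSL-VPN rule without a probe and a backend pool with only one NIC; against a real deployment, pass the $LB object from step 5 (or the result of Get-AzureRmLoadBalancer) instead.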