Barracuda CloudGen Firewall

How to Configure a Multi-AZ High Availability Cluster in AWS Using the AWS Console

  • Last updated on

To ensure that at least one firewall is always active, deploy two firewalls into an active-passive high availability cluster. Each firewall is deployed into a different Availability Zone. The active firewall is used as the default gateway in the route table associated with the private networks. When the firewall service fails over from the primary to the secondary firewall, the AWS route table is rewritten to use the now-active secondary firewall as the default gateway.

The most effective high availability method for AWS that supports TCP, UDP, and ICMP traffic is to shift the Elastic IPs between the active and passive members of the cluster.

Although network load balancers or Route 53 can be used to deliver specific traffic to the active firewall, this may take longer in case of a failover.

Before You Begin

Step 1. Select the AWS Datacenter

  1. Log into the AWS console.
  2. In the upper right, click on the datacenter location, and select the datacenter you want to deploy to from the list.
    aws_deploy_00.png

The selected datacenter location is now displayed in the AWS console.

Step 2. Create an Elastic IP for the Two Firewalls to Share

When enabling the Auto-assign Public IP Address feature for the network, the firewall that does not have the Elastic IP address assigned will be given a dynamic IP from AWS. For this reason, you need to create only one elastic IP to be shared. 

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Elastic IPs.
  4. Click Allocate New Address.
    aws_deploy_01.png
  5. Click Yes, Allocate.

The unassigned elastic IP is now added to the list. Copy the Allocation ID for future use.

Step 3. Create a VPC with the VPC Wizard

Use the VPC wizard to create a VPC with two subnets. Each subnet must be created in a different availability zone. Additional subnets for the backend instances are added after the wizard.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. Click Start VPC Wizard. The VPC wizard opens.
    aws_deploy_03.png
  4. Select VPC with Public and Private Subnets and click Select.
    aws_deploy_04.png
  5. Configure the following settings:
    • IP CIDR block – Enter a /16 CIDR block that does not overlap with any of your other networks.
    • VPC Name – Enter the name. 
    • Public subnet – Enter the /24 subnet used for the primary firewall.
    • Public subnet name – Enter a name for the primary firewall subnet.
    • Availability Zone – Select an availability zone.
    • Private subnet – Enter the /24 subnet used for the secondary firewall.
    • Private subnet name – Enter a name for the secondary firewall subnet.
    • Availability Zone – Select a different Availability Zone for the second subnet, because the primary and secondary firewalls must be in different Availability Zones. E.g., select eu-west-1b if you selected eu-west-1a as the public subnet Availability Zone.
    • Elastic IP Allocation ID – Enter the Allocation ID for the elastic IP address created in Step 2.
    aws_deploy_05.png
    • Enable DNS hostnames (optional) – Set to NO to use only IP addresses to access your VPC.
  6. Click Create VPC.
    aws_deploy_06.png

The VPC is now listed in the Your VPCs list.

awsha_vpc_01.png

Step 4. Add a Subnet to the VPC

Add a private subnet for instances that use the firewall.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. Click Subnets in the left menu.
  4. Click Create Subnet.
  5. Create a subnet:
    • Name tag – Enter a name for the subnet.
    • VPC – Select the VPC created in Step 3.
    • Availability Zone – Select an availability zone from the list.
    • CIDR block – Enter a free subnet in the scope of the network defined for the VPC.
    aws_ha_add_subnet01.png
  6. Click Yes, Create.

You now have three subnets in the VPC:

aws_ha_add_subnet02.png

Step 5. Delete the NAT Gateway Instance

The VPC wizard automatically creates a NAT gateway instance. Because the firewall already provides NAT, this NAT gateway instance must be deleted.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the Virtual Private Cloud section of the left menu, click on NAT Gateways.
  4. (optional) Enter the VPC ID in the search bar.
  5. Select the NAT gateway created for your VPC and click Delete NAT Gateway. The Delete NAT Gateway window opens.
    aws_deploy_08.png
  6. Click Delete NAT Gateway.
    aws_deploy_09.png

The elastic IP address associated with the NAT gateway is released automatically and is now free to use for one of the firewall instances.

Step 6. Deploy the Primary Firewall

The primary firewall is deployed into the first firewall subnet of the VPC. Two image types are available in the AWS Marketplace: BYOL and hourly.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. Click Launch Instance in the Create Instance section. The launch instance wizard starts.
    aws_deploy_10.png
  4. In the left menu, click AWS Marketplace.
  5. Enter Barracuda NextGen in the search box.
  6. Select the image type you want to deploy: BYOL or hourly.
    awsha_primary_fw01.png
  7. Select the Instance Type. If you are deploying a BYOL image, verify that the number of CPU cores of the instance matches your license.
    awsha_primary_fw02.png
  8. Click Next: Configure Instance Details.
  9. Configure the Instance Details:
    • Number of instances – Enter 1.
    • Network – Select the VPC created in Step 3.
    • Subnet – Select the subnet for the primary firewall.
    • Auto-assign Public IP – Select Disable.
    • IAM role – Select the IAM role created for the firewall instance. Verify that all required IAM policies for the route-shifting high availability cluster are attached.
    aws_ha_primary_fw03.png
  10. In Network Interfaces, enter the Primary IP address. The IP address must be in the subnet selected above.
    awsha_primary_fw04.png
  11. Click Next: Add Storage.
  12. Click Next: Tag Instance.
  13. Click Next: Configure Security Group.
  14. (optional) Enter a Security group name.
  15. (optional) Remove the preconfigured rules in the security group.
  16. Click Add Rule and open up the security group for all traffic. 
    • Type – Select All Traffic
    • Source – Select Anywhere.
    awsha_primary_fw05.png
  17. Click Review and Launch.
  18. Click Launch. The Select an existing key pair or create a new key pair pop-over window opens.
  19. From the drop-down list, select your desired option. The certificate is valid only for root SSH logins. For Barracuda Firewall Admin, the Instance ID is the default password.
  20. Select the check box to verify that you have access to the selected key, or, to download a new key pair, click Download Key Pair.
  21. Click Launch Instances. The Launch Status page opens.
    aws_deploy_15.png

Locate and copy the Instance ID. It is the default password used to log into the primary firewall via Barracuda Firewall Admin.

awsha_primary_fw06.png

Step 7. Deploy the Secondary Firewall

The secondary firewall instance is deployed into the secondary firewall subnet of the VPC. The configuration of the primary firewall is used as a starting point.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. Right-click on the primary firewall instance created in Step 6 and click Launch More Like This.
    awsha_secondary_fw01.png
  4. On the top menu bar, click 3. Configure Instance.
    awsha_secondary_fw02.png
  5. Change the subnet in the Instance Details section:
    • Subnet – Select the subnet for the secondary firewall.
    awsha_secondary_fw03.png
  6. Enter the Primary IP address in the Network Interfaces section. The IP address must be in the subnet selected above.
    awsha_secondary_fw04.png
  7. Click Review and Launch.
  8. Click Launch. The Select an existing key pair or create a new key pair window opens.
  9. Select Choose an existing key pair from the drop-down list.
  10. Select the key pair used for the first firewall.
  11. Click Launch Instances. The Launch Status page opens.
    awsha_secondary_fw05.png

Locate and copy the Instance ID. It is the default password used to log into the secondary firewall via Barracuda Firewall Admin.

awsha_secondary_fw06.png

Step 8. Disable the Source/Destination Check for Both Firewalls

To allow the firewall to perform NAT operations, you must disable the source/destination check for the firewall network interfaces.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. Right-click on the primary firewall created in step 6, click Networking, and select Change Source/Dest. Check.
    awsha_srcdst_01.png
  4. Click Yes, Disable.
    awsha_srcdst_02.png
  5. Right-click on the secondary firewall created in Step 7, click Networking, and select Change Source/Dest. Check.
  6. Click Yes, Disable.

Step 9. Configure an AWS Route Table for Private Subnets

Configure the default route of the main routing table to use the primary firewall instance as the default gateway. Since this is the main route table, it is automatically applied to any subnets not specifically assigned to another route table.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route Tables.
  4. Click on the main route table for your VPC.
    awsha_main_route_table_01.png
  5. On the bottom, click on the Routes tab. 
  6. Click Edit.
    awsha_main_route_table_02.png
  7. In the Target column of the default route (0.0.0.0/0), enter the instance ID of the primary firewall.
  8. Click Save.
    awsha_main_route_table_03.png

The default route now shows an Active state in the Status column:

awsha_main_route_table_05.png

Step 10. Configure an AWS Route Table for the Firewall Subnets

The route table for the firewall subnet routes incoming and outgoing connections through the Internet gateway created by the VPC wizard in Step 3.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route Tables.
  4. Click on the second route table, which is currently associated with the subnet for the primary firewall.
    awsha_fw_route_table_01.png
  5. On the bottom, click on the Subnet Associations tab.
  6. Click Edit.
    awsha_fw_route_table_02.png
  7. Select both firewall subnets.
  8. Click Save.
    awsha_fw_route_table_03.png

The firewall subnets are now associated with the AWS route table routing connections over the Internet gateway.

awsha_fw_route_table_04.png

Step 11. Associate the Elastic IPs

Associate the elastic IPs created in Step 2 with the firewall network interfaces.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Elastic IPs.
  4. Right-click the first Elastic IP created in Step 2 and click Associate Address.
    awsha_eip01.png
  5. Enter the Instance ID of the primary firewall and click Associate.
    awsha_eip02.png
  6. Right-click the second Elastic IP created in Step 2 and click Associate Address.
  7. Enter the Instance ID of the secondary firewall and click Associate.

Traffic to the two Elastic IPs is now automatically forwarded to the network interface of the primary and secondary firewalls.

awsha_eip03.png

Step 12. Security Groups

Create a security group for the private networks that allows all traffic from the security group assigned to the firewalls.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the Security section of the left menu, click on Security Groups.
  4. Use the VPC ID to filter the security groups, and copy the Group ID of the security group assigned to the firewall instances.
    awsha_private_security_group01.png
  5. Click Create Security Group.
    • Group name – Enter a name for the security group.
    • Description – Enter a description for the security group.
    • VPC – Select the VPC you created in Step 3.
  6. In the lower half of the page, click on the Inbound tab.
  7. Create a rule to allow traffic from the firewall security group:
    • Type – Select All Traffic.
    • Protocol – Select ALL.
    • Source – Enter the Group ID of the security group assigned to your firewalls.
  8. Click Add Rule.
    awsha_private_security_group02.png
  9. Click Create.

Assign this security group to all instances in one of the private networks that are routed through the firewall.

Step 13. (Optional) Create Network ACLs

The Network ACLs created by the VPC wizard are configured by default to allow traffic through. If required, go to Network ACLs to edit the network ACL assigned to your VPC.

Step 14. Change the Primary Firewall Network Configuration from Dynamic to Static

On the primary firewall instance, change the network configuration from DHCP to a static network interface. Use the static private IP address you assigned during deployment. Always use the first IP address of the subnet as the default gateway.

  1. Log into the primary firewall via Barracuda Firewall Admin:
    • IP Address/Name – Enter the Elastic IP of the primary firewall.
    • Username – Enter root.
    • Password – Enter the instance ID of the primary firewall. 
    awsha_static_NIC_01.png
  2. Go to CONFIGURATION > Configuration Tree > Box > Network.
  3. In the left menu, click on xDSL/DHCP/ISDN.
  4. Click Lock.
  5. Delete the DHCP01 entry in the DHCP Links list.
  6. Set DHCP Enabled to No.
  7. In the left menu, click on IP Configuration.
  8. In the Management IP and Network section, reconfigure the management IP:
    • Interface Name – Select Other and enter eth0.
    • Management IP – Enter the private IP address of the primary firewall. To look it up, go to CONTROL > Network; the private IP address is assigned to the DHCP interface.
    • (optional) Netmask – Change the netmask to match the subnet of the primary firewall subnet.
    awsha_static_NIC_02.png
  9. In the left menu, click on Routing.
  10. Click in the Routes table and configure the following settings:
    • Target Network Address – Enter 0.0.0.0/0.
    • Route Type – Select gateway.
    • Gateway – Enter the first IP address of the primary firewall subnet. E.g., 10.100.0.1 if the IP address of the firewall is 10.100.0.10.
    • Trust Level – Select Unclassified.
  11. Click OK.
  12. Click Send Changes and Activate.
  13. Activate the changes to the network configuration:
    1. Go to CONTROL > Box.
    2. In the Network section of the left menu, click on Activate new network configuration.
    3. Click Activate Now. 

Open the CONTROL > Network page. Your interface and IP address are now static.

Step 15. (PAYG only) Import the PAYG License from the Secondary Firewall

Step 15.1 Export the PAYG License from the Secondary Firewall

  1. Log into the secondary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Select the license file, click the export icon, and select Export to File.
  5. Click Unlock.

Step 15.2 Import the PAYG License on the Primary Firewall

  1. Log into the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Click + and select Import from File.
  5. Select the license file exported from the secondary firewall.

The primary firewall now has both PAYG licenses listed in the Licenses list. 

Step 16. Create a Stand-Alone HA Cluster

Create a stand-alone high availability cluster between the primary and secondary firewall. The management IP address of the secondary firewall (HA network) must be configured as a static IP address using the private IP address of the secondary firewall. The gateway IP address for the default route of the secondary firewall must also be changed to match the subnet the second firewall is running in. You can also assign the secondary management IP in a different subnet; follow the steps below to enter a secondary gateway for the second subnet.

(Optional) Assign a Secondary Gateway IP Address

This step is necessary only if the second management IP address is in a different subnet than the first management IP address.

  1. Log into the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Network.
  3. Click Lock.
  4. In the left menu, select IP Configuration.
  5. In the Management Network and IPs section, enter the secondary management IP.
    AWS_2ndmgmtip_subnet.png
  6. Click Configuration Mode.
  7. Click Switch to Advanced.
  8. In the left menu, click Advanced Routing.
  9. Double-click on the route entry and enter the gateway IP address of the second subnet as Secondary Gateway.
    AWS_2ndmgmtip_subnet_routing.png
  10. Click OK.
  11. Click Send Changes.
  12. Click Activate.
  13. Go to CONTROL > Box. In the left navigation pane, expand Network and click Activate new network configuration. Select Failsafe as the activation.

For more information, see How to Set Up a High Availability Cluster.

Step 17. Configure Services to Listen on the Loopback Interface

Because AWS does not support floating IP addresses, you must configure all firewall services to listen on a loopback address (127.0.0.X). Use Application Redirect access rules to redirect incoming traffic from the eth0 interface to the services. Use the private IP addresses of both firewalls as the destination of the rule to ensure that it matches without regard to which firewall VM the service is currently running on.

Step 18. Configure Elastic IP Address Transfer

The AWS VPN gateway can only be configured to use one IP address. The same elastic IP address must always be associated with the active firewall in the cluster. Configure the Custom Scripts to execute an AWS CLI command that reassigns the Elastic IP addresses every time the firewall fails over. Write down the Elastic IP addresses associated with the primary and secondary firewalls:

  • Primary Firewall – Elastic IP address for the active firewall.
  • Secondary Firewall – Elastic IP address for the passive firewall (optional).

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Control.
  2. In the left menu, select Custom Scripts.
  3. Click Lock. 
  4. In the left menu, select Configuration Mode.
  5. Click Switch to Advanced.
  6. Select Custom Scripts.
    cs.png
  7. Copy the following script and paste it in the Start Script section. This AWS CLI command re-associates the active Elastic IP address when the firewall becomes active.

    /opt/aws/bin/aws ec2 associate-address --instance-id $(/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id) --allocation-id <ACTIVE_ELASTIC_IP_ID> --allow-reassociation
  8. Copy the following script and paste it in the Stop Script if you do not have automatic IP allocation in the subnet. This AWS CLI command re-associates the passive Elastic IP address when the firewall becomes inactive. 

    /opt/aws/bin/aws ec2 associate-address --instance-id $(/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id) --allocation-id <PASSIVE_ELASTIC_IP_ID> --allow-reassociation
  9. Click Send Changes and Activate.
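The one-line commands above have no error handling: if the AWS API call is throttled, if the instance role lacks permission, or if the instance requires IMDSv2 (in which case the plain metadata GET returns nothing), the failover silently leaves the Elastic IP on the wrong firewall. The script below is an added example, not Barracuda's own code, showing a checked version of the same Step 18 logic. It assumes the AWS CLI at /opt/aws/bin/aws as on this page (override with AWS_BIN), an instance role that allows ec2:AssociateAddress and ec2:DescribeAddresses, the hypothetical file path /root/eip_failover.sh, and the two allocation ID placeholders replaced with the values copied in Step 2.

```shell
#!/bin/sh
# Added example, not Barracuda's script: a checked version of the Step 18 EIP
# failover logic. Assumes the AWS CLI at /opt/aws/bin/aws (as on the page, override
# with AWS_BIN), an instance role allowing ec2:AssociateAddress and
# ec2:DescribeAddresses, and the two allocation IDs filled in below.
set -eu

AWS_BIN="${AWS_BIN:-/opt/aws/bin/aws}"
IMDS="http://169.254.169.254/latest"
# Placeholders: replace with the Allocation IDs copied in Step 2.
ACTIVE_EIP_ALLOC="${ACTIVE_EIP_ALLOC:-<ACTIVE_ELASTIC_IP_ID>}"
PASSIVE_EIP_ALLOC="${PASSIVE_EIP_ALLOC:-<PASSIVE_ELASTIC_IP_ID>}"

# An Allocation ID is "eipalloc-" plus 8 or 17 hex digits. Rejecting anything else
# stops the script from running with an unreplaced placeholder.
validate_allocation_id() {
    printf '%s\n' "$1" | grep -Eq '^eipalloc-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Build the associate-address command for region/instance/allocation. Kept as a
# pure function so the exact command line can be checked without calling AWS.
associate_cmd() {
    printf '%s ec2 associate-address --region %s --instance-id %s --allocation-id %s --allow-reassociation' \
        "$AWS_BIN" "$1" "$2" "$3"
}

# Read instance metadata with an IMDSv2 session token; works whether or not the
# instance is configured to require IMDSv2 (the page's plain GET only works for v1).
imds_get() {
    token=$(curl -s -X PUT "$IMDS/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -s -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/$1"
}

# Move the EIP to this instance, retry on API errors or throttling, and confirm
# with describe-addresses that the association really landed here.
reassociate() {
    alloc="$1"
    validate_allocation_id "$alloc" || { echo "refusing to run: bad allocation id '$alloc'" >&2; return 2; }
    instance=$(imds_get instance-id)
    region=$(imds_get placement/region)
    attempt=0
    while [ "$attempt" -lt 5 ]; do
        attempt=$((attempt + 1))
        if $(associate_cmd "$region" "$instance" "$alloc") >/dev/null 2>&1; then
            owner=$("$AWS_BIN" ec2 describe-addresses --region "$region" --allocation-ids "$alloc" \
                        --query 'Addresses[0].InstanceId' --output text) || owner=""
            if [ "$owner" = "$instance" ]; then
                logger -t eip-failover "$alloc associated with $instance (attempt $attempt)"
                return 0
            fi
        fi
        sleep $((attempt * 2))
    done
    logger -t eip-failover "giving up: $alloc not on $instance after $attempt attempts"
    return 1
}

# Entry point. "start" is called from the Start Script (this firewall became
# active), "stop" from the Stop Script (it became passive). With no argument the
# file only defines the functions.
case "${1:-}" in
    start) reassociate "$ACTIVE_EIP_ALLOC" ;;
    stop)  reassociate "$PASSIVE_EIP_ALLOC" ;;
esac
```

Save the file on both firewalls, then use `/root/eip_failover.sh start` as the Start Script and `/root/eip_failover.sh stop` as the Stop Script in place of the one-liners. The describe-addresses check after each attempt is what turns a fire-and-forget command into something you can alert on: a failover that does not end with the EIP on the active instance is logged to syslog with the attempt count, and the instance role needs nothing beyond the two EC2 actions named above.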

Step 19. (BYOL only) Activate and License the HA Cluster

Activate the secondary firewall first, then the primary firewall. This ensures that the primary firewall can download the licenses of the secondary firewall.

For more information, see How to Activate and License a Standalone High Availability Cluster.
