Barracuda CloudGen Firewall

Active-Active Performance Setup with Symmetric Load Balancing

The following example explains an Azure active-active deployment with symmetric load balancing and User Defined Routing (UDR). With this setup, all traffic coming from the virtual networks hits the load balancer and is distributed to the firewall units according to the rules configured in the template. Return traffic from the firewalls back to the networks does not require any translation; it is processed by the firewall rules and therefore reaches the correct recipient.

[Figure: Azure active-active deployment with symmetric load balancing (az_vmss_sym_architecture-01.png)]

Azure active-active performance deployment with symmetric load balancing provides the following advantages:

  • Integrates well with network infrastructures using UDR and Azure ExpressRoute
  • Does not require NAT
  • Extremely straightforward (add VMs to the backend pool, no other modifications required)

The CloudGen Firewall configuration in Microsoft Azure supports repositories, configuration templates, and the distributed firewall. For more information, see Repositories, Distributed Firewall, and How to Work with Configuration Templates on Different Levels in the Configuration Tree.

Before You Begin

Before proceeding with deploying the Barracuda CloudGen Firewall HA template, make sure that your network infrastructure meets the service requirements listed in CloudGen Firewall Active-Active Performance in Microsoft Azure.

Otherwise, do the following:

  • Create a resource group
  • Create a storage account
  • Create VNET and subnet
  • Get a CGF image

For more information, see How to Create a Resource Network in Azure.

Step 1. Deploy a Barracuda Virtual Machine Scale Set

  1. Log into your Azure Portal.
  2. Go to the resource group. (See the "Before You Begin" section for more information.)
  3. Click + to create a new resource.
  4. Search for VMSS in the Marketplace.
  5. Choose Virtual machine scale set.
  6. Click Create.
  7. On the next page, configure the following settings:
    • Virtual machine scale set name – Enter a name.
    • Region – Select your region.
    • Availability zone – Select your preferred availability zone.
    • Image – Select image cgf/cgf-byol/latest.
    • VM Architecture – Select x64.
    • Size – Select the VM size.
    • Username – Enter a username.
    • Password – Enter a password.
  8. On the next page, configure Spot settings according to your requirements.
  9. On the next page, set up Disks according to your requirements.
  10. On the next page, configure the following settings:
    • Virtual network – Select the virtual network created in the "Before You Begin" section.
    • Edit NIC – Select the subnet you want to deploy the scale set to.
    • Load balancing options – Select None. An internal load balancer will be added later.
  11. On the next page, choose your scaling settings:
    • Initial Instance count – Enter 2.
    • Scaling Policy – Select Manual.
  12. On the next page, choose the storage account or create a new one.
  13. Click Next to continue to the Health page.
  14. Click Next to continue to the Advanced page.
    • Optional: Add a user data script that retrieves the PAR file configuration in case the instance is relaunched.
  15. Click Next to continue to the Tags page.
  16. Verify the settings on the Review and Create page.
  17. Click Create to create the scale set.

Step 2. Virtual Machine Scale Set – Post-Deployment Steps

Go to the resource group the scale set has been deployed to.

  1. Select the Network Security Group created along with the VMSS.
    • Configure inbound security rules – Allow ports 443, 807, 801, and 22.
    • Configure outbound security rules according to your specification.
  2. Go back to the resource group.
  3. For each VMSS instance, select the corresponding network interface.
  4. In IP configuration, make sure that Enable IP forwarding is selected.

Step 3. Create an Internal Load Balancer

  1. From the resource group, click + to create a new resource.
  2. Type in Load Balancer and select the resource from the list. The Load Balancer page opens.
  3. Click Create to create a new load balancer.
  4. On the next page, choose your settings:
    • SKU – Select the desired SKU (default: Standard).
    • Type – Select Internal.
    • Tier – Select Regional.
  5. On the next page, set your Frontend IP configuration.
  6. Click Add a frontend IP.
  7. The Frontend IP window opens. Configure the following settings:
    • Name – Enter a descriptive name.
    • Virtual Network – Select the virtual network where the VMSS resides.
    • Subnet – Select the subnet where the VMSS resides.
    • Assignment – Select Static.
    • IP Address – Enter the IP address.
    • Availability Zone – Select Zone-redundant.
    • Click Save.
  8. Proceed with the Backend pool:
    1. Provide a Name.
    2. Click + to add a backend pool.
    3. Select the related NICs from the VM scale set.
    4. Click Add and Save.
  9. Click Next to continue with Inbound rules.
  10. Click + Add a load balancing rule, and specify the following settings:
    • Name – Enter a name.
    • IP Version – Select IPv4.
    • Frontend IP address – Select the IP address.
    • Backend Pool – Select the backend pool.
    • High availability ports – Select the check box.
    • Health Probe – Create a new entry:
      • Name – Enter a name.
      • Protocol – TCP
      • Port – Enter 65000
      • Interval seconds – Enter 5
    • Idle timeout – Select 4 (default).
    • Enable TCP Reset – Leave unchecked.
    • Floating IP – Leave unchecked.
  11. Click Save.
  12. Click Next to proceed to Outbound rules.
  13. Click Next to proceed to Tags.
  14. On the Review and create page, verify your settings.
  15. Click Create.

Step 4. Create a User Defined Route Table

  1. From the resource group, click + to create a new resource.
  2. Type in Route Table and select the resource from the list.
  3. Click Create. The Route table > Basics page opens.
  4. Configure the following settings:
    • Subscription – Select your subscription.
    • Resource group – Select your resource group.
    • Region – Select your region.
    • Name – Provide a name.
  5. Click Next to continue with Tags.
  6. Click Next to see the summary.
  7. Click Create to create the resource.
  8. Go to the route table resource and select it.
  9. In the left pane, select Routes and click + to add a route.
  10. Configure the following settings:
    • Route name – Enter a descriptive route name.
    • Destination type – Select IP Addresses.
    • Destination IP addresses/CIDR ranges – Add your route in CIDR notation.
    • Next hop type – Select Virtual appliance.
    • Next hop address – Enter the frontend IP address of the load balancer.
    • Click Add.
  11. In the left pane, select Subnets and click + to associate the subnets.
  12. Associate all appropriate subnets with the route table.
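Steps 2 to 4 above, as an added example in Azure CLI form rather than anything from Barracuda's documentation: the NSG management ports and IP forwarding, the internal Standard load balancer with its TCP 65000 health probe and HA-ports rule, and the route table whose next hop is the load balancer frontend. Resource names, the 10.0.0.0/16 address plan and the frontend IP 10.0.1.100 are assumed placeholders, and adding the VMSS NICs to the backend pool (Step 3, item 8) is still done in the portal.

```shell
#!/bin/sh
# Added example, not Barracuda's script: Steps 2-4 of this page as Azure CLI calls.
# All names, the 10.0.0.0/16 layout and the frontend IP are constructed placeholders.
set -eu
RG="cgf-rg"; LOC="westeurope"; VNET="cgf-vnet"; VMSS="cgf-vmss"; NSG="cgf-vmss-nsg"
FW_SUBNET="fw-subnet"; FW_CIDR="10.0.1.0/24"                    # subnet holding the VMSS NICs
ILB="cgf-ilb"; FE="fe-cgf"; BP="bp-cgf"; ILB_IP="10.0.1.100"     # static frontend IP
RT="cgf-udr"; APP_SUBNET="app-subnet"; APP_CIDR="10.0.2.0/24"   # subnet routed via the ILB

ip_to_int() { local IFS=.; set -- $1; echo $(( ($1<<24) + ($2<<16) + ($3<<8) + $4 )); }
in_cidr() {  # in_cidr <ip> <cidr>: exit 0 when <ip> lies inside <cidr>
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

post_deploy() {  # Step 2: management ports on the NSG, IP forwarding on the VMSS NICs
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-cgf-mgmt --priority 100 \
    --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 443 807 801 22
  az vmss update -g "$RG" -n "$VMSS" --set \
    virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].enableIpForwarding=true
  az vmss update-instances -g "$RG" -n "$VMSS" --instance-ids '*'   # apply to the 2 running instances
}

create_ilb() {  # Step 3: internal Standard LB with an HA-ports rule
  in_cidr "$ILB_IP" "$FW_CIDR" || { echo "frontend IP $ILB_IP is not in $FW_CIDR" >&2; return 1; }
  az network lb create -g "$RG" -n "$ILB" --sku Standard --vnet-name "$VNET" --subnet "$FW_SUBNET" \
    --frontend-ip-name "$FE" --private-ip-address "$ILB_IP" --backend-pool-name "$BP"
  # Probe TCP 65000 every 5 s; the firewall's App Redirect rule (Step 6) answers it on 127.0.0.1:450
  az network lb probe create -g "$RG" --lb-name "$ILB" -n hc-65000 --protocol tcp --port 65000 --interval 5
  # HA ports = protocol All, port 0; floating IP and TCP reset off, 4 min idle timeout (page defaults)
  az network lb rule create -g "$RG" --lb-name "$ILB" -n ha-ports --protocol All \
    --frontend-port 0 --backend-port 0 --frontend-ip-name "$FE" --backend-pool-name "$BP" \
    --probe-name hc-65000 --idle-timeout 4 --floating-ip false --enable-tcp-reset false
}

create_udr() {  # Step 4: route the application subnet through the ILB frontend (no NAT needed)
  az network route-table create -g "$RG" -n "$RT" -l "$LOC"
  az network route-table route create -g "$RG" --route-table-name "$RT" -n to-app \
    --address-prefix "$APP_CIDR" --next-hop-type VirtualAppliance --next-hop-ip-address "$ILB_IP"
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" --route-table "$RT"
}

# Only acts when run as "sh deploy.sh deploy"; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then post_deploy && create_ilb && create_udr; fi
```

The in_cidr check refuses to create the load balancer when the static frontend IP is not inside the firewall subnet, a mistake the portal only reports after the fact.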

Step 5. Add the Firewall Instances to the Control Center

Add the CloudGen Firewall instances created with the Firewall VM scale set to the Control Center. For more information on managed firewalls, please refer to How to Import an Existing CloudGen Firewall into a Control Center.

Create a cluster- / range-level repository for the linked configuration management. For more information, see Repositories.

Licenses that are already installed on PAYG firewall instances are pushed to the Control Center before retrieving the PAR file. Firewalls using the BYOL images use the licenses configured on the Control Center.

Step 6. Set Up Rules and Repositories, and Link Them to Your Firewall Scale Set

Verify that the predefined cloud access rules are enabled and use dynamic objects or a loopback address.

  1. On the Control Center, go to Configuration Tree > your Range > your Cluster > your Box > Assigned Services > Firewall.
  2. Right-click Forwarding Rules and select Copy to Cluster repository.
  3. Provide a Name and copy the node.
  4. Open the created repository.
  5. Click Lock.
  6. Add an App Redirect rule for the load balancer health check:
    • Source – Select Any.
    • Services – Add TCP 65000.
    • Destination – Select DHCP1 Local IP.
    • Redirection – Enter 127.0.0.1:450
  7. Add a Dst NAT rule to access the back-end server:
    • Source – Select Any.
    • Services – Add the ports for the required services.
    • Destination – Select DHCP1 Local IP.
    • Redirection – Enter the IP address of your back-end server.
    • Connection Method – Select Original Source IP.
  8. Click OK.
  9. Click Send Changes.
  10. Close the repository window.
  11. Right-click the firewall repository and select Multiple Object Action.
  12. Select all firewall instances for the corresponding scale set.
  13. Select Link To repository > Go.
  14. Click OK.
  15. Click Activate.

Step 7. Verify the Setup

Your Barracuda CloudGen Firewall instances are now fully integrated into the Azure cloud and communicate with the load balancer that processes traffic from and to your subnets. To verify that your CloudGen Firewalls are up and running, go to Firewall > Live. The traffic details for your CloudGen Firewalls should be listed with the configured rules.

  • All instances in subnets associated with the route table should be able to reach the ILB frontend IP.
  • All instances in subnets associated with the route table should be able to reach the back-end services.

Next Steps

You can now configure your routing rules on the CloudGen Firewalls according to individual requirements.