Barracuda CloudGen Firewall

How to Configure a High Availability Cluster in AWS using the Web Portal

Configure a high availability cluster in AWS to ensure that the services running on the firewall are always available even if one instance is unavailable. To be able to configure an HA cluster, the firewall instances must be deployed in two subnets, each in a different availability zone. Each firewall has a public IP address. For services requiring a single public IP address, AWS classic Elastic Load Balancer (TCP only) or Route 53 (all protocols) can be used to forward incoming connections to the active firewall.

After a failover, all existing sessions time out since AWS does not support floating IP addresses. Clients in the private subnets using the firewall as the default route use the default gateway of the subnet. Depending on the setting in the AWS route table associated with the subnet, the AWS cloud fabric forwards the traffic to the active firewall internally. When a failover occurs, the active firewall rewrites the AWS route table, ensuring that the now-active firewall is used as the new gateway.

Before you begin

  • An Amazon AWS account is required.
  • (BYOL only) Licenses matching the desired instance size are required when using BYOL images.

Step 1. Select the AWS datacenter

  1. Log into the AWS console.
  2. In the upper right, click on the datacenter location, and select the datacenter you want to deploy to from the list.

The selected datacenter location is now displayed in the AWS console.

Step 2. Create an elastic IP for each firewall

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Elastic IPs.
  4. For the primary and secondary firewall:
    1. Click Allocate New Address.
    2. Click Yes, Allocate.

Two unassigned elastic IPs are now added to the list. Copy the Allocation ID for future use.

Step 3. Create VPC with the VPC wizard

Use the VPC wizard to create a VPC with two subnets. Each subnet must be created in a different availability zone. Additional subnets for the backend instances are added after the wizard.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. Click Start VPC Wizard. The VPC wizard opens.
  4. Select VPC with Public and Private Subnets and click Select.
  5. On the VPC with Public and Private Subnets, change the following settings:
    • IP CIDR block – Enter a /16 CIDR block that does not overlap with any of your other networks.
    • VPC Name – Enter the name. 
    • Public subnet – Enter the /24 subnet used for the primary firewall.
    • Public subnet name – Enter a name for the primary firewall subnet.
    • Availability Zone – Select an availability zone.
    • Private subnet – Enter the /24 subnet used for the secondary firewall.
    • Private subnet name – Enter a name for the secondary firewall subnet.
    • Availability Zone – Select a different availability zone for the second subnet, as the primary and secondary firewalls must be in different availability zones. E.g., select eu-west-1b if you selected eu-west-1a as the public subnet availability zone.
    • Elastic IP Allocation ID – Enter the Allocation ID of one of the elastic IP addresses created in step 2.
  6. (optional) Set Enable DNS hostnames to NO to use only IP addresses to access your VPC.
  7. Click Create VPC.

The VPC is now listed in the Your VPCs list.


Step 4. Add a subnet to the VPC

Add a private subnet for instances that use the firewall.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Subnets.
  4. Click Create Subnet.
  5. Create a subnet:
    • Name tag – Enter a name for the subnet.
    • VPC – Select the VPC created in step 3.
    • Availability Zone – Select an availability zone from the list.
    • CIDR block – Enter a free subnet in the scope of the network defined for the VPC.
  6. Click Yes, Create.

You now have three subnets in the VPC:


Step 5. Delete NAT gateway instance

The VPC wizard automatically creates a NAT gateway instance. Since the firewall already provides NAT, this NAT gateway instance must be deleted.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the Virtual Private Cloud section of the left menu, click on NAT Gateways.
  4. (optional) Enter the VPC ID in the search bar.
  5. Select the NAT gateway created for your VPC and click Delete NAT Gateway. The Delete NAT Gateway pop-over window opens.
  6. Click Delete NAT Gateway.

The elastic IP address associated with the NAT gateway is released automatically and is now free to use for one of the firewall instances.

Step 6. Deploy the primary firewall

The primary firewall is deployed into the first firewall subnet of the VPC. Two image types are available in the AWS Marketplace: BYOL and hourly.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Create Instance section, click Launch Instance.
  4. In the left menu, click AWS Marketplace.
  5. Enter Barracuda NextGen in the Search for AWS Marketplace Product search box.
  6. Click Select next to the image type you want to deploy: BYOL or hourly.
  7. Select the Instance Type. If you are deploying a BYOL image, verify that the number of CPU cores of the instance matches your license.
  8. Click Next: Configure Instance Details.
  9. Configure the Instance Details:
    • Number of instances – Enter 1.
    • Network – Select the VPC created in step 3.
    • Subnet – Select the subnet for the primary firewall.
  10. In the Network Interfaces section, enter the Primary IP address. The IP address must be in the subnet selected above.
  11. Click Next: Add Storage.
  12. Click Next: Tag Instance.
  13. Click Next: Configure Security Group.
  14. (optional) Enter a Security group name.
  15. (optional) Remove the preconfigured rules in the security group.
  16. Click Add Rule and open up the security group for all traffic:
    • Type – Select All Traffic.
    • Source – Select Anywhere.
  17. Click Review and Launch.
  18. Click Launch. The Select and existing key pair or create a new key pair pop-over window opens.
  19. From the drop-down list, select Choose an existing key pair or Create a new key pair. The certificate is valid only for root SSH logins. For NextGen Admin, the Instance ID is the default password.
  20. Click the checkbox to verify that you have access to the selected key, or click Download Key Pair to download a new key pair.
  21. Click Launch Instances
    aws_deploy_15.png

On the Launch Status page, locate and copy the Instance ID. It is the default password used to log into the primary firewall via NextGen Admin.


Step 7. Deploy secondary firewall

The secondary firewall instance is deployed into the secondary firewall subnet of the VPC. The configuration of the primary firewall is used as a starting point.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the left menu click Instances.
  4. Right-click on the primary firewall instance created in step 6 and click Launch More Like This.
  5. On the top menu bar, click 3. Configure Instance.
  6. Configure the Instance Details:
    • Subnet – Select the subnet for the secondary firewall.
  7. In the Network Interfaces section, enter the Primary IP address. The IP address must be in the subnet selected above.
  8. Click Review and Launch.
  9. Click Launch. The Select an existing key pair or create a new key pair pop-over window opens.
  10. From the drop-down list, select Choose an existing key pair.
  11. Select the key pair used for the first firewall.
  12. Click Launch Instances.

On the Launch Status page, locate and copy the Instance ID. It is the default password used to log into the secondary firewall via NextGen Admin.


Step 8. Disable source/destination check for both firewalls

To allow the firewall to perform NAT operations, you must disable the source/destination check for the firewall network interfaces.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. Right-click on the primary firewall created in step 6, click Networking, and select Change Source/Dest. Check.
  4. Click Yes, Disable.
  5. Right-click on the secondary firewall created in step 7, click Networking, and select Change Source/Dest. Check.
  6. Click Yes, Disable.

Step 9. Configure AWS route table for private subnets

Configure the default route of the main routing table to use the primary firewall instance as the default gateway. Since this is the main route table, it is automatically applied to any subnets not specifically assigned to another route table.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route Tables.
  4. Click on the main route table for your VPC.
  5. On the bottom, click on the Routes tab.
  6. Click Edit.
  7. In the Target column of the default route (0.0.0.0/0), enter the instance ID of the primary firewall.
  8. Click Save.

The default route now shows an Active state in the Status column:


Step 10. Configure AWS route table for the firewall subnets

The route table for the firewall subnet routes incoming and outgoing connections through the Internet gateway created by the VPC wizard in step 3.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route Tables.
  4. Click on the second route table, which is currently associated with the subnet for the primary firewall.
  5. On the bottom, click on the Subnet Associations tab.
  6. Click Edit.
  7. Select both firewall subnets.
  8. Click Save.

The firewall subnets are now associated with the AWS route table routing connections over the Internet gateway.


Step 11. Associate the elastic IPs

Associate the elastic IPs created in step 2 with the firewall network interfaces.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Elastic IPs.
  4. Right-click the first EIP created in step 2 and click Associate Address.
  5. Enter the Instance ID of the primary firewall and click Associate.
  6. Right-click the second EIP created in step 2 and click Associate Address.
  7. Enter the Instance ID of the secondary firewall and click Associate.

Traffic to the two EIPs is now automatically forwarded to the network interfaces of the primary and secondary firewalls.


Step 12. Security groups

Create a security group for the private networks that allows all traffic from the security group assigned to the firewalls.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the Security section of the left menu, click on Security Groups.
  4. Use the VPC ID to filter the security groups, and copy the Group ID of the security group assigned to the firewall instances.
  5. Click Create Security Group.
    • Group name – Enter a name for the security group.
    • Description – Enter a description for the security group.
    • VPC – Select the VPC you created in step 3.
  6. In the lower half of the page, click on the Inbound tab.
  7. Create a rule to allow traffic from the firewall security group:
    • Type – Select All Traffic.
    • Protocol – Select ALL.
    • Source – Enter the group ID of the security group assigned to your firewalls.
  8. Click Add Rule.
  9. Click Create.

Assign this security group to all instances in the private networks that are routed through the firewall.

Step 13. (optional) Network ACLs

The Network ACLs created by the VPC wizard are configured by default to allow traffic through. If required, go to Network ACLs to edit the network ACL assigned to your VPC.

Step 14. Change the primary firewall network configuration from dynamic to static

On the primary firewall instance, change the network configuration from DHCP to a static network interface. Use the static private IP address you assigned during deployment. Always use the first IP address of the subnet as the default gateway.

  1. Log into the primary firewall via NextGen Admin:
    • IP Address / Name – Enter the EIP of the primary firewall.
    • Username – Enter root.
    • Password – Enter the instance ID of the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Network.
  3. In the left menu, click on xDSL/DHCP/ISDN.
  4. Click Lock.
  5. Delete the DHCP01 entry in the DHCP Links list.
  6. Select No from the DHCP Enabled drop-down list.
  7. In the left menu, click on IP Configuration.
  8. In the Management IP and Network section, reconfigure the management IP:
    • Interface Name – Select Other and enter eth0.
    • Management IP – Enter the private IP address of the primary firewall. To look it up, go to CONTROL > Network; the private IP address is the one assigned to the DHCP interface.
    • (optional) Netmask – Change the netmask to match the primary firewall subnet.
  9. In the left menu, click on Routing.
  10. Click in the Routes table and configure the following settings:
    • Target Network Address – Enter 0.0.0.0/0.
    • Route Type – Select gateway.
    • Gateway – Enter the first IP address of the primary firewall subnet. E.g., if the firewall IP address is 10.100.0.10 in a /24 subnet, the gateway IP address is 10.100.0.1.
    • Trust Level – Select Unclassified.
  11. Click OK.
  12. Click Send Changes and Activate.
  13. Activate the changes to the network configuration:
    1. Go to CONTROL > Box.
    2. In the Network section of the left menu, click on Activate new network configuration.
    3. Click Activate Now. 

Open the CONTROL > Network page. Your interface and IP address are now static.

Step 15. (PAYG only) Import PAYG licenses from the secondary firewall

Step 15.1 Export the PAYG license from the secondary firewall

  1. Log into the secondary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Select the license file, click the export icon, and select Export to File.
  5. Click Unlock.

Step 15.2 Import the PAYG license on the primary firewall

  1. Log into the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Click + and select Import from File.
  5. Select the license file exported from the secondary firewall.

The primary firewall now has both PAYG licenses listed in the Licenses list. 

Step 16. Create a stand-alone HA cluster

Create a stand-alone high availability cluster between the primary and secondary firewall. The management IP address of the secondary firewall (HA network) must be configured as a static IP address using the private IP address of the secondary firewall. Verify that the default route uses the first IP address in the second firewall subnet. E.g., if the secondary firewall uses 10.100.10.10 in a /24 subnet, the gateway is 10.100.10.1.

For more information, see How to Set Up a High Availability Cluster.

Step 17. Configure services to listen on loopback interface

Because AWS does not support floating IP addresses, you must configure all services on the virtual server to listen on a loopback address (127.0.0.X). Use Application Redirect access rules to redirect incoming traffic from the eth0 interface to the services. Use the private IP addresses of both firewalls as the destination of the rule to ensure that it matches without regard to which firewall VM the virtual server is currently running on.

Step 18. (BYOL only) Activate and license the HA cluster

Activate the secondary firewall first, then the primary firewall. This ensures that the primary firewall can download the licenses of the secondary firewall.

For more information, see How to Activate and License a NextGen F-Series High Availability Cluster.

Step 19. (optional) Configure the Amazon Load Balancer or Amazon Route 53

Amazon Classic Elastic Load Balancer

The Elastic Load Balancer receives public TCP traffic and forwards it to the active firewall. Protocols other than TCP are not supported. For each TCP port you want to load balance, you must add a load balancer rule that maps the external port and protocol to the internal protocol and port. Configure the health checks to check a service on the virtual server, such as TCP 691 for the VPN service. In this way, only the firewall running the virtual server is regarded as healthy by the load balancer, and traffic is forwarded only to the active firewall.

DNS load balancing using Route 53

For services not using TCP connections, Amazon Route 53 can be used to configure a DNS-based load balancer. Route 53 is also the preferred load balancing service for geographically distributed cloud resources.

Step 20. Configure HA route table rewriting on the F-Series Firewall VMs

Configure both the primary and secondary firewalls to update the route table of the VPC. In case of a failover, the route table is updated so that all backend VMs using the HA cluster as a gateway use the active firewall.

For more information, see How to Configure AWS Route Table Rewriting.
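The failover mechanism of steps 8, 9 and 20 (the active firewall replacing the 0.0.0.0/0 target of the main route table with its own instance ID, which only works once the source/destination check is disabled) is shown here as an added illustration; it is not Barracuda's implementation. It assumes a boto3-style EC2 client (describe_route_tables, describe_instance_attribute, replace_route); FakeEC2 is a constructed stand-in so the example runs offline, and the rtb-/i- IDs are placeholders.

```python
# Added illustration (not Barracuda's code) of the failover route-table rewrite in
# steps 8, 9 and 20. Assumes a boto3-style EC2 client exposing describe_route_tables,
# describe_instance_attribute and replace_route; FakeEC2 below is a constructed
# stand-in so the example runs offline (in AWS you would pass boto3.client("ec2")).

DEFAULT_ROUTE = "0.0.0.0/0"

def current_default_target(ec2, route_table_id):
    """Instance ID currently targeted by the table's 0.0.0.0/0 route, or None."""
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for table in resp["RouteTables"]:
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
                return route.get("InstanceId")
    return None

def source_dest_check_disabled(ec2, instance_id):
    """Step 8 precondition: an instance only forwards/NATs with SourceDestCheck=false."""
    attr = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="sourceDestCheck")
    return attr["SourceDestCheck"]["Value"] is False

def promote_firewall(ec2, route_table_id, new_active_id):
    """Point the main route table's default route at the newly active firewall.
    Refuses if the new target still has the src/dst check on (subnets would be black-holed)."""
    if not source_dest_check_disabled(ec2, new_active_id):
        raise RuntimeError(f"source/dest check still enabled on {new_active_id}")
    current = current_default_target(ec2, route_table_id)
    if current == new_active_id:
        return "unchanged"  # idempotent: already the gateway
    ec2.replace_route(RouteTableId=route_table_id,
                      DestinationCidrBlock=DEFAULT_ROUTE, InstanceId=new_active_id)
    return f"rewritten:{current}->{new_active_id}"

class FakeEC2:
    """Constructed stand-in for boto3's EC2 client with only the three calls used above."""

    def __init__(self, route_table_id, target, src_dst_disabled):
        self.routes = {route_table_id: target}  # route table -> 0.0.0.0/0 target
        self.src_dst_disabled = dict(src_dst_disabled)  # instance -> check disabled?
        self.calls = []  # recorded replace_route calls

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": r, "Routes": [
            {"DestinationCidrBlock": DEFAULT_ROUTE, "InstanceId": self.routes[r]}]}
            for r in RouteTableIds]}

    def describe_instance_attribute(self, InstanceId, Attribute):
        return {"SourceDestCheck": {"Value": not self.src_dst_disabled.get(InstanceId, False)}}

    def replace_route(self, RouteTableId, DestinationCidrBlock, InstanceId):
        self.calls.append((RouteTableId, DestinationCidrBlock, InstanceId))
        self.routes[RouteTableId] = InstanceId
```

Running promote_firewall twice for the same secondary firewall issues exactly one replace_route call, which is the behaviour you want from a failover hook that may fire repeatedly.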
