VM-series firewalls can be deployed on Alibaba Cloud to protect inbound/outbound traffic to/from an Alibaba Cloud VPC. There are different ways to deploy VM-Series firewalls in order to achieve high availability (HA). Examples include Alicloud_VM_HA and Alicloud_LB_Sandwich.
Recently, Alibaba Cloud introduced a feature called HAVIP that will allow us to deploy VM-Series firewalls in active/standby mode on Alibaba Cloud. HAVIP works by listening to the ARP/GARP messages sent by the VM-Series firewalls to determine which network interfaces belong to the active VM-Series firewall, and it will forward traffic to those interfaces.
The HAVIP feature is currently in public preview. To test this feature, submit a ticket to have it enabled for your account.
The diagram below shows how the VM-Series firewalls are deployed with HAVIP. The two VM-Series firewalls are configured in active/standby HA mode. Two HAVIPs are configured. One HAVIP is configured with an attached public IP address (the External HAVIP). The Untrust interface of each VM-Series firewall is bound to this External HAVIP. The other HAVIP (the Internal HAVIP) does not have an attached public IP address. The Trust interface of each VM-Series firewall is bound to this Internal HAVIP.
Note that the HAVIP address must be in the same subnet as the network interfaces that are bound to it. In this example, the External HAVIP must be in the same subnet as the Untrust interfaces, while the Internal HAVIP must be in the same subnet as the Trust interfaces. Subnets in Alibaba Cloud cannot span multiple zones, so this solution will only work if both VM-Series firewalls are in the same Availability Zone.
To create the External HAVIP, from your Alibaba Cloud console, go to VPC → HAVIP and click “Create HAVIP.” Choose the VPC and vSwitch, and provide a private IP address for the HAVIP.
Once the HAVIP has been created, click on it to open its configuration. You will see that nothing is bound to the HAVIP at this time.
Create an Elastic IP Address (EIP) if you have not already created one. Then click on the “Bind” button beside “Elastic IP Address” to bind the EIP to the HAVIP.
There are two ways to bind resources to the HAVIP. You can either bind an instance or a network interface. When binding with an instance, the primary network interface of the instance is used. For VM-Series firewalls, the primary network interface is the Management interface (since VM-Series firewalls do not support interface swap on Alibaba Cloud). So in this case, we need to bind using network interfaces.
To bind the Untrust interfaces of the VM-Series firewalls to the HAVIP, click on the “Bind” button under “ECS Instances.” Choose “ENI” as the resource type, and then choose the Instance and ENI to bind to the HAVIP. Repeat the same procedure for the other Untrust interface.
Once the EIP and both Untrust interfaces are bound to the HAVIP, you should see them in the HAVIP configuration page.
Repeat the same procedure to create the Internal HAVIP. For the Internal HAVIP, there is no need to bind any EIP to it. The configuration for the Internal HAVIP should be similar to this:
Traffic from the servers should be routed to the Internal HAVIP. To achieve this, a static route is configured in the Route Table associated with the server subnet.
To create a Route Table, from your Alibaba Cloud console, go to VPC → Route Tables. After creating the route table, add a custom route entry that points the default route (0.0.0.0/0) to the Internal HAVIP, and associate this route table with the server vSwitch.
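The console steps above (create the HAVIP, bind the EIP, bind one ENI per firewall, point the server subnet's default route at the Internal HAVIP) map onto a handful of Alibaba Cloud VPC API actions, and the two constraints from earlier (the HAVIP address must sit inside the vSwitch of the interfaces bound to it, and both firewalls must be in one zone) are easy to get wrong by hand. The following script is an added example, not code from the original post or from Alibaba Cloud: it validates a planned External and Internal HAVIP against those constraints and then lists the API calls in the order the console procedure performs them. The action and parameter names (CreateHaVip, AssociateEipAddress, AssociateHaVip, CreateRouteEntry, AssociateRouteTable) are the VPC API names; all resource ids, zone names and addresses are constructed placeholders, and the HAVIP id is shown as a placeholder because it is only returned by CreateHaVip at run time.

```python
"""Pre-flight check and ordered API plan for a HAVIP active/standby deployment.

Added example (not code from the original post): checks the HAVIP-in-vSwitch
and single-zone constraints, then lists the VPC API actions that correspond
to the console steps. Resource ids and addresses are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Eni:
    eni_id: str
    vswitch_id: str
    zone: str
    private_ip: str


@dataclass
class HaVipPlan:
    name: str
    vpc_id: str
    vswitch_id: str
    vswitch_cidr: str
    zone: str
    address: str                          # private IP requested for the HAVIP
    enis: List[Eni]                       # one data interface per firewall
    eip_id: Optional[str] = None          # External HAVIP only
    route_table_id: Optional[str] = None  # Internal HAVIP only
    server_vswitch_id: Optional[str] = None


def validate(plan: HaVipPlan) -> List[str]:
    """Return the problems found; an empty list means the plan is deployable."""
    problems: List[str] = []
    net = ipaddress.ip_network(plan.vswitch_cidr, strict=True)
    addr = ipaddress.ip_address(plan.address)
    if addr not in net:
        problems.append(f"{plan.name}: HAVIP {addr} is outside vSwitch {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{plan.name}: HAVIP {addr} is the network or broadcast address")
    if len(plan.enis) != 2:
        problems.append(f"{plan.name}: expected one ENI per firewall (2), got {len(plan.enis)}")
    for eni in plan.enis:
        if eni.vswitch_id != plan.vswitch_id:
            problems.append(f"{plan.name}: {eni.eni_id} is in {eni.vswitch_id}, not {plan.vswitch_id}")
        if eni.zone != plan.zone:
            problems.append(f"{plan.name}: {eni.eni_id} is in zone {eni.zone}, not {plan.zone}")
        if eni.private_ip == plan.address:
            problems.append(f"{plan.name}: {eni.eni_id} already uses {plan.address}")
    return problems


def api_calls(plan: HaVipPlan) -> List[dict]:
    """Ordered VPC API actions matching the console procedure."""
    havip_id = f"<HaVipId of {plan.name}>"  # returned by CreateHaVip at run time
    calls = [{"Action": "CreateHaVip", "VpcId": plan.vpc_id,
              "VSwitchId": plan.vswitch_id, "IpAddress": plan.address}]
    if plan.eip_id:  # External HAVIP: attach the public address
        calls.append({"Action": "AssociateEipAddress", "AllocationId": plan.eip_id,
                      "InstanceId": havip_id, "InstanceType": "HaVip"})
    for eni in plan.enis:  # bind by ENI, not by instance: the primary ENI is Management
        calls.append({"Action": "AssociateHaVip", "HaVipId": havip_id,
                      "InstanceId": eni.eni_id, "InstanceType": "NetworkInterface"})
    if plan.route_table_id:  # Internal HAVIP: default route of the server subnet
        calls.append({"Action": "CreateRouteEntry", "RouteTableId": plan.route_table_id,
                      "DestinationCidrBlock": "0.0.0.0/0",
                      "NextHopType": "HaVip", "NextHopId": havip_id})
        if plan.server_vswitch_id:
            calls.append({"Action": "AssociateRouteTable", "RouteTableId": plan.route_table_id,
                          "VSwitchId": plan.server_vswitch_id})
    return calls


def example_plans(zone: str = "cn-hangzhou-h") -> List[HaVipPlan]:
    """Constructed External and Internal HAVIP plans for one firewall pair."""
    fw = [("fw1", "10"), ("fw2", "11")]
    untrust = [Eni(f"eni-{n}-untrust", "vsw-untrust", zone, f"10.0.1.{h}") for n, h in fw]
    trust = [Eni(f"eni-{n}-trust", "vsw-trust", zone, f"10.0.2.{h}") for n, h in fw]
    external = HaVipPlan("external", "vpc-example", "vsw-untrust", "10.0.1.0/24", zone,
                         "10.0.1.100", untrust, eip_id="eip-example")
    internal = HaVipPlan("internal", "vpc-example", "vsw-trust", "10.0.2.0/24", zone,
                         "10.0.2.100", trust, route_table_id="vtb-servers",
                         server_vswitch_id="vsw-servers")
    return [external, internal]


if __name__ == "__main__":
    for plan in example_plans():
        for problem in validate(plan):
            print("PROBLEM:", problem)
        for call in api_calls(plan):
            print(call)
```

Run validate() on both plans before touching the console or the API; a non-empty list means the deployment would fail or, worse, bind interfaces the HAVIP can never forward to. The binding is deliberately emitted per ENI rather than per instance, for the reason given above: binding an instance uses its primary interface, which on a VM-Series firewall is Management.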
The VM-Series firewalls are configured in active/passive HA mode with configuration sync enabled. In this case, the Untrust and Trust interfaces are configured statically. The Untrust interface will be configured with the private IP address of the External HAVIP, while the Trust interface will be configured with the private IP address of the Internal HAVIP. As configuration sync is enabled, when a failover occurs, the newly active VM-Series firewall will use the same set of IP addresses for its Untrust and Trust interfaces.
The route table in the VM-Series firewall will need to include the default route via the Untrust interface, and a route to the server subnet via the Trust interface.
NAT rules need to be configured for Inbound and Outbound traffic.
For Inbound traffic, the NAT rule will have a destination address match on the private IP address of the External HAVIP. This destination address will be translated to the web server address by the NAT rule. Source translation is not required, so the server will see the actual public IP address of the client.
For Outbound traffic, the SNAT rule will match the source addresses of the servers and translate them to the private IP address of the External HAVIP. Alibaba Cloud will in turn translate that private address to the public IP address (EIP) bound to the External HAVIP.
The web server can be accessed via the public IP address of the External HAVIP. You can see in the following diagrams that the client can successfully access the web server, and that the web server sees the public IP address of the client.
When the Internet is accessed from the server, the source IP address seen by the remote site is the public IP address of the External HAVIP.
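Because the inbound and outbound paths each pass through two translation points (the firewall's NAT rule and the EIP-to-HAVIP translation done by Alibaba Cloud), it is worth tracing exactly which addresses a packet carries at each hop. The script below is an added example and not the firewall's NAT configuration or any vendor code: it models the two NAT rules described above as a small first-match rule table, adds the cloud-side EIP stage, and traces one inbound and one outbound flow through both. All addresses are constructed placeholders from the documentation ranges.

```python
"""Trace of the address translations on the inbound and outbound paths.

Added example, not the firewall's NAT configuration. Models the inbound
destination NAT on the External HAVIP private address, the outbound source
NAT to that same address, and the EIP <-> HAVIP translation performed by
Alibaba Cloud. Addresses are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXT_HAVIP_PRIVATE = "10.0.1.100"   # External HAVIP = Untrust interface address
EXT_HAVIP_EIP = "203.0.113.10"     # EIP bound to the External HAVIP
WEB_SERVER = "10.0.2.20"
SERVER_SUBNET = "10.0.2.0/24"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    zone_from: str   # zone the packet arrives on: "untrust" or "trust"


@dataclass(frozen=True)
class NatRule:
    name: str
    zone_from: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dnat_to: Optional[str] = None
    snat_to: Optional[str] = None


def _match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


RULES: List[NatRule] = [
    # Inbound: match the HAVIP private address and translate only the destination,
    # so the web server still sees the client's real public address.
    NatRule("inbound-web", "untrust", "any", f"{EXT_HAVIP_PRIVATE}/32", dnat_to=WEB_SERVER),
    # Outbound: match the server subnet and translate the source to the HAVIP address.
    NatRule("outbound-snat", "trust", SERVER_SUBNET, "any", snat_to=EXT_HAVIP_PRIVATE),
]


def firewall_nat(flow: Flow, rules: List[NatRule] = RULES) -> Tuple[Optional[str], Flow]:
    """Top-down evaluation, first matching rule wins; returns (rule name, flow)."""
    for rule in rules:
        if (rule.zone_from == flow.zone_from
                and _match(rule.src, flow.src) and _match(rule.dst, flow.dst)):
            out = flow
            if rule.dnat_to:
                out = replace(out, dst=rule.dnat_to)
            if rule.snat_to:
                out = replace(out, src=rule.snat_to)
            return rule.name, out
    return None, flow


def eip_stage(flow: Flow, direction: str) -> Flow:
    """Alibaba Cloud's translation between the EIP and the HAVIP private address."""
    if direction == "inbound" and flow.dst == EXT_HAVIP_EIP:
        return replace(flow, dst=EXT_HAVIP_PRIVATE)
    if direction == "outbound" and flow.src == EXT_HAVIP_PRIVATE:
        return replace(flow, src=EXT_HAVIP_EIP)
    return flow


def trace_inbound(client_ip: str, dport: int = 80) -> List[Tuple[str, Flow]]:
    """Client -> EIP -> (cloud) -> HAVIP private -> (firewall DNAT) -> web server."""
    at_eip = Flow(client_ip, EXT_HAVIP_EIP, dport, "untrust")
    at_fw = eip_stage(at_eip, "inbound")
    rule, at_server = firewall_nat(at_fw)
    return [("from client", at_eip), ("after EIP", at_fw), (f"after rule {rule}", at_server)]


def trace_outbound(server_ip: str, remote_ip: str, dport: int = 443) -> List[Tuple[str, Flow]]:
    """Server -> (firewall SNAT) -> HAVIP private -> (cloud) -> EIP -> Internet."""
    at_fw = Flow(server_ip, remote_ip, dport, "trust")
    rule, at_havip = firewall_nat(at_fw)
    on_internet = eip_stage(at_havip, "outbound")
    return [("from server", at_fw), (f"after rule {rule}", at_havip), ("after EIP", on_internet)]


if __name__ == "__main__":
    for label, f in trace_inbound("198.51.100.7") + trace_outbound(WEB_SERVER, "192.0.2.9"):
        print(f"{label:24s} {f.src} -> {f.dst}:{f.dport}")
```

The inbound trace ends with the client's address untouched and the destination rewritten to the web server, which is why the server logs show the real client IP; the outbound trace ends with the EIP as the source, which is what a remote site sees. If a rule is inserted above inbound-web that also matches the HAVIP address, first-match evaluation changes the result, so check the trace again after any rule reordering.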
A ping test was started on the server, and the active VM-Series firewall was then suspended. The passive VM-Series firewall then became active. In the ping test, about 11 pings were dropped before traffic resumed, so the failover time is around 11 seconds.
In conclusion, two VM-Series firewalls can be deployed on Alibaba Cloud in active/passive HA mode with Alibaba Cloud HAVIP to provide high availability. This provides session and configuration sync between the two VM-Series firewalls. However, this only works in a single Availability Zone. If an increase in capacity is required, the VM-Series firewalls need to be scaled up, e.g. VM300 → VM500.
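Counting lost pings by eye is error-prone when the test runs for a while, and the number only becomes a failover time once it is multiplied by the ping interval. The script below is an added example, not from the original post: it reads the icmp_seq numbers in ping output, reports every run of missing replies, and takes the longest run as the observed failover time. SAMPLE_PING is constructed output in which replies 5 through 15 are missing, reproducing the eleven lost pings observed in the test above; feed it captured ping output from a real failover test instead.

```python
"""Measure the HA failover gap from ping output.

Added example, not from the original post. Reads the icmp_seq numbers in
ping output and reports each run of missing replies; the longest run times
the ping interval is the observed failover time. SAMPLE_PING is constructed.
"""
import re
from typing import List, Tuple

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

# Constructed ping output: replies 5..15 are missing (11 lost pings).
SAMPLE_PING = "\n".join(
    [f"64 bytes from 203.0.113.1: icmp_seq={i} ttl=54 time=1.9 ms" for i in range(1, 5)]
    + [f"64 bytes from 203.0.113.1: icmp_seq={i} ttl=54 time=2.1 ms" for i in range(16, 21)]
)


def outages(ping_output: str, interval: float = 1.0) -> List[Tuple[int, int, float]]:
    """Return (first lost seq, last lost seq, seconds) for each gap in the replies.

    Only gaps between two received replies are counted; a trailing loss with
    no reply after it cannot be bounded and is not reported.
    """
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(ping_output)]
    gaps: List[Tuple[int, int, float]] = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            lost = cur - prev - 1
            gaps.append((prev + 1, cur - 1, lost * interval))
    return gaps


def failover_time(ping_output: str, interval: float = 1.0) -> float:
    """Longest outage in seconds; 0.0 when no reply is missing."""
    return max((gap[2] for gap in outages(ping_output, interval)), default=0.0)


if __name__ == "__main__":
    for first, last, secs in outages(SAMPLE_PING):
        print(f"lost icmp_seq {first}-{last}: {secs:.0f} s")
    print(f"failover time: {failover_time(SAMPLE_PING):.0f} s")
```

If the test was run with a shorter interval (for example ping -i 0.2 for finer resolution), pass that interval so the gap is reported in seconds rather than in packets. Because the measurement only sees gaps between received replies, run the ping until replies have resumed before stopping it.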
The VM-Series firewalls used in the testing have four network interfaces: Management, Untrust, Trust and HA2. On most Alibaba Cloud instance types, the 4 vCPU instance types provide three network interfaces. The 8 vCPU instance types and above provide four or more network interfaces.
If 4 vCPU instance types need to be used, the VM-Series firewalls will need to be deployed in one-arm mode as there can only be 3 network interfaces attached to each firewall. Inbound and outbound traffic will traverse the same data interface.