HA4 Clustering to present a single NAT IP across two Data Centres


L2 Linker

Can anyone who is using the HA4 cluster in production to present the same external NAT IP across 2 data centers give any advice on how they are doing the routing? I saw in the docs that some of the security functions don't work if the traffic is asymmetric. Obviously the easy answer is to push all the traffic to one DC. Is that how people do it, or is there a way to load balance across them?


I am keen to hear about people's experience with the feature and if they have had any issues with it. Currently I have two separate IP ranges for the two DCs and flip-flop between them, but that is a pain.


L5 Sessionator

It's important to note that HA Clustering is not the same thing as Active/Active HA. You are correct in that there is no L7 inspection support for asymmetrical traffic.


My customers using this feature are from a failover / disaster recovery scenario, so not load balancing traffic across two datacenters. 


If you are trying to utilize it for horizontal scaling to get the above scenario working, we would recommend a load balancer sandwich, which is another way of saying NAT'ing the DCs to be the same public IP and load balancing with HA Clustering is not a supported use case at this time, but with additional devices you could achieve the functionality.


Failover/DR is my primary driver for this feature. I want the same IP to be used at both of the DCs so that it doesn't affect the IP address that our partners have whitelisted. What I am unsure of is, if the address is pinned to one site or floating, how do we make the inside and outside routing line up so things are symmetric?

L5 Sessionator

You use a load balancer sandwich where the northern/outside LB is floating the IP between the DC connections to the NGFWs. LBs behind the NGFWs to keep flow symmetric (or rerouting when the wire fails). 


That is, you need the DC LBs to be connected to the opposing NGFWs as well as their local, and both DC NGFWs to the northern LB. 
