Traffic inspection in AWS using GWLB and HA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Traffic inspection in AWS using GWLB and HA

L1 Bithead

Hello Team,

 

We are implementing Traffic Inspection in AWS using the Inspection VPC , TGW and  GWLB architecture. We would need to ensure upon device failure/reboot inflight sessions are not terminated.  We use VM Series 11.

 

The official documentation has a section "Enable Session Resiliency on VM-Series for AWS" to achieve this which leverages Redis.

 

On the other side all we want to achieve is HA. In case one device fails the other can take over existing sessions.

The other architectures for inspection either use 1-1 device in each AZs or leverage ASG with multiple devices between them, but as I understand session data will only be synchronized automatically in an HA setup between the devices.

 

If all we want to achieve is traffic inspection (in inspection VPC) and an HA that in case the device fails all sessions remain intact i.e. would not break,  cannot we deploy an HA pair of devices (in one AZ) with the network interface move option and set the 'moving' ENI as target IP for the GWLB in the inspection VPC?  (If multi-AZ is required then set up a similar in a different AZ as well.)

 

With this in case the primary device fails session data is available to the standby one and the ENI is migrated to the second device and the GWLB would still continue to route to the same IP (The HA moving one).

 

I have not seen such design anywhere so I wonder if that is supported or whether in the case of centralized inspection setup losing session data during a potential PAN device failure is not causing disruption to inflight sessions.

 

Thank you for your help in advance

Regards

Imre

1 accepted solution

Accepted Solutions

L1 Bithead

Hi All,

 

We understand the above is not documented/mentioned anywhere so we are working on implementing the solution that utilizes Redis as mentioned in "Enable Session Resiliency on VM-Series for AWS" section of the documentation. This seems to be so recent addition that I have not found walkthrough or sample code repo for it as all sample codes use up till ASG setup but not Redis but we try to implement this then.

 

Thank you

Regards

Imre

View solution in original post

2 REPLIES 2

L1 Bithead

Just to illustrate my question - is it supported / necessary that in a design like below:

szaboi_0-1715429718953.png

 

We deploy and HA pair in place of each of the VM-Series shown above to have session data maintained to protect against device failure

szaboi_1-1715429786155.png

Getting a setup where GWLB routes to HA endpoints (interfaces) not to the eth0 of each device

L1 Bithead

Hi All,

 

We understand the above is not documented/mentioned anywhere so we are working on implementing the solution that utilizes Redis as mentioned in "Enable Session Resiliency on VM-Series for AWS" section of the documentation. This seems to be so recent addition that I have not found walkthrough or sample code repo for it as all sample codes use up till ASG setup but not Redis but we try to implement this then.

 

Thank you

Regards

Imre

  • 1 accepted solution
  • 2344 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!