Traffic inspection in AWS using GWLB and HA

L1 Bithead

Hello Team,

We are implementing Traffic Inspection in AWS using the Inspection VPC, TGW and GWLB architecture. We would need to ensure that upon device failure/reboot in-flight sessions are not terminated. We use VM-Series 11.

The official documentation has a section "Enable Session Resiliency on VM-Series for AWS" to achieve this which leverages Redis.

On the other side all we want to achieve is HA. In case one device fails the other can take over existing sessions.

The other architectures for inspection either use a 1:1 device in each AZ or leverage an ASG with multiple devices between them, but as I understand it, session data will only be synchronized automatically in an HA setup between the devices.

If all we want to achieve is traffic inspection (in the inspection VPC) and an HA such that, in case a device fails, all sessions remain intact (i.e. would not break), can we not deploy an HA pair of devices (in one AZ) with the network interface move option and set the 'moving' ENI as the target IP for the GWLB in the inspection VPC? (If multi-AZ is required, then set up a similar pair in a different AZ as well.)

With this, in case the primary device fails, session data is available to the standby one, the ENI is migrated to the second device, and the GWLB would still continue to route to the same IP (the HA moving one).

I have not seen such a design anywhere, so I wonder if that is supported, or whether in the case of a centralized inspection setup losing session data during a potential PAN device failure does not cause disruption to in-flight sessions.

Thank you for your help in advance

Regards

Imre
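Whichever of the two designs is chosen (an HA pair behind one floating ENI IP per AZ, or several appliances behind the GWLB), the failure case the question is about shows up operationally as the GWLB target group losing healthy targets in an AZ. The check below is an added example by the editor, not code from the original post or from Palo Alto Networks or AWS. It evaluates the plain-dict shape that boto3's `elbv2.describe_target_health()` returns (the `TargetHealthDescriptions` list with `Target.Id`, `Target.Port`, `Target.AvailabilityZone` and `TargetHealth.State`) and reports which AZs would be left without a healthy inspection target; the sample response, the IP addresses and the AZ names are constructed, and port 6081 is the GENEVE port GWLB targets listen on.

```python
"""Per-AZ healthy-target check for a GWLB inspection target group.

Added example (not from the original post). Works on the dict shape of
boto3's elbv2.describe_target_health(); no AWS call is made here, the
response below is constructed so the script runs offline.
"""
from collections import defaultdict

# Constructed sample: IP targets in two AZs, GENEVE port 6081.
# A real run would use: boto3.client("elbv2").describe_target_health(
#     TargetGroupArn="<target group ARN>")   # ARN is a placeholder
SAMPLE_RESPONSE = {
    "TargetHealthDescriptions": [
        {"Target": {"Id": "10.10.1.10", "Port": 6081,
                    "AvailabilityZone": "eu-west-1a"},
         "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "10.10.1.11", "Port": 6081,
                    "AvailabilityZone": "eu-west-1a"},
         "TargetHealth": {"State": "unhealthy",
                          "Reason": "Target.FailedHealthChecks"}},
        {"Target": {"Id": "10.10.2.10", "Port": 6081,
                    "AvailabilityZone": "eu-west-1b"},
         "TargetHealth": {"State": "unhealthy",
                          "Reason": "Target.FailedHealthChecks"}},
    ]
}


def healthy_targets_per_az(response):
    """Group target IDs by AZ into 'healthy' and 'other' (any non-healthy state)."""
    per_az = defaultdict(lambda: {"healthy": [], "other": []})
    for desc in response.get("TargetHealthDescriptions", []):
        target = desc["Target"]
        # AvailabilityZone is present for IP targets; 'all' means cross-zone.
        az = target.get("AvailabilityZone", "unknown")
        state = desc.get("TargetHealth", {}).get("State", "unknown")
        bucket = "healthy" if state == "healthy" else "other"
        per_az[az][bucket].append(target["Id"])
    return dict(per_az)


def find_at_risk_azs(response, min_healthy=1):
    """Return the sorted list of AZs with fewer than min_healthy healthy targets.

    min_healthy=1 flags AZs where inspection has already failed over to
    nothing; min_healthy=2 flags AZs that would lose inspection on the
    next single appliance failure (N+1 view).
    """
    per_az = healthy_targets_per_az(response)
    return sorted(az for az, buckets in per_az.items()
                  if len(buckets["healthy"]) < min_healthy)


def report(response, min_healthy=1):
    """Human-readable summary, one line per AZ, for an operator or alert body."""
    lines = []
    for az, buckets in sorted(healthy_targets_per_az(response).items()):
        flag = "AT RISK" if len(buckets["healthy"]) < min_healthy else "ok"
        lines.append(f"{az}: healthy={buckets['healthy']} "
                     f"not-healthy={buckets['other']} -> {flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE, min_healthy=1):
        print(line)
```

With the floating-ENI design from the question, each AZ presents a single IP target to the GWLB, so `min_healthy=2` will always flag every AZ; that is expected, because the redundancy in that design lives inside the HA pair rather than in the target group. With an ASG or multiple standalone appliances per AZ the `min_healthy=2` view is the one to alert on.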

Accepted Solutions

L1 Bithead

Hi All,

We understand the above is not documented/mentioned anywhere, so we are working on implementing the solution that utilizes Redis as mentioned in the "Enable Session Resiliency on VM-Series for AWS" section of the documentation. This seems to be such a recent addition that I have not found a walkthrough or sample code repo for it, as all sample code goes up to the ASG setup but not Redis, but we will try to implement this then.

Thank you

Regards

Imre

2 REPLIES

L1 Bithead

Just to illustrate my question: is it supported / necessary that in a design like the one below:

[image: szaboi_0-1715429718953.png]

we deploy an HA pair in place of each of the VM-Series shown above, to have session data maintained to protect against device failure:

[image: szaboi_1-1715429786155.png]

getting a setup where the GWLB routes to the HA endpoints (interfaces), not to the eth0 of each device.
