04-30-2024 08:49 AM - edited 04-30-2024 08:50 AM
Hello all,
I've got a customer that had an FTDv in Azure and they're moving it to an HA setup with load balancers on the front and back ends. They currently have a few site-to-site VPNs that terminate on the FTDv. Is there anything to be aware of when moving to the HA setup, or would it simply be a 2nd VPN to the HA FTDv?
Best, Leigh
04-30-2024 09:00 AM
HA - Active standby or Active / Active ?
If this is Active/Standby you can just configure the basic config and join it to the Active ASA - no further configuration required.
If you are looking at a Load Balancer, check some guidelines:
04-30-2024 09:03 AM
Can you elaborate more?
Thanks
MHM
04-30-2024 09:19 AM
Running through this guide:- https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439
We need to move the single FTDv behind a load balancer in Azure, see this diagram:-
The FTDvs won't be in HA as such, as you can't do HA in Azure, but you can push traffic through both FTDvs via a load balancer with some NATing to make sure the traffic comes back to the right firewall.
My question is how would you build a S2S VPN in such a setup? I'm presuming, as it's not a failover, it's a VPN to both FTDv firewalls.
Best, Leigh
05-30-2024 01:07 PM
Hey Leigh, our company is currently implementing the same solution in Azure. Two active FTDv firewalls in a network hub sandwiched between an external and internal load balancer. Did you determine which device to build the S2S VPN tunnel on? I'm trying to plan this out and realized I'll probably run into the same issue. Doesn't all inbound network traffic from the internet hit the External LB in this set up?
Is an express route gateway required?
05-31-2024 04:08 AM
Hi there,
We're actually implementing and testing next week, so I'll let you know how we get on. In our design, I've put 2 outside interfaces on the firewalls, one that will take load balanced inbound traffic via the External LB and one dedicated just to the firewall, so if we need to terminate VPNs on it specifically, we can.
The plan is that all inbound traffic will hit the External LB, but there's not a lot of inbound traffic as we're not hosting services out of that bit of the infrastructure, so we may end up removing the External LB to save on costs.
We've got an ExpressRoute internally that links the site(s) up into Azure, before they egress to the Internet over the new LB setup.
Best, Leigh
06-06-2024 01:31 PM
Hi there,
I am trying to achieve the same scenario, where I need to create a tunnel with both of the Azure FTDvs behind the external and internal LB. By any chance, can you let me know if you were able to get it sorted?
Thanks,