Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
460
Views
3
Helpful
6
Replies

S2S VPN to HA FTDv in Azure

leighharrison
Level 7
Level 7

‎04-30-2024 08:49 AM - edited ‎04-30-2024 08:50 AM

Hello all,

I've got a customer that had an FTDv in Azure and they're moving it to an HA setup with load balancers on the front and back ends.  They currently have a few site to site VPN's that terminate on the FTDv, is there anything to be aware of when moving to the HA setup, or would it simply be a 2nd VPN to the HA FTDv?

Best, Leigh

1 person had this problem
Labels:
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎04-30-2024 09:00 AM

HA - Active standby or Active / Active ?

if this is Active / Standby you can just configure basic config and join to Active ASA - no configuration required.

if you looking Load Balancer check some guide lines :

https://blogs.cisco.com/security/cisco-secure-firewall-to-support-microsoft-azure-gateway-load-balancer

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World
VIP
VIP

‎04-30-2024 09:03 AM

Can yoh more elaborate 

Thanks 

MHM

0 Helpful

leighharrison
Level 7
Level 7
In response to MHM Cisco World

‎04-30-2024 09:19 AM

Running through this guide:- https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439

We need to move the single FTDv behind a load balancer in Azure, see this diagram:-

leighharrison_0-1714493758513.png

The FTDv's won't be in HA, as such, as you can't HA in Azure, but you can push traffic through both FTDv's via a load balancer with some NATing to make sure the traffic comes back to the right firewall.

My question is how would you build a S2S VPN in such a setup? I'm presuming, as it's not a failover, it's a VPN to both FTDv firewalls.

Best, Leigh

 

0 Helpful

abrockmiller24
Level 1
Level 1

‎05-30-2024 01:07 PM

Hey Leigh, our company is currently implementing the same solution in Azure. Two active FTDv firewalls in a network hub sandwiched between an external and internal load balancer. Did you determine which device to build the S2S VPN tunnel on? Im trying to plan this out and realized I'll probably run into the same issue. Doesn't all inbound network traffic from the internet hit the External LB in this set up?

Is an express route gateway required?

0 Helpful

leighharrison
Level 7
Level 7
In response to abrockmiller24

‎05-31-2024 04:08 AM

Hi there,

We're actually implementing and testing next week, so I'll let you know how we get on.  In our design, I've put 2 outside interfaces on the firewalls, one that will take load balanced inbound traffic via the External LB and one dedicated just to the firewall so if we need to terminate VPN's on it specifically, we can.

The plan is that all inbound traffic will hit the External LB, but there's not a lot of inbound traffic as we're not hosting services out of that bit of the infrastructure, so we may end up removing the External LB to save on costs.

We've got an ExpressRoute internally that links the site(s) up into Azure, before they egress to the Internet over the new LB setup.

Best, Leigh

kmayani
Level 1
Level 1
In response to leighharrison

‎06-06-2024 01:31 PM

HI there,

I am trying to achive the same scenario where i need to create tunnel with both the azure FTDV behind the external and internal LB. By any chance can you let me know if you are able to get it sorted. 

Thanks,

0 Helpful
Customers Also Viewed These Support Documents