How to Configure a High Availability Cluster in Azure via Web Portal and ASM

To safeguard against hardware and software failures in the Azure cloud, use a high availability (HA) setup. The Barracuda NextGen Firewall F-Series units are deployed in an Azure availability set in a cloud service, which guarantees that the two virtual machines run in different fault domains of the Azure datacenter. Both systems are connected to the same Azure virtual network and use static internal IP addresses (DIPs). An Azure load-balanced endpoint (a layer 4 load balancer) can be used to offer TCP- and UDP-based services on the VIP. For the backend servers to use the F-Series Firewall as their default gateway, Azure User Defined Routing must be configured. When a failover occurs, the F-Series Firewall changes the default route of the backend subnets to point at the F-Series Firewall the virtual server is now running on. This removes the requirement for the Azure Connectivity Agent.

Azure (load-balanced) endpoints can only be used for TCP- and UDP-based services. All other IP protocols (ICMP, ESP, ...) are blocked, so an IPsec tunnel that relies on ESP cannot be passed through an endpoint.

Connecting to Services and Managing the HA Cluster in the Azure Cloud

Accessing Services in Azure / on the F-Series Firewall
Create a load-balanced endpoint for each service accessed on or behind the F-Series Firewall in Azure.

Management Access
If you are not using a Barracuda NextGen Control Center to manage your F-Series Firewalls, use the following approach to reach both VMs with NG Admin:
1. Create an endpoint on port TCP/807 to manage the primary F-Series Firewall. This exposes the management port to the Internet, so restrict the endpoint to your administrative source addresses (for example with an Azure endpoint ACL).
2. Configure a Client-to-Site VPN. You can then reach the static internal IP address of the secondary F-Series Firewall through the Client-to-Site VPN.

Before You Begin
Install Windows PowerShell for Azure version 0.9.7 or later (http://azure.microsoft.com/en-us/downloads/ [1]).
Step 1. Create an Azure Wide Virtual Network

Public Instance Level IPs (PIPs) require a wide Virtual Network (wide VNET). Wide VNETs use the Location tag instead of the AffinityGroup and cannot be created using the web interface; they are created by importing a network configuration file.

1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com [2]).
2. In the left menu, click on NETWORKS.
3. Click EXPORT in the bottom pane to download the current network configuration as an XML file. You are prompted to save the NetworkConfig.xml file.
4. Edit the network configuration XML file and add a definition for the wide Virtual Network. Alternatively, you can also modify an existing Virtual Network. The frontend subnet is for the two firewall VMs, the backend subnet for the servers behind them:

    [...]
    <VirtualNetworkSite name="widevnet" Location="West Europe">
      <AddressSpace>
        <AddressPrefix>10.0.0.0/16</AddressPrefix>
      </AddressSpace>
      <Subnets>
        <Subnet name="frontend">
          <AddressPrefix>10.0.20.0/24</AddressPrefix>
        </Subnet>
        <Subnet name="backend">
          <AddressPrefix>10.0.30.0/24</AddressPrefix>
        </Subnet>
      </Subnets>
    </VirtualNetworkSite>
    [...]

5. In the lower left-hand corner, click + NEW > NETWORK SERVICES > VIRTUAL NETWORK > IMPORT CONFIGURATION. The IMPORT NETWORK CONFIGURATION FILE window opens.
6. Select the modified network configuration XML file and click Next.
7. Verify the changes to your Virtual Networks and click OK.
8. Click OK.

Your VNET is now listed in the NETWORKS section.

Step 2. Create an Azure Cloud Service

Create a cloud service. The Barracuda NextGen Firewalls will be deployed in the same cloud service so you can later assign both virtual machines to the same availability set.

1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com [3]).
2. In the left pane, click on CLOUD SERVICES.
3. In the lower left-hand corner, click + NEW > COMPUTE > CLOUD SERVICE > CUSTOM CREATE.
4. Enter the URL for the cloud service. E.g., BarracudaNGCloudService
5. Select a REGION OR AFFINITY GROUP for the cloud service. Use the region of the wide VNET created in Step 1. E.g., West Europe
6. Click OK.

You now have a cloud service located in the Azure datacenter of your choice.

Step 3. Deploy Two Barracuda NextGen Firewalls

Deploy two firewall virtual machines in the Microsoft Azure cloud, using:
- The cloud service created in Step 2
- The VNET and frontend subnet created in Step 1

Optional: Depending on the deployment method, you may also assign static internal IP addresses to the NextGen Firewalls during deployment. For more information, see Microsoft Azure Deployments using Azure Service Manager (ASM).
Step 4. Assign Static Internal IP Addresses to the Firewall VMs

The Azure virtual machine automatically reboots after a static IP address is assigned.

You must use static internal IP addresses to be able to create a high availability cluster. Choose free IP addresses in the frontend subnet of the Virtual Network for both F-Series Firewalls.

1. Open a Windows Azure PowerShell.
2. Check whether the chosen IP address is available:

    Test-AzureStaticVNetIP -VNetName <your Azure virtual network name> -IPAddress <your chosen static internal IP address>

   The result must report IsAvailable as True; otherwise choose one of the addresses listed under AvailableAddresses.
3. Save the virtual machine to a local variable:

    $staticvm = Get-AzureVM -ServiceName <Cloud Service name of your NG> -Name <virtual machine name>

4. Change the internal IP address of the virtual machine from dynamic to static and apply the change (Update-AzureVM needs the modified VM object, so pipe it in):

    Set-AzureStaticVNetIP -VM $staticvm -IPAddress <your chosen static internal IP address> | Update-AzureVM

   The F-Series Firewall automatically reboots.
5. Repeat the procedure for the secondary unit, using a different IP address from the same subnet.

Both firewall VMs are now assigned static internal IP addresses.
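The whole of Step 4 as one script for the classic (ASM) Azure PowerShell module, added here as an example; it is not code from the Barracuda article. The cloud service name BarracudaNGCloudService, the VNET name widevnet and the addresses 10.0.20.6 and 10.0.20.7 follow this article's examples; the VM names NG-FW-1 and NG-FW-2 are assumptions, so replace them with yours. It adds the checks the portal steps leave implicit: the module version required under Before You Begin, the IsAvailable result of Test-AzureStaticVNetIP, skipping a VM whose static address is already set (which avoids a needless reboot), and a read-back of both addresses at the end.

```powershell
# Added example (not from the Barracuda article): assign static internal IPs (DIPs) to both
# firewall VMs with the classic Azure PowerShell module, checking availability first.
# Service, VNET and addresses follow the article; the VM names are assumptions.
$vnetName    = 'widevnet'
$serviceName = 'BarracudaNGCloudService'
$firewalls   = @(
    @{ Name = 'NG-FW-1'; IPAddress = '10.0.20.6' },   # primary   (assumed VM name)
    @{ Name = 'NG-FW-2'; IPAddress = '10.0.20.7' }    # secondary (assumed VM name)
)

# Before You Begin: the article requires Azure PowerShell 0.9.7 or later.
$azure = Get-Module -ListAvailable -Name Azure | Sort-Object Version -Descending | Select-Object -First 1
if (-not $azure -or $azure.Version -lt [Version]'0.9.7') {
    throw "Azure PowerShell 0.9.7 or later is required (found: $($azure.Version))"
}

function Set-FirewallStaticIP {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$VNetName
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' not found in cloud service '$ServiceName'" }

    # Already static with this address? Nothing to do, and no reboot.
    $current = Get-AzureStaticVNetIP -VM $vm
    if ($current -and $current.IPAddress -eq $IPAddress) {
        Write-Host "$VMName already has static DIP $IPAddress"
        return
    }

    # The address must be free in the VNET. An address this same VM currently holds as a
    # dynamic lease may be reported as unavailable, which is fine: we are making it static.
    $test = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
    if (-not $test.IsAvailable -and $vm.IpAddress -ne $IPAddress) {
        throw "$IPAddress is in use. Free addresses: $($test.AvailableAddresses -join ', ')"
    }

    # Converting the DIP from dynamic to static re-provisions the VM: expect a reboot.
    $vm | Set-AzureStaticVNetIP -IPAddress $IPAddress | Update-AzureVM | Out-Null
    Write-Host "$VMName now has static DIP $IPAddress (the VM is rebooting)"
}

foreach ($fw in $firewalls) {
    Set-FirewallStaticIP -ServiceName $serviceName -VMName $fw.Name -IPAddress $fw.IPAddress -VNetName $vnetName
}

# Verify: both VMs report the expected static address (this is what Step 5 will use as MIP).
foreach ($fw in $firewalls) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $fw.Name
    '{0,-10} static DIP: {1}' -f $fw.Name, (Get-AzureStaticVNetIP -VM $vm).IPAddress
}
```

Run it once per cloud service after Add-AzureAccount and Select-AzureSubscription; because the function returns early for an address that is already static, it is safe to re-run when only one of the two units needed the change.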
Step 5. Change the Network Configuration to Use the Static Internal IP Addresses

Change the network configuration of the primary and secondary firewall to use a static network interface.

Step 5.1 Reconfigure the Network Interface

Change the network interface type from dynamic to static.

1. Log into the primary firewall (via its PIP, or via the TCP/807 management endpoint described under Management Access).
2. Go to CONFIGURATION > Configuration Tree > Box > Network.
3. In the left menu, click on xdsl/dhcp/isdn.
4. Click Lock.
5. Delete the DHCP01 entry in the DHCP Links list.
6. Select No from the DHCP Enabled dropdown list.
7. Click Send Changes.
8. In the left menu, click on IP Configuration.
9. In the Management IP and Network section, in the Interface Name line, untick the Other checkbox.
10. Select eth0 from the Interface Name list.
11. Enter the static internal IP address assigned in Step 4 as the Management IP (MIP). E.g., 10.0.20.6
Step 5.2 Create the Default Route

Add the default route.

1. In the left menu, click on Routing.
2. Click + in the Routes table and configure the following settings:
   - Target Network Address: Enter 0.0.0.0/0
   - Route Type: Select gateway.
   - Gateway: Enter the first IP address of the subnet the F-Series Firewalls reside in, which Azure uses as the subnet gateway. E.g., 10.0.20.1 if the IP addresses of the units are 10.0.20.6 and 10.0.20.7
   - Trust Level: Select Unclassified.
3. Click OK.
4. Click Send Changes and Activate.

Step 5.3 Activate the Network Changes

Activate the changes to the network configuration.

1. Go to CONTROL > Box.
2. In the Network section of the left menu, click on Activate new network configuration.
3. Click Activate Now or Force.

Do not use a Failsafe network activation when changing the management IP address.
Step 5.4 Reconfigure the Secondary Unit

Complete Steps 5.1 to 5.3 for the secondary unit.

Both F-Series Firewall systems are now using static eth0 network interfaces (CONTROL > Network).

Step 6. Create a DHA Cluster Configuration

Create a DHA cluster configuration. For more information on DHA, see High Availability.

1. Log into the primary F-Series Firewall.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click on Box and select Create DHA Box.
4. Go to CONFIGURATION > Configuration Tree > HA Box > HA Network.
5. Select eth0 from the Interface Name list.
6. Enter the static IP address of the secondary F-Series Firewall as the Management IP (MIP). E.g., 10.0.20.7
7. In the left menu, select Routing.
8. Verify that the default route is present (0.0.0.0/0 via the subnet gateway, e.g., 10.0.20.1).
9. Click Send Changes and Activate.

Step 7. Deploy the HA PAR File to the Secondary Unit

Step 7.1 Create the PAR File for the HA Unit

1. Log into the primary F-Series Firewall unit.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click on Box and select Create PAR file for HA box. You are prompted to save the boxha.par file.

Step 7.2 Deploy the PAR File on the Secondary Unit

1. Log into the secondary F-Series Firewall unit.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click on Box and select Restore from PAR file.
4. Choose the boxha.par file created in Step 7.1.
5. Click Activate.
6. Go to CONTROL > Box.
7. In the left menu, in the Network section, click on Activate new network configuration.
8. Click Failsafe.
9. In the left menu, in the Operating System section, click Firmware Restart.

The F-Series Firewall systems are now in a high availability cluster.

Step 7.3 Set the Active and Backup Unit for the Virtual Server

Standalone F-Series Firewalls

1. Log into the primary unit.
2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
3. Click Lock.
4. In the Virtual Server Definition section, define the primary unit and secondary unit:
   - Active Box: Select This-Box.
   - Backup Box: Select Other-Box.
5. Click Send Changes and Activate.

Managed F-Series Firewalls

1. Log in to your Control Center.
2. Go to your cluster in the NextGen Control Center > Virtual Servers > your virtual server > Server Properties.
3. Click Lock.
4. In the Virtual Server Definition section, define the primary unit and secondary unit:
   - Primary Box: The active system.
   - Secondary Box: The HA partner.
5. Click Send Changes and Activate.

Step 8. Add Both Firewall Virtual Machines to the Same Availability Set

The Azure virtual machine automatically reboots after it is assigned to a new availability set.

To protect against hardware failures, and to take advantage of the Microsoft Azure SLA for the compute cloud, both virtual machines must be in the same availability set. If you already placed the two F-Series Firewalls in an availability set during deployment, continue with Step 9.

1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com [4]).
2. In the left pane, click on VIRTUAL MACHINES.
3. Click on the primary firewall VM. The DASHBOARD opens.
4. In the top menu, click on CONFIGURE.
5. Select Create an availability set.
6. Enter the name for the AVAILABILITY SET. E.g., HA_SET
7. In the bottom pane, click SAVE. Wait for the changes to be applied. The virtual machine reboots.
8. Click on the secondary F-Series Firewall. The DASHBOARD opens.
9. In the top menu, click on CONFIGURE.
10. From the AVAILABILITY SET list, select the availability set created for the primary F-Series Firewall. E.g., HA_SET
11. In the bottom pane, click SAVE. Wait for the changes to be applied. The virtual machine reboots.

Both firewall VMs are now in the same availability set. Go to VIRTUAL MACHINES > your primary or secondary virtual machine > CONFIGURE: both virtual machines are listed below the AVAILABILITY SET list.

Step 9. Configure a Load-Balanced Endpoint

Create a load-balanced endpoint for each Internet-facing service you want to offer. E.g., a load-balanced endpoint for port UDP/691 if you are connecting via TINA to the VPN service on the HA cluster. Azure health probes support only TCP and HTTP. Because the virtual server, and with it the probed service, runs on only one unit at a time, the probe succeeds only on the active unit, so the load balancer directs the traffic for the VIP to whichever unit currently holds the virtual server.

1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com [5]).
2. In the left menu, click on VIRTUAL MACHINES.
3. Click on the primary firewall VM. The DASHBOARD opens.
4. In the top menu, click on ENDPOINTS.
5. Select ADD A STAND-ALONE ENDPOINT.
6. Click OK.
7. In the ADD ENDPOINT window, enter:
   - NAME: Enter a name for the endpoint.
   - PROTOCOL: Select TCP or UDP depending on your TINA configuration.
   - PUBLIC PORT: Enter the external port. E.g., 691
   - PRIVATE PORT: Enter the internal port. E.g., 691
   - CREATE A LOAD-BALANCED SET: Select the checkbox to enable load balancing for these ports.
8. Click NEXT.
9. Configure the load-balanced set:
   - LOAD-BALANCED SET NAME: Enter a name for the load-balanced endpoint.
   - PROBE PROTOCOL: Select TCP.
   - PROBE PORT: Enter the port the service is listening on internally. E.g., 691
   - PROBE INTERVAL: Enter the number of seconds between probes. Default: 5 sec
   - NUMBER OF PROBES: Enter how many probes must fail before the service is switched to the other unit. Default: 2
10. Click OK. The load-balanced endpoint is created.
11. Click on the secondary firewall VM. The DASHBOARD opens.
12. In the top menu, click on ENDPOINTS.
13. Select ADD AN ENDPOINT TO AN EXISTING LOAD-BALANCED SET.
14. Select the load-balanced set created for the primary unit.
15. Click NEXT.
16. Enter a NAME.
17. Click OK.

Step 10. Remove the SETUP-MGMT-ACCESS Access Rule

This redirect access rule is only needed during the initial setup. Delete it so that it does not remain as an unnecessary path to the management interface.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > S1 > Firewall > Forwarding Rules.
2. Click Lock.
3. Right-click on the SETUP-MGMT-ACCESS firewall rule and click Delete.
4. Click Send Changes and Activate.

Step 11. Configure Azure User Defined Routing

Azure User Defined Routing allows you to use the F-Series Firewall HA cluster in the frontend subnet as the default gateway for all your VMs running in the backend networks. You must enable IP forwarding for the F-Series Firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate and the Azure subscription ID, the F-Series Firewall VMs can change the Azure routing table on the fly when the virtual server fails over from one VM to the other.
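Steps 8 and 9 carried out with the classic (ASM) Azure PowerShell module instead of the portal, plus the TCP/807 management endpoint from the Management Access section restricted by an endpoint ACL. This is an added example, not code from the Barracuda article. The cloud service name, the availability set name HA_SET and port 691 follow the article; the VM names NG-FW-1 and NG-FW-2, the endpoint and load-balanced set names, and the administrator address 203.0.113.10/32 are assumptions. Unlike the portal steps, it waits for the primary to come back before touching the secondary and skips work that is already done, so it can be re-run.

```powershell
# Added example, not code from the Barracuda article: Steps 8 and 9 with the classic (ASM)
# Azure PowerShell module. VM, endpoint and set names and the admin address are assumptions.
$serviceName = 'BarracudaNGCloudService'
$firewalls   = @('NG-FW-1', 'NG-FW-2')      # primary first (assumed VM names)
$availSet    = 'HA_SET'
$adminCidr   = '203.0.113.10/32'            # assumed admin workstation (documentation range)

# --- Step 8: both VMs in one availability set. A VM reboots when its set changes, so the
# secondary is only touched after the primary reports ReadyRole again.
foreach ($name in $firewalls) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    if ($vm.AvailabilitySetName -eq $availSet) { continue }   # already a member: no reboot
    $vm | Set-AzureAvailabilitySet -AvailabilitySetName $availSet | Update-AzureVM | Out-Null
    do {
        Start-Sleep -Seconds 15
        $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    } until ($vm.InstanceStatus -eq 'ReadyRole')
}

# --- Step 9: one load-balanced endpoint per public service, added to BOTH VMs under the same
# LB set name. Probes are TCP or HTTP only. The virtual server (and so the VPN service) runs
# on one unit at a time, so the probe answers only on the active unit: the load balancer is
# what makes the VIP follow the virtual server.
$lbEndpoints = @(
    @{ Name = 'TINA-UDP'; Protocol = 'udp'; Port = 691; LBSet = 'lb-tina-udp' },
    @{ Name = 'TINA-TCP'; Protocol = 'tcp'; Port = 691; LBSet = 'lb-tina-tcp' }   # drop if unused
)
foreach ($name in $firewalls) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    $existing = @($vm | Get-AzureEndpoint | Select-Object -ExpandProperty Name)
    foreach ($ep in $lbEndpoints) {
        if ($existing -contains $ep.Name) { continue }
        # Azure requires the probe timeout to be at least twice the interval (minimum 11 s):
        # two missed probes at 5 s intervals move the service, matching the portal defaults.
        $vm = $vm | Add-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol `
                -PublicPort $ep.Port -LocalPort $ep.Port -LBSetName $ep.LBSet `
                -ProbeProtocol tcp -ProbePort $ep.Port `
                -ProbeIntervalInSeconds 5 -ProbeTimeoutInSeconds 11
    }
    $vm | Update-AzureVM | Out-Null
}

# --- Management Access: stand-alone TCP/807 endpoint on the primary only, limited to the
# admin address by an endpoint ACL. Once a Permit rule exists, every other source is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $adminCidr -Order 100 `
    -Description 'NG Admin from the administrator workstation only'
$primaryVm = Get-AzureVM -ServiceName $serviceName -Name $firewalls[0]
if (-not ($primaryVm | Get-AzureEndpoint | Where-Object { $_.Name -eq 'NGAdmin' })) {
    $primaryVm | Add-AzureEndpoint -Name 'NGAdmin' -Protocol tcp -PublicPort 807 -LocalPort 807 -ACL $acl |
        Update-AzureVM | Out-Null
}

# --- Verify: availability set membership and the load-balanced endpoints on each unit.
foreach ($name in $firewalls) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    '{0}: availability set = {1}' -f $name, $vm.AvailabilitySetName
    $vm | Get-AzureEndpoint | Where-Object { $_.LBSetName } |
        Format-Table Name, Protocol, Port, LocalPort, LBSetName, ProbeProtocol, ProbePort -AutoSize
}
```

The probe port is the service port itself, as in the portal steps; if your TINA clients use only UDP, remove the TCP entry from $lbEndpoints rather than leaving an unused public port open.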
Step 11.1 Configure User Defined Routes for Your VNET

Create a user defined routing table and enable IP forwarding for the two F-Series Firewall VMs. Assign this routing table to all subnets that use the F-Series Firewall HA cluster as the default gateway, but not to the frontend subnet the firewalls themselves reside in. For more information, see How to Configure Azure Route Tables (UDR) in Azure using PowerShell and ASM.
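Step 11.1 with the classic (ASM) Azure PowerShell module, added here as an example; it is not code from the Barracuda article or from the UDR article it refers to. The VNET name widevnet, the backend subnet, the region and the firewall DIPs 10.0.20.6 and 10.0.20.7 follow this article's examples; the route table name, route name and VM names are assumptions. The Set-DefaultRouteNextHop function performs by hand the route change that the F-Series units make themselves on failover once Step 11.4 is complete, which also makes it a failover test and an emergency fallback.

```powershell
# Added example, not code from the Barracuda article: Step 11.1 with the classic (ASM) Azure
# PowerShell module. Route table, route and VM names are assumptions; VNET, subnet and DIPs
# follow the article's examples.
$serviceName = 'BarracudaNGCloudService'
$vnetName    = 'widevnet'
$backendNet  = 'backend'                 # subnet from Step 1; NOT the frontend subnet
$location    = 'West Europe'
$tableName   = 'rt-backend'              # assumed
$routeName   = 'default-via-ngfw'        # assumed
$fwDips      = [ordered]@{ 'NG-FW-1' = '10.0.20.6'; 'NG-FW-2' = '10.0.20.7' }   # assumed VM names

# 1. IP forwarding on BOTH units. Without it Azure drops packets a VM forwards for other
#    destinations, so the backup unit must be ready before the route is ever pointed at it.
foreach ($name in $fwDips.Keys) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    Set-AzureIPForwarding -ServiceName $serviceName -VM $vm -Enable
}

# 2. The route table (created once; Get-AzureRouteTable without -Name lists all tables).
if (-not (Get-AzureRouteTable | Where-Object { $_.Name -eq $tableName })) {
    New-AzureRouteTable -Name $tableName -Location $location `
        -Label 'Default route for backend subnets via the NG firewall HA pair' | Out-Null
}

function Set-DefaultRouteNextHop {
    # 0.0.0.0/0 via the firewall that runs the virtual server. Set-AzureRoute creates or
    # updates the named route, so calling it again with the partner's DIP is exactly the
    # change the F-Series units make themselves on failover once Step 11.4 is configured.
    param([Parameter(Mandatory)][string]$NextHopIp)
    if (-not ($fwDips.Values -contains $NextHopIp)) { throw "$NextHopIp is not a firewall DIP" }
    Get-AzureRouteTable -Name $tableName |
        Set-AzureRoute -RouteName $routeName -AddressPrefix '0.0.0.0/0' `
            -NextHopType VirtualAppliance -NextHopIpAddress $NextHopIp | Out-Null
}
Set-DefaultRouteNextHop -NextHopIp $fwDips['NG-FW-1']     # the primary is active initially

# 3. Bind the table to every subnet that must use the HA pair as its default gateway. Never
#    bind it to the frontend subnet: the firewalls' own Internet traffic would loop back to them.
Set-AzureSubnetRouteTable -VirtualNetworkName $vnetName -SubnetName $backendNet -RouteTableName $tableName

# 4. Verify the route and the subnet binding.
(Get-AzureRouteTable -Name $tableName -Detailed).Routes
Get-AzureSubnetRouteTable -VirtualNetworkName $vnetName -SubnetName $backendNet

# Manual failover test, or emergency fix if the firewalls' own route update is unavailable:
# Set-DefaultRouteNextHop -NextHopIp $fwDips['NG-FW-2']
```

After Step 12, trigger a failover of the virtual server and re-run the verification lines: the NextHopIpAddress of the default route must have switched to the DIP of the unit that now runs the virtual server.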
Step 11.2 Create the Azure Management Certificate

For the F-Series Firewall to be able to connect to the Azure backend, you must create and upload a management certificate. A management certificate authenticates against the Azure Service Management API with the rights of the subscription, so treat its private key as an administrator credential: generate it on the firewall, do not copy the key anywhere else, and remove the certificate from the subscription when the cluster is decommissioned.

1. Log in to the firewall via SSH.
2. Create a self-signed certificate together with its private key (-nodes leaves the key unencrypted so the firewall can use it without a passphrase):

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

   Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface. Note the validity period: after 365 days the certificate expires and the route updates on failover stop working, so track its expiry date.
3. Convert the certificate to DER-encoded CER, as required by Azure. This file contains only the certificate, not the private key:

    openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer

   If you are using an OpenSSL version that generates PKCS#8 keys (the key in mycert.pem starts with -----BEGIN PRIVATE KEY----- rather than -----BEGIN RSA PRIVATE KEY-----), extract the RSA key separately:

    openssl rsa -in mycert.pem -out mycert.key.pem

   In this case, on the F-Series Firewall import mycert.pem as the Management Certificate and mycert.key.pem as the Management Key.

You now have two files: mycert.pem (certificate and private key, which stays on the firewall) and mycert.cer (the certificate alone, which is uploaded to Azure).

Step 11.3 Upload the Azure Management Certificate

1. Log into the Microsoft Azure Management Portal (https://manage.windowsazure.com [6]).
2. At the bottom of the left menu, click on SETTINGS.
3. In the top navigation, click on MANAGEMENT CERTIFICATES.
4. At the bottom, click UPLOAD.
5. Select the mycert.cer certificate created in Step 11.2 and click OK.

The management certificate is now listed with the Common Name of the certificate used as the Name.

Step 11.4 Configure User Defined Routing on Both F-Series Firewalls

You must enter your Azure subscription ID, the VNET name and the management certificate to allow the F-Series Firewall to change the Azure User Defined Routing table.

1. Log into the primary firewall.
2. Go to CONFIGURATION > Configuration Tree > Box > Network.
3. Click Lock.
4. In the left menu, expand the Configuration Mode section and click on Switch to Advanced View.
5. In the left menu, click Azure Networking.
6. Enter your Azure Subscription ID.
   Use Get-AzureSubscription in Azure PowerShell to display your SubscriptionId.
7. Enter the Virtual Network Name. E.g., widevnet
8. Next to Management Certificate, click Ex/Import and select Import from PEM File. The file browser window opens.
9. Select the mycert.pem certificate created in Step 11.2 and click Open.
10. Next to Management Key, click Ex/Import and select Import from File. The file browser window opens. Select the mycert.pem file created in Step 11.2 and click Open. If you are using an OpenSSL version that generates PKCS#8 keys, import the mycert.key.pem file as the Management Key instead.
11. Click Send Changes and Activate.
12. Go to CONFIGURATION > Configuration Tree > Box > HA Box > Network.
13. Click Lock.
14. In the left menu, expand the Configuration Mode section and click on Switch to Advanced View.
15. In the left menu, click Azure Networking.
16. Enter your Azure Subscription ID. Use Get-AzureSubscription in Azure PowerShell to display your SubscriptionId.
17. Enter the Virtual Network Name. E.g., widevnet
18. Next to Management Certificate, click Ex/Import and select Import from PEM File. The file browser window opens.
19. Select the mycert.pem certificate created in Step 11.2 and click Open.
20. Next to Management Key, click Ex/Import and select Import from File. The file browser window opens. Select the mycert.pem file created in Step 11.2 and click Open. If you are using an OpenSSL version that generates PKCS#8 keys, import the mycert.key.pem file as the Management Key instead.
21. Click Send Changes and Activate.
Step 12. Do a Soft Network Activation on Both Firewalls

1. Log into the primary firewall.
2. Go to CONTROL > Box.
3. In the left menu, expand the Network section and click Activate new network configuration.
4. Click Soft.
5. Log into the secondary firewall.
6. Go to CONTROL > Box.
7. In the left menu, expand the Network section and click Activate new network configuration.
8. Click Soft.

The Azure routing table is now updated every time the virtual server fails over.

Step 13. (Optional) Assign Public Instance Level IP Addresses to the Firewall Virtual Machines

To access both firewall virtual machines directly and individually, a Public Instance Level IP Address (PIP) must be assigned to each VM. PIPs can only be assigned and managed via Azure PowerShell and are currently not visible in the Microsoft Azure web interface. Once assigned to a VM, the PIP is used as the default source IP address for outgoing connections initiated by the F-Series Firewall. Unlike an endpoint, a PIP exposes the VM on all ports, so access to the management services must be restricted by the firewall's own rule set. For more information, see Reserved, Static and Public IP Addresses in the Azure Cloud using ASM.
Links
1. http://azure.microsoft.com/en-us/downloads/
2. https://manage.windowsazure.com/
3. https://manage.windowsazure.com/
4. https://manage.windowsazure.com/
5. https://manage.windowsazure.com/
6. https://manage.windowsazure.com/