Configure HA

After you have deployed two Secure SD-WAN Engines, configure high availability (HA).

Before you begin

  • To use HA, the Secure SD-WAN Engine must be able to resolve host names. Configure a DNS server in the Management Client component of the SMC.
  • In the Management Client, add a rule to the Engine Policy to allow HTTP connections from the Secure SD-WAN Engine to the AWS API, and from the AWS API to the Secure SD-WAN Engine.

For detailed instructions, see the Forcepoint FlexEdge Secure SD-WAN Product Guide.

HA requires Forcepoint FlexEdge Secure SD-WAN version 6.4.4 or higher.

In an HA configuration, one FlexEdge Secure SD-WAN instance acts as the default gateway for outbound traffic in one VPC. If the active FlexEdge Secure SD-WAN instance becomes unavailable, the other FlexEdge Secure SD-WAN instance becomes the default gateway.

The HA configuration consists of the following files:

  • run-at-boot script — The HA script that runs on each FlexEdge Secure SD-WAN instance. The script uses AWS API calls to enumerate the Route Tables of one or more subnets of a VPC and to change the FlexEdge Secure SD-WAN instance that acts as the default gateway in case of a failover.
  • policy.json — Example rules that you can copy and paste into the identity and access management (IAM) policy that allows the FlexEdge Secure SD-WAN instance to access the AWS API.

Steps

  1. Obtain the run-at-boot script and the policy.json file from https://github.com/Forcepoint/fp-NGFW-AWS-ha.
  2. Create an IAM policy to allow the FlexEdge Secure SD-WAN instance to access the AWS API.
    1. Open the AWS console, then select IAM from the Services drop-down list at the top of the page.
    2. From the menu on the left, select Policies.
    3. Click Create Policy.
    4. Copy the contents of the policy.json file and paste them into the web editor on the JSON tab.
    5. Click Review Policy.
    6. Enter a name and description for the policy.
    7. Click Create Policy.
  3. Create an IAM role that uses the IAM policy that you created.
    1. In the AWS console, select IAM from the Services drop-down list at the top of the page.
    2. From the menu on the left, select Roles.
    3. Click Create role.
    4. Under the service that will use this role, select EC2, then click Next.
    5. Attach the IAM policy that you created, then click Next.
    6. Click Review.
    7. Enter a name and description for the role, then click Create role.
  4. Attach the IAM role to the FlexEdge Secure SD-WAN instances in AWS.
    1. In the AWS console, select EC2 from the Services drop-down list at the top of the page.
    2. From the menu on the left, open the Instances page.
    3. Right-click the FlexEdge Secure SD-WAN instances on which you want to enable HA, then select Instance Settings > Attach/Replace IAM Role.
    4. From the drop-down list, select the role that you created, then click Apply.
  5. Perform these steps on each FlexEdge Secure SD-WAN instance:
    1. On your computer, open a terminal program, then enter the following command to open an SSH connection to the command line of the Secure SD-WAN Engine using the aws user account:
      ssh -i <your ssh private key>.pem aws@<aws instance public ip address>
    2. Create a /data/route-tables file and populate it with the “rtb-*” entries from the Route Tables to be configured with HA.
      Select the route tables of the subnets that use the HA Secure SD-WAN Engines as a default route. Enter each route table entry on a separate line.
      Example /data/route-tables file:
      rtb-0123456789
      rtb-0123456788
      rtb-0123456787
      rtb-0123456786
    3. Copy the run-at-boot script to the instance.
    4. If the FlexEdge Secure SD-WAN instance only has one interface, edit the run-at-boot script and change 1 to 0 in the following line:
      if interface['Attachment']['DeviceIndex'] == 1
    5. To move the run-at-boot script to the /data directory, enter the following command:
      mv run-at-boot /data
    6. To make the run-at-boot file executable, enter the following command:
      chmod +x /data/run-at-boot
    7. Edit the /data/run-at-boot file and change the region on the following line to the region that your instance is operating in:
      ec2 = boto3.resource('ec2', region_name='<region>',api_version='2016-09-15')
    8. To make sure that there are no errors, enter the following command to run the run-at-boot script manually:
      python /data/run-at-boot
    9. Reboot the Secure SD-WAN Engine.
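The following Python is an added, constructed illustration of the failover logic that a run-at-boot script of this kind performs: read the rtb-* IDs from /data/route-tables, find this instance's interface at the configured DeviceIndex, and repoint each table's 0.0.0.0/0 route at that interface. It is not the Forcepoint run-at-boot script from the GitHub repository, and the contents of policy.json are not on this page; the IAM actions named in the comments (ec2:DescribeNetworkInterfaces, ec2:DescribeRouteTables, ec2:ReplaceRoute) are assumptions about what such a script needs. The EC2 client is injected, so the logic runs offline against the FakeEC2Client stand-in; on the engine you would pass `boto3.client("ec2", region_name=...)` instead.

```python
"""Constructed HA route-takeover example (not the Forcepoint run-at-boot script).
Assumes the /data/route-tables format shown above and the boto3 EC2 client API:
describe_network_interfaces, describe_route_tables, replace_route."""
import re

ROUTE_TABLE_ID = re.compile(r"^rtb-[0-9a-f]+$")
DEFAULT_ROUTE = "0.0.0.0/0"
# Assumed: DeviceIndex 1 is the data interface (as in the page's script line);
# a single-interface instance would use 0.
DEVICE_INDEX = 1


def parse_route_table_file(text):
    """Return rtb-* IDs listed one per line; blank lines and '#' comments are
    ignored and any other content is rejected instead of being sent to the API."""
    ids = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not ROUTE_TABLE_ID.match(line):
            raise ValueError("/data/route-tables line %d: not a route table ID: %r" % (lineno, line))
        ids.append(line)
    return ids


def find_local_eni(ec2, instance_id, device_index=DEVICE_INDEX):
    """ID of this instance's interface at device_index (needs ec2:DescribeNetworkInterfaces)."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])
    for iface in resp["NetworkInterfaces"]:
        if iface["Attachment"]["DeviceIndex"] == device_index:
            return iface["NetworkInterfaceId"]
    raise RuntimeError("no interface at device index %d on %s" % (device_index, instance_id))


def plan_takeover(ec2, route_table_ids, eni_id):
    """[(rtb_id, current_target)] for tables whose default route does not point at
    eni_id yet; tables without a 0.0.0.0/0 route are skipped (needs ec2:DescribeRouteTables)."""
    resp = ec2.describe_route_tables(RouteTableIds=route_table_ids)
    changes = []
    for table in resp["RouteTables"]:
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
                continue
            current = route.get("NetworkInterfaceId")
            if current != eni_id:
                changes.append((table["RouteTableId"], current))
    return changes


def take_over_default_routes(ec2, route_table_ids, eni_id):
    """Repoint stale default routes at eni_id; idempotent, so a rerun at boot
    changes nothing (needs ec2:ReplaceRoute). Returns the tables changed."""
    changes = plan_takeover(ec2, route_table_ids, eni_id)
    for rtb_id, _previous in changes:
        ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=DEFAULT_ROUTE,
                          NetworkInterfaceId=eni_id)
    return [rtb_id for rtb_id, _previous in changes]


class FakeEC2Client:
    """Constructed stand-in for the boto3 EC2 client so the logic runs without AWS."""

    def __init__(self, interfaces, route_tables):
        self.interfaces, self.route_tables, self.replaced = interfaces, route_tables, []

    def describe_network_interfaces(self, Filters):
        wanted = Filters[0]["Values"]
        return {"NetworkInterfaces": [i for i in self.interfaces
                                      if i["Attachment"]["InstanceId"] in wanted]}

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [t for t in self.route_tables if t["RouteTableId"] in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.replaced.append((RouteTableId, DestinationCidrBlock, NetworkInterfaceId))
        for table in self.route_tables:
            if table["RouteTableId"] == RouteTableId:
                for route in table["Routes"]:
                    if route.get("DestinationCidrBlock") == DestinationCidrBlock:
                        route["NetworkInterfaceId"] = NetworkInterfaceId


def demo():
    """Constructed scenario: this node owns eni-aaaa; rtb-...01 already points at it,
    rtb-...02 still points at the peer, rtb-...03 has no default route at all."""
    ec2 = FakeEC2Client(
        interfaces=[{"NetworkInterfaceId": "eni-mgmt", "Attachment": {"InstanceId": "i-self", "DeviceIndex": 0}},
                    {"NetworkInterfaceId": "eni-aaaa", "Attachment": {"InstanceId": "i-self", "DeviceIndex": 1}}],
        route_tables=[
            {"RouteTableId": "rtb-0000000001", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-aaaa"}]},
            {"RouteTableId": "rtb-0000000002", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-peer"}]},
            {"RouteTableId": "rtb-0000000003", "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
        ])
    tables = parse_route_table_file("rtb-0000000001\nrtb-0000000002\n\nrtb-0000000003\n")
    eni = find_local_eni(ec2, "i-self")
    changed = take_over_default_routes(ec2, tables, eni)
    again = take_over_default_routes(ec2, tables, eni)  # second pass: nothing left to change
    return eni, changed, again, ec2.replaced
```

Two design points matter for the role attached in step 4: the script only ever calls the three actions named in the comments, so the IAM policy can be limited to them, and because the takeover is idempotent (a table already pointing at the local interface is left alone), running it by hand in step 5.8 and again at every boot is harmless.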