Configure HA
After you have deployed two Secure SD-WAN Engines, configure high availability (HA).
Before you begin
- To use HA, the Secure SD-WAN Engine must be able to resolve host names. Configure a DNS server in the Management Client component of the SMC.
- In the Management Client, add a rule to the Engine Policy to allow HTTP connections from the Secure SD-WAN Engine to the AWS API, and from the AWS API to the Secure SD-WAN Engine.
For detailed instructions, see the Forcepoint FlexEdge Secure SD-WAN Product Guide.
HA requires Forcepoint FlexEdge Secure SD-WAN version 6.4.4 or higher.
In an HA configuration, one FlexEdge Secure SD-WAN instance acts as the default gateway for outbound traffic in one VPC. If the active FlexEdge Secure SD-WAN instance becomes unavailable, the other FlexEdge Secure SD-WAN instance becomes the default gateway.
The HA configuration consists of the following files:
- run-at-boot script — The HA script that runs on each FlexEdge Secure SD-WAN instance. The script uses AWS API calls to enumerate the Route Tables of one or more subnets of a VPC and to change the FlexEdge Secure SD-WAN instance that acts as the default gateway in case of a failover.
- policy.json — Example rules that you can copy and paste into the identity and access management (IAM) policy that allows the FlexEdge Secure SD-WAN instance to access the AWS API.
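The failover step that the run-at-boot script performs, as an added example written here rather than the Forcepoint script from the repository: it enumerates the route tables associated with the given subnets and rewrites their 0.0.0.0/0 route to point at the instance that should now act as the default gateway, using only the ec2:DescribeRouteTables and ec2:ReplaceRoute calls. It assumes a boto3-style EC2 client is passed in (for example boto3.client("ec2")); the FakeEC2 class is a constructed stand-in so the code runs offline.

```python
from typing import Any, Dict, List

DEFAULT_ROUTE = "0.0.0.0/0"


def route_tables_for_subnets(ec2: Any, subnet_ids: List[str]) -> List[Dict[str, Any]]:
    """Enumerate route tables associated with the subnets (ec2:DescribeRouteTables)."""
    resp = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": subnet_ids}]
    )
    return resp["RouteTables"]


def failover_default_gateway(ec2: Any, subnet_ids: List[str], new_instance: str) -> List[str]:
    """Point the 0.0.0.0/0 route of each matching table at new_instance (ec2:ReplaceRoute).
    Returns the IDs of the tables that were changed. Tables already routing
    through new_instance are skipped, so re-running is idempotent.
    """
    changed = []
    for table in route_tables_for_subnets(ec2, subnet_ids):
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
                continue
            if route.get("InstanceId") != new_instance:
                ec2.replace_route(
                    RouteTableId=table["RouteTableId"],
                    DestinationCidrBlock=DEFAULT_ROUTE,
                    InstanceId=new_instance,
                )
                changed.append(table["RouteTableId"])
            break  # a table has at most one default route
    return changed


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): two subnets, two route tables."""
    def __init__(self) -> None:
        # route table id -> (associated subnet, instance currently used as default gateway)
        self.tables = {"rtb-a": ("subnet-a", "i-engine1"), "rtb-b": ("subnet-b", "i-engine2")}

    def describe_route_tables(self, Filters: List[Dict[str, Any]]) -> Dict[str, Any]:
        wanted = set(Filters[0]["Values"])
        out = [{"RouteTableId": rtb, "Routes": [
                    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": DEFAULT_ROUTE, "InstanceId": gw}]}
               for rtb, (subnet, gw) in self.tables.items() if subnet in wanted]
        return {"RouteTables": out}

    def replace_route(self, RouteTableId: str, DestinationCidrBlock: str, InstanceId: str) -> None:
        subnet, _ = self.tables[RouteTableId]
        self.tables[RouteTableId] = (subnet, InstanceId)
```

Those two EC2 actions, scoped to the VPC's route tables, are all this logic needs from the IAM role; check the permissions in policy.json against what the script actually calls before attaching the role.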
Steps
- Obtain the run-at-boot script and the policy.json file from https://github.com/Forcepoint/fp-NGFW-AWS-ha.
- Create an IAM policy to allow the FlexEdge Secure SD-WAN instance to access the AWS API.
- Open the AWS console, then select IAM from the Services drop-down list at the top of the page.
- From the menu on the left, select Policies.
- Click Create Policy.
- Copy the contents of the policy.json file and paste them into the web editor on the JSON tab.
- Click Review Policy.
- Enter a name and description for the policy.
- Click Create Policy.
- Create an IAM role that uses the IAM policy that you created.
- In the AWS console, select IAM from the Services drop-down list at the top of the page.
- From the menu on the left, select Roles.
- Click Create role.
- In the options for the service that will use this role, select EC2, then click Next.
- Attach the IAM policy that you created, then click Next.
- Click Review.
- Enter a name and description for the role, then click Create role.
- Attach the IAM role to the FlexEdge Secure SD-WAN instances in AWS.
- In the AWS console, select EC2 from the Services drop-down list at the top of the page.
- From the menu on the left, open the Instances page.
- Right-click the FlexEdge Secure SD-WAN instances on which you want to enable HA, then select .
- From the drop-down list, select the role that you created, then click Apply.
- Perform these steps on each FlexEdge Secure SD-WAN instance: