vCloud Networking and Security – High Availability Primer

With vShield 5.1, we have seen that High Availability of the vSM Service Virtual Machine has been introduced.

Today I am going to talk about how HA works on an Edge device and, briefly, what it takes to configure it.

The HA feature in Edge deploys two Edge appliances per cluster, which run in Active-Standby mode. Now, you may ask about configuration synchronization: does it happen automatically, or does it need manual intervention?

vCloud Networking and Security Manager manages the life cycle of both peers and pushes user configurations to both Edges simultaneously. The Active Edge also pushes run-time state information to the Standby.

Edge HA peers talk to each other using an internal IP address that is reserved purely for HA and cannot be used for any other purpose. This IP address is allocated on one of the internal interfaces of the Edge.


Below is a sample screenshot of how it looks when you deploy an Edge device in HA mode.


The Edges must also be allowed to communicate with each other without L2 restrictions, which means there should be an automatic firewall rule generator that permits the traffic between them. Yes, it is indeed there: Auto Rule Generation creates the service rules that allow the control traffic to flow between the peers.


Now you may ask what types of traffic flow between the peers. They exchange two types of network traffic: Heartbeat and Data Sync.


So, what happens at the vSphere level when you deploy an Edge appliance in HA mode? It creates an anti-affinity rule in the DRS cluster and places the two appliances on two different hosts within that cluster. A sample output is shown below.


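The anti-affinity rule is what keeps a single host failure from taking out both peers, so it is worth verifying rather than assuming. The PowerCLI script below is an added example, not part of the original post or of the vCloud Networking and Security product: it takes a cluster name and the two Edge appliance VM names as parameters (both assumed to be supplied by the caller), checks that the peers currently sit on different hosts, and checks that an enabled "separate virtual machines" DRS rule covers both of them. It assumes an existing `Connect-VIServer` session.

```powershell
# Added example (not from the original post): verify that an Edge HA pair
# is really separated by DRS. Requires an existing PowerCLI session.
param(
    [Parameter(Mandatory)] [string]   $ClusterName,   # assumed: cluster that hosts the Edge pair
    [Parameter(Mandatory)] [string[]] $EdgeVmNames    # assumed: the two Edge appliance VM names
)

$cluster = Get-Cluster -Name $ClusterName
$edgeVms = @(Get-VM -Name $EdgeVmNames -Location $cluster)

if ($edgeVms.Count -ne 2) {
    throw "Expected exactly two Edge appliances in '$ClusterName', found $($edgeVms.Count)"
}

# Check 1: are the peers currently running on different hosts?
$hostNames = @($edgeVms | ForEach-Object { $_.VMHost.Name } | Sort-Object -Unique)
if ($hostNames.Count -lt 2) {
    Write-Warning "Both Edge peers are on host '$($hostNames[0])'; one host failure would take down both."
} else {
    Write-Host "Edge peers are on separate hosts: $($hostNames -join ', ')"
}

# Check 2: is there an enabled anti-affinity (KeepTogether = $false) rule covering both peers?
# DRS rules reference VMs by Id, so compare against the VM Ids rather than names.
$edgeIds = $edgeVms | ForEach-Object { $_.Id }
$matchingRules = @(Get-DrsRule -Cluster $cluster | Where-Object {
    $_.Enabled -and (-not $_.KeepTogether) -and
    (@($_.VMIds | Where-Object { $edgeIds -contains $_ }).Count -eq 2)
})

if ($matchingRules.Count -eq 0) {
    Write-Warning "No enabled anti-affinity DRS rule covers both Edge peers; DRS may co-locate them."
} else {
    Write-Host "Anti-affinity rule(s) covering the pair: $(($matchingRules | ForEach-Object { $_.Name }) -join ', ')"
}
```

Run it as `.\Check-EdgeHaPlacement.ps1 -ClusterName <cluster> -EdgeVmNames <edge-0>,<edge-1>` after connecting to vCenter (script name and arguments are placeholders). The second check matters even when the first passes: without an enabled rule, DRS is free to migrate both peers onto the same host at the next load-balancing pass.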
Now, you may wonder how it should behave when it experiences a failure, that is, how the Standby (passive) Edge should behave when the Active Edge fails.

1. Firewall connections should fail over statefully to the Passive Edge.
2. Load Balancer state should be synced to the Passive Edge, which then takes over.
3. SSL VPN clients should reconnect automatically after a failover.
4. IPsec VPN tunnels should reconnect automatically after a failover.
5. After the failover, the Edge retains the DHCP allocation table state.


About Prasenjit Sarkar

Prasenjit Sarkar is a Product Manager at Oracle for their Public Cloud with primary focus on Cloud Strategy, Cloud Native Applications and API Platform. His primary focus is driving Oracle’s Cloud Computing business with commercial and public sector customers; helping to shape and deliver on a strategy to build broad use of Oracle’s Infrastructure as a Service (IaaS) offerings such as Compute, Storage, Network & Database as a Service. He is also responsible for developing public/private cloud integration strategies, customer’s Cloud Computing architecture vision, future state architectures, and implementable architecture roadmaps in the context of the public, private, and hybrid cloud computing solutions Oracle can offer.
