vCloud Networking and Security – High Availability Primer

With vShield 5.1, we have seen that High Availability of vSM Service Virtual Machine has been introduced.

Today I am going to talk about how HA in Edge device works and shortly what it takes to configure it.

HA feature in Edge deploys 2 Edge Appliances per cluster, which runs in Active-Standby mode. Now, you may ask how about the configuration synchronization? Does it automatically do or need manual intervention?

vCenter Networking and Security Manager manages the life cycle of both peer’s and will push user configurations to both Edges simultaneously. The Active Edge device will push run-time state information to the Standby as well.

Edge HA peers talk to each other using an Internal IP Address and cannot be used for any other purpose except purely for HA purpose. This IP address gets allocated on one of the internal interfaces of the Edge.

InternalNW

Below is a sample screen shot of how it looks when you deploy an Edge device in HA mode.

Edge-VMs

Also Edges must be allowed to communicate without L2 restrictions, that means there should be a Auto Firewall Rule generator which should allow the communication in between then. Yes, it is indeed there. Auto Rule generation automatically generates service rules to allow flow of control traffic in between peers.

FWRules

Now you may ask what are the types of traffic it carry out in between, it does exchange two types of Network traffic. They are Heartbeat and Data Sync.

HASync

So, when you deploy an Edge appliance in HA mode what it does in vSphere Level. It creates a anti affinity rule in the DRS cluster and places then separately in two different hosts within that cluster. A sample output is as below.

DRS-Rule

Now, you may wonder what or how should it behave when it does experience a failure. That means how should the Passive Edge behave when the active Edge fails over.

1. It should failover to the Passive Edge statefully for the firewall connections.
2. Load Balancer should synced to the passive and then fail over to the Passive node.
3. SSL VPN Client should reconnect automatically when it does a failover.
4. IPSec VPN tunnel should reconnect automatically when it does a failover.
5. After the failover Edge retains the DHCP allocation table state.