Non-Traditional HA and Failover in GCP

Created On 03/18/20 22:22 PM - Last Modified 04/04/20 00:05 AM


Objective


  • Configure HA (High-Availability) in GCP as traditional PAN-OS HA is not supported


Environment


  • Platform: PAN-OS
  • Deployment: VM-Series


Procedure


  • One option is to use Google Cloud services to perform stateless failover with an External Load Balancer (the "LB sandwich" design).
or
  • Google route metric: GCP can use the route metric feature to configure a non-traditional HA. This feature allows you to set multiple routes to the same destination and next hop (two different VM-Series firewall instances) with different priorities. Let's use the terms "primary" and "secondary" for these VM-Series firewalls to distinguish this failover from traditional high availability, which uses the terms "active" and "passive."
  • Normally, traffic flows through the firewall whose route has the lower metric (higher priority) – called the primary here – based on the routing/forwarding rules configured in the VPC network. If GCP detects failure of the primary firewall, it shifts all new traffic to the secondary firewall. This failover typically takes about 30 seconds. During this period, all existing sessions through the primary firewall terminate, and applications establishing new sessions do so on the secondary firewall.
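The route-metric failover described above, modelled as an added example (not code from this article or from Palo Alto Networks): two default routes to the same destination with different metrics, next-hop selection that prefers the most specific prefix and then the lowest metric, and a session table showing that sessions pinned to the failed primary are lost while new sessions land on the secondary. Instance names, route names and the health map are constructed assumptions that stand in for GCP's own failure detection.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    name: str
    dest: str       # destination CIDR
    next_hop: str   # VM-Series instance name (hypothetical names below)
    priority: int   # GCP route metric: lower value wins among equally specific routes

@dataclass
class Fabric:
    routes: list
    healthy: dict   # instance name -> bool, stands in for GCP's failure detection
    sessions: dict = field(default_factory=dict)  # session id -> next hop carrying it

    def select(self, dst_ip):
        """Longest prefix first, then lowest metric, skipping routes whose next hop is down."""
        ip = ip_address(dst_ip)
        cands = [r for r in self.routes
                 if ip in ip_network(r.dest) and self.healthy.get(r.next_hop, False)]
        if not cands:
            return None
        cands.sort(key=lambda r: (-ip_network(r.dest).prefixlen, r.priority))
        return cands[0].next_hop

    def open_session(self, sid, dst_ip):
        hop = self.select(dst_ip)
        if hop is not None:
            self.sessions[sid] = hop
        return hop

    def fail(self, instance):
        """Primary fails: its route is no longer used and sessions pinned to it are lost."""
        self.healthy[instance] = False
        lost = sorted(s for s, hop in self.sessions.items() if hop == instance)
        for s in lost:
            del self.sessions[s]
        return lost

def demo():
    # Constructed sample: two default routes to the same destination, different metrics.
    fabric = Fabric(
        routes=[Route("to-internet-primary", "0.0.0.0/0", "fw-primary", 100),
                Route("to-internet-secondary", "0.0.0.0/0", "fw-secondary", 200)],
        healthy={"fw-primary": True, "fw-secondary": True})
    first = fabric.open_session("s1", "198.51.100.10")   # new session goes via primary
    lost = fabric.fail("fw-primary")                      # existing session s1 terminates
    second = fabric.open_session("s2", "198.51.100.10")  # new session goes via secondary
    return first, lost, second
```

The model ignores the roughly 30-second detection window the article mentions; in GCP the route switch is not instantaneous.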