fortinet / aws-cloudformation-templates

Cloud Formation Templates for getting you started in AWS with Fortinet.
MIT License

Using Ingress Routing (Edge Associations) breaks DualAZ config #26

Closed FrozenDragoon closed 1 year ago

FrozenDragoon commented 1 year ago

Using Ingress Routing (Edge Associations) breaks this config due to the HAMgmt interface no longer being able to reach AWS.

I'm working on getting this set up using the DualAZ config. Everything worked well, until we wanted to expose a back-end server to the Internet. I then configured an ingress route table, with an Edge Association (as detailed here https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/).

This works extremely well, except for the fact that it breaks access to the Standby Cluster Member, and it breaks failover. The issue lies with the fact that the automatic update (SDN Connector?) is changing a route that must remain static.

In this route table:

awsd checking ha status for vdom root
awsd checking elastic ip for port1
awsd checking elastic ip for port2
awsd update route table rtb-03XXXXXXXXXXba1, replace route of dst 10.19.226.0/24 to eni-0b2XXXXXXXX3df
awsd update route successfully
awsd reap child pid: 17044
XXXX-AWS-FW2 # diag deb app awsd 0

TLDR

The /24 routes need to remain static, pointing to their individual gateway. But due to the automatic update, they are both pointing to the currently active member. On failover the newly active member cannot access AWS on the HAMgmt interface and the Elastic IP is never moved to the newly active FGT.


Is there maybe a way to exempt a specific route? Or something in AWS itself that I'm missing?
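One way to at least catch the rewrite described above from the defender's side, added here as an example that is not part of this issue or of the Fortinet templates: it parses awsd debug lines of the form shown earlier and flags any rewrite that moves a pinned HAMgmt /24 away from the ENI it must keep. Route table and ENI ids in the sample are constructed placeholders, not values from the issue.

```python
import re
from dataclasses import dataclass

# Shape of the awsd debug line emitted when the SDN connector rewrites a route
# (see the "diag deb app awsd" output above); ids are matched loosely.
AWSD_UPDATE_RE = re.compile(
    r"awsd update route table (?P<rtb>rtb-\w+), "
    r"replace route of dst (?P<dst>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) to (?P<eni>eni-\w+)"
)

@dataclass(frozen=True)
class PinnedRoute:
    """A route that must stay static: a member's HAMgmt /24 in the ingress table."""
    rtb: str  # route table id
    dst: str  # destination prefix
    eni: str  # ENI it must keep pointing at

def find_pinned_route_rewrites(log_lines, pinned):
    """Return (rtb, dst, expected_eni, actual_eni) for every awsd rewrite
    that moves a pinned route away from the ENI it is supposed to keep."""
    expected_by_key = {(p.rtb, p.dst): p.eni for p in pinned}
    rewrites = []
    for line in log_lines:
        m = AWSD_UPDATE_RE.search(line)
        if m is None:
            continue  # status lines such as "awsd checking ha status ..."
        expected = expected_by_key.get((m["rtb"], m["dst"]))
        if expected is not None and expected != m["eni"]:
            rewrites.append((m["rtb"], m["dst"], expected, m["eni"]))
    return rewrites

# Constructed sample: one ingress route table with one HAMgmt /24 per member.
# All ids below are placeholders, not values from the issue.
PINNED = [
    PinnedRoute("rtb-0a1b2c3d", "10.19.226.0/24", "eni-0aaa000001"),
    PinnedRoute("rtb-0a1b2c3d", "10.19.227.0/24", "eni-0bbb000002"),
]
SAMPLE_LOG = [
    "awsd checking ha status for vdom root",
    # FGT2 went active and awsd pulls FGT1's HAMgmt route onto FGT2: must be flagged
    "awsd update route table rtb-0a1b2c3d, replace route of dst 10.19.226.0/24 to eni-0bbb000002",
    # FGT2's own HAMgmt route already points at FGT2: not a violation
    "awsd update route table rtb-0a1b2c3d, replace route of dst 10.19.227.0/24 to eni-0bbb000002",
    # default route is meant to follow the active member: not pinned, ignored
    "awsd update route table rtb-0a1b2c3d, replace route of dst 0.0.0.0/0 to eni-0bbb000002",
    "awsd update route successfully",
]

if __name__ == "__main__":
    for rtb, dst, want, got in find_pinned_route_rewrites(SAMPLE_LOG, PINNED):
        print(f"ALERT {rtb} {dst}: moved from {want} to {got}, restore static route")
```

Feeding it the live awsd debug output (or the equivalent CloudTrail ReplaceRoute events) gives an alert to act on; it does not stop awsd from making the change.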

mobilesuitzero commented 1 year ago

Hi,

Currently, during the HA failover, a specific route can't be exempted from failing over on the FGT side, as it will fail over any routes whose target is the FGT's ENI.

Will file an internal ticket to have that addressed.

Cheers