Closed FrozenDragoon closed 1 year ago
Hi,
Currently, during the HA failover, you can't exempt a specific route from failing over from the FGT side, as it will fail over any routes that target the FGT's ENI.
Will file an internal ticket to have that addressed.
Cheers
Using Ingress Routing (Edge Associations) breaks this config due to the HAMgmt interface no longer being able to reach AWS.
I'm working on getting this set up using the DualAZ config. Everything worked well, until we wanted to expose a back-end server to the Internet. I then configured an ingress route table, with an Edge Association (as detailed here https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/).
This works extremely well, except for the fact that it breaks access to the Standby Cluster Member, and it breaks failover. The issue lies with the fact that the automatic update (SDN Connector?) is changing a route that must remain static.
In this route table:
The /20s are the private subnets; those should both be pointing to the same interface (ending in 793), the Public (interface 1) of the currently active FW.
10.19.226.0/24 is FGT1's HAMgmt subnet - target of FGT2's HAMgmt Interface <- This is the issue
10.19.242.0/24 is FGT2's HAMgmt subnet - target of FGT2's HAMgmt Interface (ending in 3df)

TLDR

The /24 routes need to remain static, pointing to their individual gateway. But due to the automatic update, they are both pointing to the currently active member. On failover the newly active member cannot access AWS on the HAMgmt interface and the Elastic IP is never moved to the newly active FGT.

Is there maybe a way to exempt a specific route? Or something in AWS itself that I'm missing?