10.3.1. Example of firewall / load balancer configuration for web site publication (two-arm)

Verified versions:
 Brocade 5600vRouter Version 4.2R1S1
 Citrix NetScaler VPX Version 11.0 Build 67.12 Standard Edition

10.3.1.1. Prerequisites

To publish the web server to the outside, the firewall (FW) and load balancer (LB) are configured according to the following policy.

Firewall

  • Two firewalls are configured redundantly with VRRP. VRRP is configured on every segment.

  • The FW rules drop all traffic from the external segment by default and allow only HTTP/HTTPS to the published address. Traffic from the trusted segments is allowed without restriction.

  • External clients access the global IP address of the FW (its VRRP virtual address), not the IP address of the LB virtual server; the FW rewrites the destination to the virtual server address with destination NAT.

Load Balancer

  • Two load balancers are configured redundantly with VRRP. VRRP is configured on the FW-side segment.

  • Virtual servers for HTTP and HTTPS distribute traffic round-robin to two web servers. The HTTPS virtual server performs SSL offloading.

  • On the ECL 2.0 load balancer (NetScaler VPX), only one VRRP setting (a pair of virtual IP address and VRRP group ID) can be registered per interface, so multiple VRRP groups cannot be registered. As an alternative, further VIPs can be made redundant by registering a virtual IP address in a segment different from the one registered for VRRP and using it as the load-balancing target address. This configuration uses that method.

Image of setting concept

function_a_0

10.3.1.2. System diagram

function_a_1

Note

  • "Windows Server 2012R2" is used as the OS of the clients.

  • "CentOS 7.1.1503" is used as the OS of the web servers.

  • "Apache 2.2.32" is used as the web server software.

10.3.1.3. Configuration of Firewall

Firewall Interface setting

The interface settings are shown here only so that the configuration can be checked; in practice, the interface settings must be made on the customer portal.
Note that submitting the interface setting commands below returns an error.

Note

  • Interface settings cannot be made anywhere except on the customer portal.

  • FW-01
set interfaces dataplane dp0s4 address '1.X.X.253/24'
set interfaces dataplane dp0s5 address '192.168.0.253/24'
set interfaces dataplane dp0s6 address '192.168.10.253/24'
  • FW-02
set interfaces dataplane dp0s4 address '1.X.X.252/24'
set interfaces dataplane dp0s5 address '192.168.0.252/24'
set interfaces dataplane dp0s6 address '192.168.10.252/24'

VRRP Setting

Before configuring VRRP, the VRRP communication permission must be set on the customer portal.
(See "VRRP communication setting registration" and register the VRRP communication settings.)
  • FW-01
dp0s4
set interfaces dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 priority '150'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 sync-group 'test'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 virtual-address '1.X.X.254'
dp0s5
set interfaces dataplane dp0s5 vrrp vrrp-group 20 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 preempt 'true'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 priority '150'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 sync-group 'test'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 virtual-address '192.168.0.254'
dp0s6
set interfaces dataplane dp0s6 vrrp vrrp-group 30 advertise-interval '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 preempt 'true'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 priority '150'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 'rfc-compatibility'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 sync-group 'test'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 virtual-address '192.168.10.254'
  • FW-02
dp0s4
set interfaces dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 priority '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 sync-group 'test'
set interfaces dataplane dp0s4 vrrp vrrp-group 10 virtual-address '1.X.X.254'
dp0s5
set interfaces dataplane dp0s5 vrrp vrrp-group 20 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 preempt 'true'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 priority '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 sync-group 'test'
set interfaces dataplane dp0s5 vrrp vrrp-group 20 virtual-address '192.168.0.254'
dp0s6
set interfaces dataplane dp0s6 vrrp vrrp-group 30 advertise-interval '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 preempt 'true'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 priority '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 'rfc-compatibility'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 sync-group 'test'
set interfaces dataplane dp0s6 vrrp vrrp-group 30 virtual-address '192.168.10.254'

Note

  • Asymmetric routing is not supported in this configuration. When VRRP runs on multiple interfaces, use the sync-group setting so that all groups fail over together; otherwise a single interface can switch to the other firewall while the rest stay on the first, and the stateful firewall drops the asymmetric flows.

  • About the value of advertise-interval: with the default setting (1 second), VRRP communication has occasionally been observed to become unstable on the platform side. We therefore recommend a value of 20 seconds or more. Note that the failure detection time grows with it: with 20 seconds, detection takes three missed advertisements, about 60 seconds in total, during which the published service is unreachable.

Resource group setting

Create a port group to be used for the allowed ports in the FW rules.
  • FW-01/02 Common

set resources group port-group HTTP-HTTPS port '80'
set resources group port-group HTTP-HTTPS port '443'

FW rule settings

Enable the stateful firewall. With the global state policy, reply traffic of sessions that a rule has accepted is permitted automatically, so no explicit rules for return traffic are needed.
  • FW-01/02 Common

set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
Create a rule set that controls traffic arriving from the external segment:
  • Everything is dropped by default.
  • Traffic from the peer firewall (FW-02 on FW-01, FW-01 on FW-02) is permitted so that management traffic such as VRRP passes. Note that this rule accepts every protocol from the peer address, not only VRRP.
  • Only HTTP (80) and HTTPS (443) to the FW virtual address are allowed.
  • FW-01
set security firewall name Untrust-to-HTTP default-action 'drop'
set security firewall name Untrust-to-HTTP rule 1 action 'accept'
set security firewall name Untrust-to-HTTP rule 1 source address '1.X.X.252'
set security firewall name Untrust-to-HTTP rule 10 action 'accept'
set security firewall name Untrust-to-HTTP rule 10 destination address '1.X.X.254'
set security firewall name Untrust-to-HTTP rule 10 destination port 'HTTP-HTTPS'
set security firewall name Untrust-to-HTTP rule 10 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
  • FW-02
set security firewall name Untrust-to-HTTP default-action 'drop'
set security firewall name Untrust-to-HTTP rule 1 action 'accept'
set security firewall name Untrust-to-HTTP rule 1 source address '1.X.X.253'
set security firewall name Untrust-to-HTTP rule 10 action 'accept'
set security firewall name Untrust-to-HTTP rule 10 destination address '1.X.X.254'
set security firewall name Untrust-to-HTTP rule 10 destination port 'HTTP-HTTPS'
set security firewall name Untrust-to-HTTP rule 10 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
Apply the created FW rule sets to the interfaces: "Untrust-to-HTTP" inbound on the external interface (dp0s4) and "all_accept" outbound on the LB-side interface (dp0s6).
  • FW-01/02 Common

set interfaces dataplane dp0s4 firewall in 'Untrust-to-HTTP'
set interfaces dataplane dp0s6 firewall out 'all_accept'
Configure destination NAT so that HTTP and HTTPS access from the external segment to the FW virtual address is translated to the addresses of the virtual servers configured on the load balancer (172.16.100.100 for HTTP, 172.16.100.200 for HTTPS).
  • FW-01/02 Common

set service nat destination rule 10 destination address '1.X.X.254'
set service nat destination rule 10 destination port '80'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 protocol 'tcp'
set service nat destination rule 10 translation address '172.16.100.100'
set service nat destination rule 11 destination address '1.X.X.254'
set service nat destination rule 11 destination port '443'
set service nat destination rule 11 inbound-interface 'dp0s4'
set service nat destination rule 11 protocol 'tcp'
set service nat destination rule 11 translation address '172.16.100.200'
set service nat destination rule 11 translation port '443'
Configure a static route so that the virtual server segment (172.16.100.0/24) is reached via the load balancer's VRRP virtual address (192.168.10.251).
set protocols static route 172.16.100.0/24 next-hop '192.168.10.251'
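As an added example that is not part of the original page or of the vendor's tooling, the following Python script parses `set` commands of the kind shown above and checks them against the publication policy stated in 10.3.1.1: the rule set bound inbound on the external interface must have default-action drop, every other accept rule must be restricted to TCP 80/443 towards the FW virtual address, and the peer rule is reported because it accepts every protocol from the peer address. The embedded configuration is a copy of the FW-01 lines above; the interface name, virtual address and peer address are passed in by the caller, and only the statement forms used on this page are parsed.

```python
"""Audit Brocade 5600vRouter firewall 'set' commands against the publication policy.

Added example; parses only the statement forms used on this page.
"""
from collections import defaultdict

# Constructed sample: the FW-01 firewall, port-group and binding lines from this page.
FW01_CONFIG = """
set resources group port-group HTTP-HTTPS port '80'
set resources group port-group HTTP-HTTPS port '443'
set security firewall name Untrust-to-HTTP default-action 'drop'
set security firewall name Untrust-to-HTTP rule 1 action 'accept'
set security firewall name Untrust-to-HTTP rule 1 source address '1.X.X.252'
set security firewall name Untrust-to-HTTP rule 10 action 'accept'
set security firewall name Untrust-to-HTTP rule 10 destination address '1.X.X.254'
set security firewall name Untrust-to-HTTP rule 10 destination port 'HTTP-HTTPS'
set security firewall name Untrust-to-HTTP rule 10 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
set interfaces dataplane dp0s4 firewall in 'Untrust-to-HTTP'
set interfaces dataplane dp0s6 firewall out 'all_accept'
"""


def parse_config(text):
    """Return port groups, firewall rule sets and interface bindings from 'set' lines."""
    cfg = {"port_groups": defaultdict(set), "rulesets": {}, "bindings": {}}
    for line in text.strip().splitlines():
        t = [tok.strip("'") for tok in line.split()]
        if not t or t[0] != "set":
            continue
        t = t[1:]
        if t[:3] == ["resources", "group", "port-group"]:
            cfg["port_groups"][t[3]].add(int(t[5]))
        elif t[:3] == ["security", "firewall", "name"]:
            rs = cfg["rulesets"].setdefault(t[3], {"default": None, "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule":
                # key is the attribute path, e.g. "destination port" -> "HTTP-HTTPS"
                rs["rules"].setdefault(int(t[5]), {})[" ".join(t[6:-1])] = t[-1]
        elif t[:2] == ["interfaces", "dataplane"] and len(t) > 5 and t[3] == "firewall":
            cfg["bindings"][(t[2], t[4])] = t[5]  # (interface, direction) -> rule set
    return cfg


def rule_ports(cfg, rule):
    """Resolve 'destination port' to a set of port numbers (empty set = any port)."""
    spec = rule.get("destination port")
    if spec is None:
        return set()
    if spec.isdigit():
        return {int(spec)}
    return set(cfg["port_groups"].get(spec, set()))


def audit_untrust(cfg, untrust_if, vip, peer, allowed_ports=(80, 443)):
    """Return (severity, message) findings for the inbound rule set on the external interface."""
    findings = []
    name = cfg["bindings"].get((untrust_if, "in"))
    if name is None or name not in cfg["rulesets"]:
        return [("error", f"no inbound rule set bound on {untrust_if}")]
    rs = cfg["rulesets"][name]
    if rs["default"] != "drop":
        findings.append(("error", f"{name}: default-action is {rs['default']}, expected drop"))
    for num, rule in sorted(rs["rules"].items()):
        if rule.get("action") != "accept":
            continue
        if rule.get("source address") == peer:
            # Needed for VRRP between the two firewalls, but wider than VRRP alone.
            if "protocol" not in rule:
                findings.append(("info", f"{name} rule {num}: accepts any protocol from peer {peer}"))
            continue
        ports = rule_ports(cfg, rule)
        if rule.get("protocol") != "tcp" or not ports or ports - set(allowed_ports):
            findings.append(("error", f"{name} rule {num}: exposes {sorted(ports) or 'all ports'} "
                                      f"over {rule.get('protocol', 'any protocol')}"))
        if rule.get("destination address") != vip:
            findings.append(("error", f"{name} rule {num}: destination is "
                                      f"{rule.get('destination address', 'any')}, expected {vip}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_untrust(parse_config(FW01_CONFIG), "dp0s4", "1.X.X.254", "1.X.X.252"):
        print(f"[{severity}] {message}")
```

Run against the page's own configuration the audit reports only the informational finding about rule 1; adding port 22 to the HTTP-HTTPS group or changing the default action to accept produces an error, which is the kind of drift a periodic check of the saved configuration should catch.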

Confirmation of setting contents

If the settings above were entered correctly, the output below is shown.
  • FW-01
user-admin@FW-01# show interfaces
interfaces {
       dataplane dp0s4 {
               address 1.X.X.253/24
               firewall {
                       in Untrust-to-HTTP
               }
               vrrp {
                       vrrp-group 10 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test
                               virtual-address 1.X.X.254
                       }
               }
       }
       dataplane dp0s5 {
               address 192.168.0.253/24
               vrrp {
                       vrrp-group 20 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test
                               virtual-address 192.168.0.254
                       }
               }
       }
       dataplane dp0s6 {
               address 192.168.10.253/24
               firewall {
                       out all_accept
               }
               vrrp {
                       vrrp-group 30 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test
                               virtual-address 192.168.10.254
                       }
               }
       }
       loopback lo
}

user-admin@FW-01# show resources
resources {
       group {
               port-group HTTP-HTTPS {
                       port 80
                       port 443
               }
       }
}

user-admin@FW-01# show security firewall
firewall {
       global-state-policy {
               icmp
               tcp
               udp
       }
       name Untrust-to-HTTP {
               default-action drop
               rule 1 {
                       action accept
                       source {
                               address 1.X.X.252
                       }
               }
               rule 10 {
                       action accept
                       destination {
                               address 1.X.X.254
                               port HTTP-HTTPS
                       }
                       protocol tcp
               }
       }
       name all_accept {
               default-action accept
       }
}

user-admin@FW-01# show  service nat destination
destination {
       rule 10 {
               destination {
                       address 1.X.X.254
                       port 80
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 172.16.100.100
               }
       }
       rule 11 {
               destination {
                       address 1.X.X.254
                       port 443
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 172.16.100.200
                       port 443
               }
       }
}

user-admin@FW-01# show protocols static
static {
       route 172.16.100.0/24 {
               next-hop 192.168.10.251
       }
}
  • FW-02
user-admin@FW-02# show interfaces
interfaces {
       dataplane dp0s4 {
               address 1.X.X.252/24
               firewall {
                       in Untrust-to-HTTP
               }
               vrrp {
                       vrrp-group 10 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test
                               virtual-address 1.X.X.254
                       }
               }
       }
       dataplane dp0s5 {
               address 192.168.0.252/24
               vrrp {
                       vrrp-group 20 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test
                               virtual-address 192.168.0.254
                       }
               }
       }
       dataplane dp0s6 {
               address 192.168.10.252/24
               firewall {
                       out all_accept
               }
               vrrp {
                       vrrp-group 30 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test
                               virtual-address 192.168.10.254
                       }
               }
       }
       loopback lo
}

user-admin@FW-02# show resources
resources {
       group {
               port-group HTTP-HTTPS {
                       port 80
                       port 443
               }
       }
}

user-admin@FW-02# show security firewall
firewall {
       global-state-policy {
               icmp
               tcp
               udp
       }
       name Untrust-to-HTTP {
               default-action drop
               rule 1 {
                       action accept
                       source {
                               address 1.X.X.253
                       }
               }
               rule 10 {
                       action accept
                       destination {
                               address 1.X.X.254
                               port HTTP-HTTPS
                       }
                       protocol tcp
               }
       }
       name all_accept {
               default-action accept
       }
}

user-admin@FW-02# show  service nat destination
destination {
       rule 10 {
               destination {
                       address 1.X.X.254
                       port 80
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 172.16.100.100
               }
       }
       rule 11 {
               destination {
                       address 1.X.X.254
                       port 443
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 172.16.100.200
                       port 443
               }
       }
}

user-admin@FW-02# show protocols static
static {
       route 172.16.100.0/24 {
               next-hop 192.168.10.251
       }
}

10.3.1.4. Load Balancer setting

Load balancer interface setting

The interface settings are shown here only so that the configuration can be checked; in practice, the interface settings must be made on the customer portal.

Note

  • Interface settings cannot be made anywhere except on the customer portal.

Setting Items     Setting Parameter (LB 01)   Setting Parameter (LB 02)
Interface 1/1     192.168.10.250/24           192.168.10.249/24
Interface 1/2     172.16.10.250/24            172.16.10.249/24

Configuration Check

Move to the menu “System” - “Network” - “IPs” and confirm the IP address setting.
  • LB01
Fig1101
  • LB02
Fig1102

VRRP settings(Interface 1/1)

The VRRP settings of the load balancer, which acts as the redundant gateway, are described below.
Before configuring VRRP, the VRRP communication permission must be set on the customer portal.
For details, see "VRRP redundancy setting".

Configure the VMAC with the following parameters.

Setting Items     Setting Parameter (LB 01)   Setting Parameter (LB 02)
VRID              40                          40
Priority value    200                         100
Preemption        Checked (enabled)           Checked (enabled)

Next, configure a Virtual IP and bind it to the VMAC created above.

Setting Items       Setting Parameter (LB 01)   Setting Parameter (LB 02)
VirtualIP           192.168.10.251/24           192.168.10.251/24
Netmask             255.255.255.0               255.255.255.0
IP Type             Virtual IP                  Virtual IP
Virtual Router ID   40                          40
Traffic Domain      10                          10

Configuration Check(Virtual IP)

Move to the menu “System”-“Network”-“IPs”-“IPV 4s” and check the VirtualIP setting.
  • LB01
Fig1105
  • LB02
Fig1106

Configuration Check(VRRP)

Move to the menu “System”-“Network”-“VMAC” and confirm the VRRP setting.
  • LB01
Fig1103
  • LB02
Fig1104

Routing Settings

Set a default route for networks that are not directly connected to the load balancer.
The next hop is the VRRP virtual address of the firewall on its load-balancer-side interface.

Setting Items     Setting Parameter (LB 01)   Setting Parameter (LB 02)
Destination       0.0.0.0                     0.0.0.0
Subnet mask       0.0.0.0                     0.0.0.0
Gateway address   192.168.10.254              192.168.10.254
Traffic Domain    10                          10

Note

  • The default gateway cannot be set anywhere except on the customer portal.

Configuration Check

Move to the menu “System”-“Network”-“Routes” and confirm the routing setting.
  • LB01 LB02 Common Configuration Items

Fig1105

Virtual Web Server Registration

Register the web servers to which the load balancer distributes traffic.
The following parameters are configured.

Setting Items     Web server 1 (LB 01, LB 02 common)   Web server 2 (LB 01, LB 02 common)
Name              Web-server-01                        Web-server-02
IPAddress         172.16.10.11/24                      172.16.10.12/24
Traffic Domain    10                                   10

Configuration Check

Move to the menu “Traffic Management”-“Load Balancing”-“Servers” and check the virtual web server settings.
  • LB01 LB02 Common Configuration Items

Fig1106

Service group setting

Register a service group that bundles the web servers registered above.
The following parameters are configured.

Setting Items      Setting Parameter (LB 01)      Setting Parameter (LB 02)
Service Name       HTTP                           HTTP
Existing Servers   Web-server-01 (172.16.10.11)   Web-server-01 (172.16.10.11)
                   Web-server-02 (172.16.10.12)   Web-server-02 (172.16.10.12)
Protocol           HTTP                           HTTP
Port               80                             80
Monitors           http                           http
Traffic Domain     10                             10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Service Groups", double-click the registered service group shown in the right pane and confirm the settings.
  • LB01 LB02 Common Configuration Items

Fig1107
Service Group Members
Click A in the image above and check the web servers that are the distribution targets.
Fig1108
Monitors
Click B in the above image and confirm that Monitor is set.
Fig1109

Note

  • When traffic is load balanced, the client IP address is SNAT-translated to the load balancer's IP address, so the web servers see the load balancer as the source. This behaviour is enabled by default.

  • To pass the client's IP address to the web server, use the X-Forwarded-For function. This setting is disabled by default. Because a client can also send this header itself, the web server should take the client address from it only for connections that arrive from the load balancer.
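As an added example that is not part of the original page, the following Python function shows how an application on the web servers should derive the client address from X-Forwarded-For once the function is enabled. It assumes that the load balancer connects to the web servers from its interface 1/2 addresses (172.16.10.250 and 172.16.10.249 on this page) and that it appends the connecting address to any X-Forwarded-For header the client already sent, the usual behaviour for this header; both the addresses and that behaviour are assumptions to verify on the actual deployment.

```python
"""Derive the client address behind the load balancer from X-Forwarded-For (added example)."""
import ipaddress

# Assumption: the load balancer reaches the web servers from its interface 1/2
# addresses (LB 01: 172.16.10.250, LB 02: 172.16.10.249 on this page). Only these
# peers are trusted to have inserted an honest X-Forwarded-For entry.
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("172.16.10.250"),
    ipaddress.ip_address("172.16.10.249"),
})


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client's address as an ipaddress object, or None if it cannot be trusted.

    remote_addr: peer address of the TCP connection as seen by the web server.
    xff_header:  value of the X-Forwarded-For request header, or None.

    The header is read from the right: the rightmost entry was appended by the
    nearest proxy. Trusted proxies are skipped and the first untrusted address is
    the client. Entries further left were supplied by the client and are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        # Direct connection: any header present was set by the client itself.
        return peer
    if not xff_header:
        return None  # came via the LB but the header was not inserted
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if addr not in trusted:
            return addr
    return None  # every entry was one of our own proxies
```

If the header is also to be logged, Apache 2.2 can record it with `%{X-Forwarded-For}i` in a LogFormat directive; the same trust rule should be applied when those logs are analysed, since the leftmost entries are client-controlled.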

Virtual Server setting

Set up the virtual servers that receive the communication from outside.

Virtual Server setting for HTTP
Configure the virtual server for HTTP communication from outside.
The following parameters are configured.

Setting Items     Setting Parameter (LB 01)   Setting Parameter (LB 02)
Name              http-vserver                http-vserver
Protocol          HTTP                        HTTP
IP Address Type   IP Address                  IP Address
IP Address        172.16.100.100              172.16.100.100
Port              80                          80
Traffic Domain    10                          10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers", double-click the registered virtual server named "http-vserver" in the right pane and confirm the settings.
  • LB01 LB02 Common Configuration Items

Fig1110
Load Balancing Virtual Server Service Group Binding
Click the binding in the image above and check that the service group is specified.
Fig1111

Virtual server setting for SSL offload
Configure the virtual server for HTTPS communication from outside. Because SSL offload is used, the load balancer terminates TLS and forwards plain HTTP to the web servers; the segment between the load balancer and the web servers therefore carries unencrypted requests and must be protected at the network level.
The following parameters are configured.

Setting Items        Setting Parameter (LB 01)   Setting Parameter (LB 02)
Name                 ssl-vserver                 ssl-vserver
Protocol             SSL                         SSL
IP Address Type      IP Address                  IP Address
IP Address           172.16.100.200              172.16.100.200
Port                 443                         443
Server Certificate   ia_example.jp               ia_example.jp
CA Certificate       example.jp                  example.jp
Traffic Domain       10                          10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers", double-click the registered virtual server named "ssl-vserver" in the right pane and confirm the settings.
  • LB01 LB02 Common Configuration Items

Fig1112
Fig1113
Load Balancing Virtual Server Service Group Binding
Click A in the image above and confirm that the service group is specified.
Fig1114
SSL Virtual Server Service Certificate Binding
Click B in the above image and confirm that SSL server certificate is set up.
Fig1115
SSL Virtual Server CA Certificate Binding
Click C in the image above and confirm that the CA certificate is set.
Fig1116
The load balancer setting is completed.

10.3.1.5. Flow of traffic

During normal operation, communication passes through FW-01 and LB-01.
Confirm that the web server can be reached from the external client and from the trusted client.
function_a_2

Status check at normal state

The status of the firewall during normal communication can be confirmed as follows.
  • VRRP status

FW-01 must be Master.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     MASTER  dp0vrrp1   no     1h30m26s    test
dp0s5             20     MASTER  dp0vrrp2   no     1h30m26s    test
dp0s6             30     MASTER  dp0vrrp3   no     1h30m26s    test
FW-02 must be Backup.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     BACKUP  dp0vrrp2   no     1h59m15s    test
dp0s5             20     BACKUP  dp0vrrp3   no     1h59m15s    test
dp0s6             30     BACKUP  dp0vrrp1   no     1h59m15s    test
The status of the load balancer during normal operation can be confirmed as follows.
  • VRRP status

Move to the menu “System”-“Network”-“VMAC” and confirm the VRRP setting.
LB-01 must be Master.
fun-a_lb01
LB-02 must be Backup.
fun-a_lb02
  • Virtual Server status

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers"-"Statistics" and check that the virtual servers are in the UP state.
fun-a_lb03

Client Connection check

HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the external client (HTTP access)
fun-a_untrustnw_http_sv01_02
Client browser screen on the external client (HTTPS access)
fun-a_untrustnw_https_sv01_02
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the trusted client (HTTP access)
fun-a_trustnw_http_sv01_02
Client browser screen on the trusted client (HTTPS access)
fun-a_trustnw_http_sv01_02
This completes the confirmation of normal operation.
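The client-side checks above, and the same checks repeated during the firewall and load balancer failure tests in 10.3.1.6 and 10.3.1.7, can be scripted. The following Python script is an added example and not part of the original page. `check_exposure` confirms from the client that only the published ports answer on the FW virtual address and that other ports are silently dropped, which is what the default-action drop of 10.3.1.3 should produce (a "refused" answer would mean the port is reachable and rejected by a host, not filtered). `check_distribution` fetches a page repeatedly and confirms that both web servers answered. `measure_outage` polls the published port while a failover is triggered and reports when the service went down and came back, so the observed outage can be compared with the VRRP detection time. The network functions are parameters so the logic runs offline; the test page returning the backend hostname and the probe ports other than 80/443 are assumptions.

```python
"""Client-side verification of the published service (added example)."""
import socket
import ssl
import sys
import time
import urllib.request


def tcp_connect(host, port, timeout):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    socket.create_connection((host, port), timeout=timeout).close()


def probe_port(host, port, timeout=3.0, connect=tcp_connect):
    """Classify a port as 'open', 'refused' (RST received) or 'dropped' (no answer).

    A firewall default-action of drop yields a timeout, so filtered ports must be 'dropped'."""
    try:
        connect(host, port, timeout)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout is a subclass of OSError
        return "dropped"


def check_exposure(host, published=(80, 443), unpublished=(22, 8080, 3389), probe=probe_port):
    """Return deviations from 'published ports open, everything else dropped'."""
    problems = []
    for port in published:
        state = probe(host, port)
        if state != "open":
            problems.append(f"port {port} is {state}, expected open")
    for port in unpublished:
        state = probe(host, port)
        if state != "dropped":
            problems.append(f"port {port} is {state}, expected dropped")
    return problems


def identify_backend(url, cafile=None, timeout=5.0):
    """Fetch url and return the body text; the test page is assumed to print the server hostname.

    For HTTPS the certificate is verified against cafile (the CA bound to ssl-vserver)."""
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        return resp.read().decode("utf-8", "replace").strip()


def check_distribution(url, expected_backends, attempts=None, fetch=identify_backend):
    """Fetch url repeatedly; return the set of expected backends that never answered."""
    attempts = attempts or 2 * len(expected_backends)
    seen = {fetch(url) for _ in range(attempts)}
    return set(expected_backends) - seen


def measure_outage(host, port, duration=180.0, interval=1.0, probe=probe_port,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll host:port for up to duration seconds while a failover is triggered.

    Returns (first_failure, recovery) in seconds from start; None where not observed."""
    start = clock()
    first_failure = recovery = None
    while clock() - start < duration:
        up = probe(host, port) == "open"
        elapsed = clock() - start
        if not up and first_failure is None:
            first_failure = elapsed
        elif up and first_failure is not None:
            recovery = elapsed
            break
        sleep(interval)
    return first_failure, recovery


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: verify_publication.py <published-hostname> [cafile]")
    site = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print("exposure:", check_exposure(site) or "ok")
    backends = ["web-server-01", "web-server-02"]
    for url in (f"http://{site}/", f"https://{site}/"):
        missing = check_distribution(url, backends, fetch=lambda u: identify_backend(u, cafile))
        print(url, "missing backends:", missing or "none")
```

Pass the DNS name that resolves to the FW virtual address rather than the bare address so that the certificate's name check succeeds. With the advertise-interval of 20 seconds recommended in 10.3.1.3, a firewall failover should show an outage of roughly 60 seconds in `measure_outage`; a much longer gap points at a sync-group or routing problem rather than at VRRP timing.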

10.3.1.6. Flow of communication when a firewall failure occurs

At failure, the route switches to FW-02.
function_a_3

Note

To simulate an instance failure, VRRP on FW-01 was temporarily disabled.
Any vrrp-group can be stopped and resumed with the following commands.
# Stop
 set interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable
# Resume
 delete interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable

Check Status When a Failure Occurs

The status of the firewall at the time of failure can be confirmed as follows.
  • VRRP status

FW-01 VRRP is stopped.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----

Note

  • The status is not displayed since VRRP of FW-01 is stopped.

FW-02 is Master.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     MASTER  dp0vrrp2   no     5m4s        test
dp0s5             20     MASTER  dp0vrrp3   no     5m4s        test
dp0s6             30     MASTER  dp0vrrp1   no     4m30s       test

Note

  • The load balancer status is checked in the same way as in the normal state.

Client Connection check

Even while the firewall failure persists, access was confirmed to work without problems.
HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the external client (HTTP access)
fun-a_untrustnw_http_sv01_02
Client browser screen on the external client (HTTPS access)
fun-a_untrustnw_https_sv01_02
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the trusted client (HTTP access)
fun-a_trustnw_http_sv01_02
Client browser screen on the trusted client (HTTPS access)
fun-a_trustnw_https_sv01_02

This completes the confirmation at firewall failure.

10.3.1.7. Flow of traffic when a load balancer failure occurs

At failure, the route switches to LB-02.
function_a_4

Note

Unlike the firewall, the load balancer cannot have VRRP disabled manually (product specification). An instance failure is therefore reproduced here by changing the Priority value.
The following methods can also be used to force a VRRP switchover:
  • Disable all Virtual IPs and delete the VMAC configuration.

  • Restart the instance (if Preemption is enabled, the roles revert according to Priority once the instance is back).

Stopping VRRP by deleting the VMAC and disabling all IP resources ensures that the standby unit takes over reliably.

Check Status When a Failure Occurs

The status of the LB at the time of failure can be confirmed as follows.
Note: to trigger the VRRP switchover, the Priority value of LB 01 is changed from 200 to 90, below the value of 100 configured on LB 02.
  • VRRP status

Move to the menu “System”-“Network”-“VMAC” and confirm the VRRP setting.
LB-01 must be Backup.
fun-a_lb06
LB-02 must be Master.
fun-a_lb05
  • Virtual Server status

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers"-"Statistics" and check that the virtual servers are in the UP state.
fun-a_lb03

Client Connection check

Even while the load balancer failure persists, access was confirmed to work without problems.
HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the external client (HTTP access)
fun-a_untrustnw_http_sv01_02
Client browser screen on the external client (HTTPS access)
fun-a_untrustnw_https_sv01_02
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (accessed twice each) [OK]

The requests reach the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02.
fun-a_lb04
Client browser screen on the trusted client (HTTP access)
fun-a_trustnw_http_sv01_02
Client browser screen on the trusted client (HTTPS access)
fun-a_trustnw_https_sv01_02
This completes the confirmation of status at load balancer failure.