fortinet/aws-cloudformation-templates

Using Ingress Routing (Edge Associations) breaks DualAZ config

FrozenDragoon opened this issue · 1 comment

Using Ingress Routing (Edge Associations) breaks this config due to the HAMgmt interface no longer being able to reach AWS.

I'm working on getting this set up using the DualAZ config. Everything worked well, until we wanted to expose a back-end server to the Internet. I then configured an ingress route table, with an Edge Association (as detailed here https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/).

This works extremely well, except for the fact that it breaks access to the Standby Cluster Member, and it breaks failover.
The issue lies with the fact that the automatic update (SDN Connector?) is changing a route that must remain static.
(screenshot of the route table, 2023-05-09)

In this route table:

  • The two /20s are the private subnets; those should both point to the same interface (ending in 793), the Public (interface 1) of the currently active FW.
  • 10.19.226.0/24 is FGT1's HAMgmt subnet - target of FGT2's HAMgmt Interface <- This is the issue
  • 10.19.242.0/24 is FGT2's HAMgmt subnet - target of FGT2's HAMgmt Interface (ending in 3df)

```
awsd checking ha status for vdom root
awsd checking elastic ip for port1
awsd checking elastic ip for port2
awsd update route table rtb-03XXXXXXXXXXba1, replace route of dst 10.19.226.0/24 to eni-0b2XXXXXXXX3df
awsd update route successfully
awsd reap child pid: 17044
XXXX-AWS-FW2 # diag deb app awsd 0
```

TLDR

The /24 routes need to remain static, pointing to their individual gateway. But due to the automatic update, they are both pointing to the currently active member. On failover the newly active member cannot access AWS on the HAMgmt interface and the Elastic IP is never moved to the newly active FGT.


Is there maybe a way to exempt a specific route? Or something in AWS itself that I'm missing?
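As an added example (not code from the fortinet repository or the issue author), the following Python model reproduces the route rewrite described above and gives an audit check that flags HAMgmt /24 routes which have drifted away from their own unit's ENI. The /20 CIDRs and every ENI id except the one quoted in the awsd log are constructed placeholders.

```python
# Added example: models the awsd failover behaviour reported in the issue and
# audits a route table for HAMgmt routes that must stay pinned to their own unit.
# ENI ids (except eni-0b2XXXXXXXX3df from the log) and the /20 CIDRs are constructed.
from typing import Dict, List

# Constructed sample: FGT1 is currently active.
FGT1 = {"port1": "eni-fgt1-port1-PLACEHOLDER", "hamgmt": "eni-fgt1-hamgmt-PLACEHOLDER"}
FGT2 = {"port1": "eni-fgt2-port1-PLACEHOLDER", "hamgmt": "eni-0b2XXXXXXXX3df"}

# Routes that must never follow the active member: each HAMgmt subnet -> its own unit's HAMgmt ENI.
PINNED = {
    "10.19.226.0/24": FGT1["hamgmt"],   # FGT1's HAMgmt subnet
    "10.19.242.0/24": FGT2["hamgmt"],   # FGT2's HAMgmt subnet
}

# Same shape as boto3 ec2.describe_route_tables()['RouteTables'][i]['Routes'] entries.
ROUTES: List[Dict[str, str]] = [
    {"DestinationCidrBlock": "10.19.0.0/20",   "NetworkInterfaceId": FGT1["port1"]},  # private subnet (constructed CIDR)
    {"DestinationCidrBlock": "10.19.16.0/20",  "NetworkInterfaceId": FGT1["port1"]},  # private subnet (constructed CIDR)
    {"DestinationCidrBlock": "10.19.226.0/24", "NetworkInterfaceId": FGT1["hamgmt"]},
    {"DestinationCidrBlock": "10.19.242.0/24", "NetworkInterfaceId": FGT2["hamgmt"]},
]

def simulate_awsd_failover(routes, old_active, new_active):
    """Model of the behaviour the issue reports: on failover every route whose target
    is one of the old active unit's ENIs is rewritten to the matching ENI of the new
    active unit, HAMgmt routes included. Returns a new route list."""
    remap = {old_active[port]: new_active[port] for port in old_active}
    return [{**r, "NetworkInterfaceId": remap.get(r["NetworkInterfaceId"], r["NetworkInterfaceId"])}
            for r in routes]

def find_drifted_pinned_routes(routes, pinned):
    """Audit check: return {cidr: (expected_eni, actual_eni)} for every pinned route
    that no longer points at its own unit's HAMgmt ENI (or is missing entirely)."""
    actual = {r["DestinationCidrBlock"]: r.get("NetworkInterfaceId") for r in routes}
    return {cidr: (eni, actual.get(cidr)) for cidr, eni in pinned.items()
            if actual.get(cidr) != eni}

if __name__ == "__main__":
    after = simulate_awsd_failover(ROUTES, FGT1, FGT2)
    for cidr, (want, got) in find_drifted_pinned_routes(after, PINNED).items():
        print(f"DRIFT {cidr}: expected {want}, found {got}")
```

Running the audit against the live table after a failover (feeding it the routes returned by describe_route_tables) shows immediately whether the standby's HAMgmt route has been clobbered before the Elastic IP move fails.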

Hi,

Currently, during the HA failover, we can't exempt a specific route from failing over on the FGT side, as it will fail over any routes that target the FGT's ENI.

Will file an internal ticket to have that addressed.

Cheers