Using Ingress Routing (Edge Associations) breaks DualAZ config
FrozenDragoon opened this issue · 1 comments
Using Ingress Routing (Edge Associations) breaks this config due to the HAMgmt interface no longer being able to reach AWS.
I'm working on getting this set up using the DualAZ config. Everything worked well, until we wanted to expose a back-end server to the Internet. I then configured an ingress route table, with an Edge Association (as detailed here https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/).
This works extremely well, except for the fact that it breaks access to the Standby Cluster Member, and it breaks failover.
The issue lies with the fact that the automatic update (SDN Connector?) is changing a route that must remain static.
In this route table:
- The two /20s are the private subnets; those should both be pointing to the same interface (ending in 793) - the Public (interface 1) of the currently active FW.
- 10.19.226.0/24 is FGT1's HAMgmt subnet - target of FGT2's HAMgmt Interface <- This is the issue
- 10.19.242.0/24 is FGT2's HAMgmt subnet - target of FGT2's HAMgmt Interface (ending in 3df)
awsd checking ha status for vdom root
awsd checking elastic ip for port1
awsd checking elastic ip for port2
awsd update route table rtb-03XXXXXXXXXXba1, replace route of dst 10.19.226.0/24 to eni-0b2XXXXXXXX3df
awsd update route successfully
awsd reap child pid: 17044
XXXX-AWS-FW2 # diag deb app awsd 0
TL;DR
The /24 routes need to remain static, pointing to their individual gateway. But due to the automatic update, they are both pointing to the currently active member. On failover the newly active member cannot access AWS on the HAMgmt interface and the Elastic IP is never moved to the newly active FGT.
Is there maybe a way to exempt a specific route? Or something in AWS itself that I'm missing?
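One way to detect the drift described in this post after a failover, as an added example that is not part of the issue or of the FortiGate templates: the script reads saved `aws ec2 describe-route-tables` JSON (a constructed sample is embedded, with placeholder ENI ids and placeholder /20 CIDRs, since the issue only shows masked ids) and reports any HAMgmt /24 whose target no longer matches its own FortiGate's HAMgmt ENI, private /20s that do not share one target, and blackholed routes.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# ENI ids and the /20 CIDRs are placeholders; only 10.19.226.0/24 and
# 10.19.242.0/24 are taken from the issue.
SAMPLE = json.loads("""{
  "RouteTables": [{
    "RouteTableId": "rtb-PLACEHOLDER",
    "Routes": [
      {"DestinationCidrBlock": "10.19.0.0/20",   "NetworkInterfaceId": "eni-PLACEHOLDER793", "State": "active"},
      {"DestinationCidrBlock": "10.19.16.0/20",  "NetworkInterfaceId": "eni-PLACEHOLDER793", "State": "active"},
      {"DestinationCidrBlock": "10.19.226.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER3df", "State": "active"},
      {"DestinationCidrBlock": "10.19.242.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER3df", "State": "active"}
    ]
  }]
}""")

# Routes that must never follow the active member: each HAMgmt /24 keeps
# pointing at its own FortiGate's HAMgmt ENI (FGT1 id is a placeholder).
PINNED = {
    "10.19.226.0/24": "eni-PLACEHOLDERfgt1",   # FGT1 HAMgmt ENI
    "10.19.242.0/24": "eni-PLACEHOLDER3df",    # FGT2 HAMgmt ENI
}
# Routes that must all share one target (port1 of the active member).
FLOATING = ["10.19.0.0/20", "10.19.16.0/20"]


def audit_ingress_routes(describe_output, pinned, floating):
    """Return a list of findings; an empty list means the table is as expected."""
    findings = []
    for table in describe_output["RouteTables"]:
        rtb = table["RouteTableId"]
        by_dst = {r.get("DestinationCidrBlock"): r for r in table["Routes"]}
        # Rule 1: pinned HAMgmt routes must still point at their own ENI.
        for dst, want in pinned.items():
            route = by_dst.get(dst)
            got = route.get("NetworkInterfaceId") if route else None
            if got != want:
                findings.append((rtb, dst, "pinned route moved", got, want))
        # Rule 2: the floating private routes must agree on a single target.
        targets = {by_dst[d].get("NetworkInterfaceId") for d in floating if d in by_dst}
        if len(targets) > 1:
            findings.append((rtb, ", ".join(floating), "floating routes split", sorted(targets), None))
        # Rule 3: a blackholed route means its ENI is gone.
        for r in table["Routes"]:
            if r.get("State") == "blackhole":
                findings.append((rtb, r.get("DestinationCidrBlock"), "blackhole", None, None))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress_routes(SAMPLE, PINNED, FLOATING):
        print(finding)
```

Run it against `aws ec2 describe-route-tables --route-table-ids <rtb> > routes.json` output before and after a forced failover to see exactly which route awsd rewrote.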
Hi,
Currently, during the HA failover, a specific route can't be exempted from failover on the FGT side, as it will fail over any routes that have the FGT's ENI as their target.
Will file an internal ticket to have that addressed.
Cheers