
XG Azure appliance HA mode?

We deployed an XG appliance into azure to act as the firewall for our servers. At the time, High Availability was not supported on this version. Has this become available in the past 9 months? Google isn't returning much. 

 

Thanks,



  • Not that I have seen.  I've never tried to do it, but maybe with a load balancer in front you can get HA working?  That way the public IPs terminate at the LB?  Maybe I will give that a shot and report back.

     

    From what I have gathered, they are looking to do something similar to the UTM in AWS once the XG supports the APIs.  In the meantime, I just have the conversation with clients about the potential impact.  We have cold standby units configured and ready to go, just deprovisioned.

     

    Thanks,

    John

  • Thank you for the input. I didn't think of having a cold unit waiting in the wings. Are you using the same license key on the cold unit?

  • Just a config backup/restore.

    I should preface that it would be more for a regional issue.  We don't qualify for any SLA guarantee with only a single VM in an AS so this is why we discuss the pros/cons and the potential impact with clients.  Having a plan for another region is really what we are doing with the cold spare.  I'm looking forward to us having more options in this area.

    I still haven't had a chance to try the option I was thinking.  Who knows, might work, but not supported?  I'll try next week and get back with you.

  • Thought you might find this useful, just found an HA deployment template up in the Sophos GitHub for XG:

    https://github.com/sophos-iaas/xg-azure

    Scroll down to the bottom.  Going to test it out and see how it works, but might be just what you are looking for.

  • I work around the Azure space for work and just a few things here I thought to mention.

    First, if you only have a single machine you should not deploy it into an availability set. When deployed to an availability set, Microsoft will assume you've taken care of HA and that they can reboot the server for maintenance without issues. This can happen anytime, including during business hours. If you deploy it outside of an availability set Microsoft might still reboot it; however, they'll be mindful that you don't have HA, so they'll try to do it out of hours / weekends. So if you're only deploying one, do not use an availability set.

    Availability Set Info

    Avoid leaving a single instance virtual machine in an availability set by itself. VMs in this configuration do not qualify for a SLA guarantee and face downtime during Azure planned maintenance events, except when a single VM is using Azure Premium Storage

    For a single IaaS VM in Azure you do not get an SLA, but only if it's deployed to HDD storage. They changed this, and if you deploy to Premium Storage (SSD) you'll get a 99.9% SLA on that server. So while a firewall doesn't really need SSD storage and it would cost you more money to deploy it this way, it's worth considering if having an SLA and more uptime for that firewall is important. I suspect, being a firewall, that uptime is likely important.

    SLA for Virtual Machines

    The final thing to mention is that the biggest hurdle in Azure for HA is User Defined Routing (UDRs). These are used to route traffic to your firewall from virtual machines, etc., so for outbound traffic. Limitations in the Azure Load Balancer mean that it cannot be used, so you have to point to a single VM. Some providers of firewalls in Azure have code to log into Azure to adjust the UDRs and do this to have an HA function.

    For firewalls that do not support this we've built a script that basically polls the firewalls every minute and, if there's a routing problem detected, it will switch the UDRs to the other firewall and vice versa. Obviously there's a bit more to it, and the script has to run across two boxes itself to be HA; however, the solution has been tested a couple of times and works. I cannot supply the script unfortunately as it's the IP of the consultancy that I work for. Just saying this can be solved if HA is critical.

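The poll-and-repoint approach the post above describes, written out as an added example. This is not the consultancy's script (which the poster says is not available) and not Sophos code; it only shows the failover decision logic. It assumes two firewall VMs at the constructed addresses 10.0.1.4 and 10.0.1.5, models the Azure route table as an in-memory object, and replaces the health check with a scripted probe; the one place the real Azure call would go (the SDK's `routes.begin_create_or_update`, or `az network route-table route update --next-hop-ip-address`) is marked in a comment. Running the script on two boxes so the watchdog itself is HA, as the poster notes, is outside what is shown here.

```python
"""Active/standby UDR failover logic for two firewall VMs in Azure (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Route:
    """One UDR entry. next_hop_ip is None for routes that do not go via a
    virtual appliance (e.g. next hop type Internet); those are never touched."""
    name: str
    address_prefix: str
    next_hop_ip: Optional[str]


class RouteTable:
    """Constructed in-memory stand-in for an Azure route table.

    Assumption: in production set_next_hop() would rewrite the route with the
    Azure SDK (NetworkManagementClient.routes.begin_create_or_update with
    next_hop_type 'VirtualAppliance') or with
    `az network route-table route update --next-hop-ip-address <ip>`.
    """

    def __init__(self, routes: List[Route]) -> None:
        self.routes: Dict[str, Route] = {r.name: r for r in routes}
        self.update_log: List[Tuple[str, str]] = []  # (route name, new next hop)

    def routes_via(self, ip: str) -> List[str]:
        """Names of the routes whose next hop is the given appliance IP."""
        return [r.name for r in self.routes.values() if r.next_hop_ip == ip]

    def set_next_hop(self, route_name: str, ip: str) -> None:
        self.routes[route_name].next_hop_ip = ip
        self.update_log.append((route_name, ip))


class FailoverController:
    """Probes both firewalls once per poll() and, after fail_threshold
    consecutive failed probes of the active one, repoints every route that goes
    via it at the standby and swaps roles.  There is no automatic failback: a
    recovered box simply becomes the standby, so an intermittently reachable
    firewall cannot flap the routes back and forth."""

    def __init__(self, active_ip: str, standby_ip: str, table: RouteTable,
                 probe: Callable[[str], bool], fail_threshold: int = 3) -> None:
        self.active_ip = active_ip
        self.standby_ip = standby_ip
        self.table = table
        self.probe = probe  # real deployments: TCP/ICMP check or a vendor health API
        self.fail_threshold = fail_threshold
        self.failures: Dict[str, int] = {active_ip: 0, standby_ip: 0}

    def _failed_cycles(self, ip: str) -> int:
        """Run one probe and return the current consecutive-failure count."""
        self.failures[ip] = 0 if self.probe(ip) else self.failures[ip] + 1
        return self.failures[ip]

    def poll(self) -> Optional[str]:
        """One poll cycle. Returns the new active IP if routes were moved, else None."""
        active_down = self._failed_cycles(self.active_ip) >= self.fail_threshold
        standby_down = self._failed_cycles(self.standby_ip) >= self.fail_threshold
        if not active_down or standby_down:
            # Either the active box is fine, or both are down and moving the
            # routes would only push traffic onto another dead appliance.
            return None
        for name in self.table.routes_via(self.active_ip):
            self.table.set_next_hop(name, self.standby_ip)
        self.active_ip, self.standby_ip = self.standby_ip, self.active_ip
        return self.active_ip


def simulate() -> dict:
    """Constructed scenario: fw-a (10.0.1.4) answers for two cycles, then goes
    silent; fw-b (10.0.1.5) stays healthy.  With fail_threshold=3 the routes
    move on the fifth cycle and the Internet route is left alone."""
    table = RouteTable([
        Route("default-to-fw", "0.0.0.0/0", "10.0.1.4"),
        Route("spoke-to-fw", "10.1.0.0/16", "10.0.1.4"),
        Route("to-internet-direct", "13.107.0.0/16", None),
    ])
    script = {  # scripted probe results per cycle (constructed data)
        "10.0.1.4": [True, True, False, False, False, False],
        "10.0.1.5": [True] * 6,
    }
    cursor = {ip: 0 for ip in script}

    def probe(ip: str) -> bool:
        result = script[ip][cursor[ip]]
        cursor[ip] += 1
        return result

    ctl = FailoverController("10.0.1.4", "10.0.1.5", table, probe, fail_threshold=3)
    events = [ctl.poll() for _ in range(6)]
    return {
        "events": events,
        "update_log": table.update_log,
        "final_next_hops": {n: r.next_hop_ip for n, r in table.routes.items()},
    }


if __name__ == "__main__":
    print(simulate())
```

The threshold is what stops a single lost probe from rewriting the route table; one minute of polling at a three-failure threshold means a few minutes of outage before traffic moves, which is the trade-off to discuss with the client alongside the cold-spare plan.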
