
Multinode High Availability in Azure Cloud

Read this document to understand how to configure Multinode High Availability on vSRX instances deployed on Azure cloud.

Overview

You can configure Multinode High Availability on vSRX Virtual Firewalls deployed in the Microsoft Azure Cloud. Microsoft Azure is Microsoft's application platform for the public cloud. It is an open, flexible, enterprise-grade cloud computing platform for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers.

You can configure a pair of vSRX Virtual Firewalls on Azure to operate in an active/backup Multinode High Availability configuration. Both participating nodes run their control and data planes at the same time. The nodes back each other up to ensure a fast, synchronized failover in case of a system or hardware failure. The interchassis link (ICL) connection between the two devices synchronizes and maintains state information and handles device failover scenarios.

You can configure Multinode High Availability on vSRX Virtual Firewall VMs by customizing firewall deployment settings in Microsoft Azure Cloud.

IPsec VPN Support

Starting in Junos OS Release 24.4R1, we support IPsec VPN for active/backup Multinode High Availability in Azure Cloud deployments.

Limitation

Multinode High Availability doesn’t support multiple SRG configurations (active/active) in public cloud deployments. Active/backup mode supports SRG0 or SRG1. IPsec VPN tunnel anchors at the SRG1, which works in a stateful active/backup mode. All VPN tunnels terminate on the device where the SRG1 is active.

Architecture

Figure 1 shows two vSRX Virtual Firewall instances forming a Multinode High Availability pair in the Azure cloud. One vSRX Virtual Firewall instance acts as the active node and the other instance acts as the backup node. Both nodes connect to each other using an ICL to synchronize and maintain state information and to handle device failover scenarios.

Figure 1: vSRX in Multinode High Availability Deployments in Azure Cloud

vSRX Virtual Firewall requires two public IP addresses and one or more private IP addresses for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. You can use any four revenue interfaces for the subnet configuration. The private interface is connected to the protected resources. It ensures that all traffic between applications on the private subnet and the Internet passes through the vSRX Virtual Firewall instance.

For Multinode High Availability on Azure, you must deploy both the firewalls within the same Azure Resource Group. An Azure Resource Group is a logical container that holds related resources for an Azure solution. It can include all the resources for the solution, or only those resources that you want to manage as a group.

You must allocate a node-specific primary address to each node and a common secondary, or floating, IP address shared by both nodes. The secondary IP address, which acts as the floating IP address, is always attached to the active node. If the current active node fails, the secondary IP address moves from the failed node to the new active node, which ensures the continued flow of traffic.

Initially, both nodes are launched with predefined tags stating which one owns the secondary IP address during boot-up. That node starts operating as the active node and the other one starts as the backup node.

Split-Brain Protection

The split-brain scenario refers to a situation where both nodes of the Multinode High Availability system become stuck in the same state, either active or backup, when the inter-chassis link (ICL) between the nodes is down. To prevent this state, both nodes attempt to probe the primary IP address of the trust or the untrust interface, based on the configuration.

When an Interchassis Link (ICL) experiences a failure along with a probe failure, the node that does not receive a reply from its peer will take on the active role. However, if the probe succeeds and confirms that the peer node is still operational, the node will maintain its current state. This probing process persists until the ICL is restored.

Example: Configure Multinode High Availability in Azure Cloud Deployment


Tip:
Table 1: Readability Score and Time Estimates
Reading Time          1 hour
Configuration Time    2 hours

Example Prerequisites

Read this topic to understand how to configure the Multinode High Availability solution on SRX Series Firewalls.

In this example, we'll show you how to configure Multinode High Availability on two vSRX Virtual Firewall instances deployed in the Azure Cloud.

VM requirements

Two vSRX Virtual Firewalls deployed on Azure Cloud

Software requirements

Junos OS Release 23.4R1 or later releases

Licensing requirements

Use vSRX Virtual Firewall license or request an evaluation license. Licenses can be procured from the Juniper Networks License Management System (LMS).

Before You Begin

Benefits

Increases the availability of vSRX Virtual Firewalls deployed in Azure, which results in improved reliability and reduced downtime.

Know more

vSRX Virtual Firewall with Microsoft Azure Cloud

Learn more

Deploying Juniper Security in AWS and Azure

Functional Overview

Technologies used

  • Interfaces and zones
  • Multinode high availability
  • Monitoring options
  • Routing policy, protocols, and routing options

Primary verification tasks

  • High Availability information about both nodes
  • Multinode High Availability status on Azure Cloud

Topology Overview

Figure 2 shows the topology used in this example.

Figure 2: Multinode High Availability Configuration on vSRX VMs Deployed in Azure

As shown in the topology, two vSRX Virtual Firewall instances (vSRX Node 0 and vSRX Node 1) are deployed in the Azure Cloud. The untrust side connects to a public network while the trust side connects to the protected resources.

Two vSRX Virtual Firewall instances are placed in the public subnet as public subnets have access to the Internet gateway.

In a Multinode High Availability setup, a floating IP address moves between the two SRX Series Firewalls if a link or a firewall fails. Because the primary IP address of an Azure network interface cannot be moved to another VM, you assign a secondary IP address as the floating IP. When the active node fails, the floating IP address shifts to the backup node, allowing it to seamlessly handle traffic as the new active peer.

In addition, you must set up an interchassis link (ICL) for data synchronization and maintaining state information. The nodes communicate with each other using a routable IP address that is assigned to ICL.

The following table provides interface and IP address details used in this example.

Table 2: Interfaces and IP Addresses
Interface   Function                      Primary Node (vSRX Node 0)                                    Backup Node (vSRX Node 1)
ge-0/0/0    ICL to connect to peer node   10.0.1.10/24                                                  10.0.1.11/24
ge-0/0/1    Untrust interface             10.0.2.110/24 (primary), 10.0.2.11/24 (secondary, floating)   10.0.2.20/24 (primary)
ge-0/0/2    Trust interface               10.0.3.10/24 (primary), 10.0.3.12/24 (secondary, floating)    10.0.3.20/24 (primary)

You need to select the vSRX Virtual Firewall image from Azure Marketplace and customize the vSRX Virtual Firewall VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud. This deployment approach might be required for configuring Multinode High Availability on vSRX VMs. Note that this deployment scenario is outside of the use cases offered in the vSRX Virtual Firewall VM solution templates available from Juniper Networks.

Let’s dive into the details of each step for deploying the vSRX Virtual Firewall on Microsoft Azure.

Configuration in Azure Portal

In this example, you deploy two virtual machines (VMs) for the vSRX Firewall instances, vsrx3.0-node0 and vsrx3.0-node1. You must configure a Resource Group, Virtual Network, Public IP addresses, and Network Security Groups for the VMs. The following tables provide the details of the resources used in this example.
Table 3: Resources Details in Azure for vSRX VMs
Name Type
azure-vsrx3.0 Resource Group
azure-vsrx3.0-vnet Virtual network
vsrx3.0-node0 Virtual machine for Node 0
vsrx3.0-node1 Virtual machine for Node 1
vsrx3.0-node0-ip Public IP address for Node 0
vsrx3.0-node1-ip Public IP address for Node 1
vsrx3.0-node0-nsg Network security group for Node 0
vsrx3.0-node1-nsg Network security group for Node 1
vsrx3.0-node172 Network Interface for Node 0
vsrx3.0-node719 Network Interface for Node 1
Table 4: Network Interface Details for vSRX VMs
Name Primary Private IP
L3HA-ge-0 10.0.1.10
L3HALink-node1 10.0.1.11
node0-ge-1 10.0.2.110
node0-ge-2 10.0.3.10
node1-ge-1 10.0.2.20
node1-ge-2 10.0.3.20

Create a Resource Group

A resource group is a logical container for resources deployed in Azure. It helps you manage and organize related resources. The vSRX VM is a resource within an Azure resource group. All components related to the vSRX (such as virtual network, storage account, public IP, etc.) are part of the same resource group.
  1. Sign into the Azure portal.
  2. Click on Create a resource.
  3. Search for Resource group and create a new one.
  4. Choose a name, enter subscription, and select region for the resource group.
  5. Click Review + create and then Create. The following image shows a sample of Resource Group.

    See Create a Resource Group for details.

Assign IAM (Identity and Access Management) Role

IAM roles control access to Azure resources. Assigning roles ensures that only authorized identities (users, groups, or service principals) can manage specific resources. Assign a role on the resource group to the user or user group that will manage the deployment. The vSRX VMs themselves get a separate, narrower role through their managed identity, which you configure after creating the virtual network.

  1. Navigate to your resource group.
  2. Click on Access control (IAM).
  3. Add a new role assignment.
  4. Select the desired role (for example, Contributor or Owner); prefer the least privileged role that covers the tasks.
  5. Choose the user, group, or service principal to assign the role to.
  6. Review and save the role assignment.

Create a Storage Account

A storage account provides a unique name space to store and access data objects in Azure.
  1. In your resource group, click on Create (+).
  2. Search for "Storage account" and create a new one.
  3. Specify the name, deployment model, performance, and other settings.
  4. Click Review + create and then Create. See Create a Storage Account for details.

Create a Virtual Network

A virtual network (VNet) is the foundation for your Azure infrastructure. It allows you to securely connect Azure resources.

  1. In your resource group, click on Create (+).
  2. Search for Virtual network and create a new one.
  3. Define the name, address space, and subnet configuration.
  4. Click Review + create and then Create.
  5. Click Settings > Subnets. The subnets are used to connect the two vSRX Virtual Firewall nodes using a logical connection (like the physical cable connecting ports).

    Following table shows a sample configuration used in this example.

    Table 5: Subnet Configuration in Azure Portal
    Function             CIDR           Role
    Management Subnet    10.0.3.0/24    Management traffic (fxp0)
    ICL subnet           10.0.1.0/24    RTO, synchronization, and probe-related traffic
    Untrust Subnet       10.0.2.0/24    External traffic
    Trust Subnet         10.0.3.0/24    Internal traffic

    Note that the management subnet and the trust subnet are listed here with the same CIDR. Subnets within an Azure virtual network cannot overlap, so give the management subnet (fxp0) its own address range when you build the VNet.
    See Create a Virtual Network for details.

Assign IAM Role to the Managed Identity

  1. Grant the vSRX VMs permission to call the Azure API through their managed identity by navigating to Home > Managed Identities.
  2. Select your Resource Group, select Azure role assignments, and click the role to which you want to assign permissions.

    The role needs the following permissions (actions):

    • Microsoft.Authorization/*/read
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Network/networkInterfaces/*
    • Microsoft.Network/virtualNetworks/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/publicIPAddresses/write
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/routeTables/*

    Scope the role to the resource group that holds the two vSRX VMs rather than to the whole subscription. These actions are what the firewall uses to move the secondary IP address and routes at failover; a broad built-in role such as Contributor grants far more than that.
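The permission list above is what the firewall needs to move the floating secondary IP address and the route table entries between the two nodes. Rather than handing the VM's identity a built-in role such as Contributor, a practitioner wraps exactly these actions in a custom role that is assignable only inside the resource group and binds it to each VM's system-assigned managed identity. The script below does that; it is an added example and not Juniper's documentation or tooling. The role name vsrx-mnha-operator, the subscription ID, and the resource group and VM names are assumptions for illustration. It prints the `az` commands instead of running them, so you can review the role definition before it is created.

```python
"""Least-privilege Azure custom role for the vSRX MNHA managed identity.

Added example (not Juniper code). Builds the custom role definition in the
JSON shape that `az role definition create` accepts and emits the `az`
commands that create it and bind it to each VM's system-assigned identity.
"""
import json
import shlex

# The actions the page lists, with the duplicate entries removed.
MNHA_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/virtualNetworks/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/routeTables/*",
]

ROLE_NAME = "vsrx-mnha-operator"  # assumed name, not from the page


def rg_scope(subscription_id: str, resource_group: str) -> str:
    """ARM resource ID of the resource group that holds both vSRX VMs."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def role_definition(subscription_id: str, resource_group: str) -> dict:
    """Custom role definition restricted to one resource group.

    AssignableScopes lists only the resource group, so the role cannot be
    bound at subscription scope by mistake.
    """
    return {
        "Name": ROLE_NAME,
        "IsCustom": True,
        "Description": "Move MNHA floating IPs and routes between vSRX NICs",
        "Actions": list(dict.fromkeys(MNHA_ACTIONS)),  # keeps order, drops repeats
        "NotActions": [],
        "AssignableScopes": [rg_scope(subscription_id, resource_group)],
    }


def az_commands(subscription_id, resource_group, vm_names, role_file="mnha-role.json"):
    """Return the az invocations as argv lists; nothing is executed here.

    Per VM: enable the system-assigned identity, then assign the role to its
    principal ID (read back with `az vm show`) at resource-group scope.
    """
    scope = rg_scope(subscription_id, resource_group)
    cmds = [["az", "role", "definition", "create", "--role-definition", f"@{role_file}"]]
    for vm in vm_names:
        cmds.append(["az", "vm", "identity", "assign", "-g", resource_group, "-n", vm])
        principal = f"$(az vm show -g {resource_group} -n {vm} --query identity.principalId -o tsv)"
        cmds.append([
            "az", "role", "assignment", "create",
            "--assignee-object-id", principal,
            "--assignee-principal-type", "ServicePrincipal",
            "--role", ROLE_NAME, "--scope", scope,
        ])
    return cmds


def render_script(subscription_id, resource_group, vm_names, role_file="mnha-role.json"):
    """Render a POSIX shell script that writes the role JSON and runs the commands."""
    body = json.dumps(role_definition(subscription_id, resource_group), indent=2)
    lines = ["#!/bin/sh", "set -eu", f"cat > {role_file} <<'EOF'", body, "EOF"]
    for argv in az_commands(subscription_id, resource_group, vm_names, role_file):
        # Leave the $( ... ) substitution unquoted so the shell expands it.
        lines.append(" ".join(a if a.startswith("$(") else shlex.quote(a) for a in argv))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_script("00000000-0000-0000-0000-000000000000", "azure-vsrx3.0",
                        ["vsrx3.0-node0", "vsrx3.0-node1"]))
```

Run the printed script with an account that can create role definitions in the subscription. Role assignments can take a few minutes to propagate, so wait before expecting the firewall's first API call to succeed.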

Now you are ready to deploy vSRX VMs.

Deploy vSRX VMs

Use the following steps to deploy two vSRX VM instances. You'll use these two instances to set up Multinode High Availability. For details, see Deploy the vSRX Virtual Firewall Image from Azure Marketplace.

  1. Sign into the Azure portal using your Microsoft account credentials.
  2. Click Create a resource and search the Azure Marketplace for vSRX Virtual Firewall.
  3. Select the vSRX VM image from the Azure Marketplace.

  4. Configure deployment settings by providing the following details:
    1. Name for your vSRX VM.
    2. Resource Group. (You can create a new one or use an existing group.) In this example, use azure-vsrx3.0, which you created previously.
      Note:

      Deploy both vSRX Virtual Firewall instances in the same resource group. The resource group will hold all the resources associated with the vSRX Virtual Firewalls for this deployment.

    3. Subscription
    4. VM Disk Type
    5. Region where you want to deploy the VM.
    6. Authentication Type
    7. Username and password for VM access.
  5. Configure the storage, networking, and monitoring settings for the vSRX Virtual Firewall VM. This includes specifying the storage account, virtual network, subnet, public IP address, network security group, VM extensions, availability set, and monitoring options.
  6. Review your settings and click Create.

Azure will start provisioning the vSRX VM based on your configuration. After the vSRX Virtual Firewall VMs are created, the Azure portal dashboard lists the new vSRX Virtual Firewall VMs under Resource Groups.

Note:

Remember to customize these steps based on your specific requirements and network design.

Complete the following configurations in the Azure portal for the vSRX Virtual Firewall instances you just deployed:

Create Tags

On your vSRX VM page, select Tags from the left navigation bar.

Create tags in Azure on both VMs to identify the trust and untrust interfaces of the two vSRX Virtual Firewall instances. The following table shows the sample tags used in this example.

Table 6: Interface Tags
Tag Name                  Value
local_trust_interface     node0-ge-002
local_untrust_interface   node0-ge-001
peer_trust_interface      node1-ge-002
peer_untrust_interface    node1-ge-001

The tag names in the table are the defaults that the vSRX configuration expects; we recommend using the same tag names. The values shown are those set on vsrx3.0-node0; on vsrx3.0-node1 the local_* and peer_* values are swapped, because each node's local_* tags must name its own interfaces. Each value must match the name of the corresponding Azure network interface exactly.

Create a Public IP Address

In the Azure portal, go to the Create a resource section. Locate and select Networking and then go to Public IP address.

  1. Click on Create to start setting up a new public IP address.
  2. Configure IP address settings with following details:
    • Name: Enter a unique name for the public IP resource.
    • SKU: Choose between Basic and Standard offerings.
    • IP Version: Select IPv4 or IPv6 based on your requirements.
    • IP address assignment: Choose Static or Dynamic.
    • Select or create a resource group where this IP will reside.
    • Location: Choose the same Azure region as your VNet and VMs; a public IP can only be attached to a NIC in its own region.
  3. Once configured, review the settings and then click Create to allocate the public IP address.

Create a Network Interface

Plan the network interface configuration on the vSRX Series firewalls on Azure.

  1. Navigate to Network interfaces in the Azure portal under the Networking section.
  2. Click on Create network interface.
  3. Enter the following details for the new network interface:
    • Name: Provide a unique name for your NIC.
    • Region: Select the same region as your VNet, VMs, and IP addresses.
    • Virtual network: Choose the virtual network that you want your NIC to be associated with.
    • Subnet: Select the appropriate subnet.
  4. Attach the public IP address you created earlier, if required.
  5. Choose to create a new network security group or associate with an existing one.
  6. Review the settings and click Create to provision the new NIC.

Create a Network Security Group (NSG)

  1. Select Network security groups in the Networking category on the Azure portal.
  2. Select Create network security group.
  3. Set up your NSG with the following details:
    • Name: Create a name for your NSG.
    • Subscription: Verify you're working within the right subscription.
    • Resource group: Select an existing one or create a new one.
    • Location: Match it to the location of the resources you're protecting.
  4. Add rules: After creation, define inbound and outbound security rules to control traffic to and from your NIC and VMs.
  5. Go back to your NIC or subnet and associate it with the new NSG.
  6. Check the configurations and then create the NSG.

Remember to define appropriate security rules for your NSG to manage the traffic flow as per your requirements. At a minimum, the rules must permit the ICL and probe traffic between the two nodes on the ICL subnet (see Table 5) and the management access you need on fxp0.

Once you have created a network interface, a public IP address, and a network security group, you can attach the NIC to a virtual machine and the NSG to the NIC or a subnet. This completes the setup required for network connectivity and security in your Azure environment.

Set up Interfaces and IP Addresses

  1. Navigate to your deployed vSRX VM and click Settings > Networking.
  2. Locate the attached network interface.
  3. Click the network interface name to open its details. In the IP configurations section, you’ll find the assigned IP address (if any) and you can also configure IP address. For this example, use IP address configuration as mentioned in the following table:
Table 7: Configuration of Interfaces and IP Addresses on vSRX VMs

vSRX VM Node 0 (vsrx3.0-node0) (Active Node)
Setting                                           Untrust interface      Trust interface                   ICL
Interface                                         ge-0/0/1               ge-0/0/2                          ge-0/0/0
Primary IP address                                10.0.2.110             10.0.3.10                         10.0.1.10/24
Secondary IP address (static, from the subnet)    10.0.2.11              10.0.3.12                         -
Public IP associated with the secondary IP        172.16.0.0             Not applicable in this example    -
  to reach the Internet                           (placeholder value)

vSRX VM Node 1 (vsrx3.0-node1) (Backup Node)
Setting                                           Untrust interface      Trust interface                   ICL
Interface                                         ge-0/0/1               ge-0/0/2                          ge-0/0/0
Primary IP address                                10.0.2.20              10.0.3.20                         10.0.1.11/24
Secondary IP address                              See note               See note                          -
Public IP associated with the secondary IP        See note               Not applicable in this example    -
  to reach the Internet

Note: The secondary IP addresses are attached only to the active node. When the backup node transitions to the active role, it receives the same secondary IP addresses (10.0.2.11 on the untrust side and 10.0.3.12 on the trust side) together with the public IP associated with the untrust secondary.

Ensure you enable IP forwarding on the ICL interface, and on every other NIC that forwards traffic, and configure default routes on both the trust and untrust sides. Azure drops packets whose destination address does not belong to a NIC unless IP forwarding is enabled on that NIC.

Click Settings > Networking to display interfaces, subnet, and IP configurations of your VM.

After vSRX Virtual Firewall deployment is completed, the vSRX Virtual Firewall VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX Virtual Firewall VM.

Now that all configurations required on Azure portal are complete, let’s start configuration on vSRX Virtual Firewall using CLI.

Note:

Ensure you use the latest version of the vSRX software image (23.4R1 or later). You can upgrade Junos OS for vSRX Virtual Firewall directly from the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. Download the desired Junos OS release .tgz file for vSRX Virtual Firewall from the Juniper Networks website. See Migration, Upgrade, and Downgrade Instructions.

Configure vSRX Virtual Firewalls

Note:

For complete sample configurations on the DUT, see:

Junos IKE package is recommended on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series firewall, use the following command to install it. You require this step for ICL encryption.

  1. Configure interfaces for ICL, internal and external traffic.
    • Node 0
    • Node 1
  2. Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.
    • Node 0
    • Node 1
  3. Configure local node and peer node details.
    • Node 0
    • Node 1
  4. Associate the interface to the peer node for interface monitoring, and configure the liveness detection details.
    • Node 0
    • Node 1
  5. Configure SRG1 with deployment type as cloud, assign an ID, and set preemption and activeness priority.
    • Node 0
    • Node 1
  6. Configure Azure deployment-related options.
    • Node 0
    • Node 1
  7. Configure the security policy.

    Node 0 and Node 1

    Note:

    The security policy shown in this example is only for demonstration. You should configure security policies as per your network needs. Ensure that your security policies allow only the applications, users, and devices that you trust.

  8. Configure routing instance.
    • Node 0
    • Node 1
  9. Configure policy options.
    • Node 0
    • Node 1

    For encrypting the ICL, use the following sample configuration:

    See Example: Configure Multinode High Availability in a Layer 3 Network for details.

Verification

Use the show commands to confirm that the configuration is working properly.

Table 8: Show Commands for Verification
Command                                              Verification Task
show chassis high-availability information           Display details of the Multinode High Availability status on your security device, including the health status of the peer node.
show security cloud high-availability information    Display the status of the Multinode High Availability deployment on the public cloud (AWS or Azure).

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your vSRX Virtual Firewall instance.

Action

From operational mode, run the following command on both the devices.

On Node 0 (Active Node)

On Node 1 (Backup Node)

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.
  • The field Deployment Type: CLOUD indicates that configuration is for the cloud deployment.
  • The field Services Redundancy Group:1 indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.

Check Multinode High Availability Information on Azure

Purpose

Check the status of Multinode High Availability deployment in Azure Cloud.

Action

From operational mode, run the following command:

Meaning

Verify these details from the command output:

  • The field Cloud Type: Azure indicates the deployment is for Azure.
  • The field Cloud Service Type: Secondary IP indicates that the Azure deployment uses the secondary IP to control traffic.
  • The field Cloud Service Status: Bind to Peer Node indicates that the secondary IP address is bound to the peer node, meaning the current node is the backup node.

Basic Troubleshooting Checklist

  1. Check that the secondary IP addresses of the untrust and trust interfaces are on the same vSRX VM instance.
  2. Check that the four tag values match the Azure network interface names exactly.
  3. Check that the NSG inbound rules permit the required traffic, including the ICL and probe traffic between the nodes.
  4. Check that IP forwarding is enabled on the interfaces in the Azure portal.
  5. Check that the routes in the Azure route table and the routes on the vSRX CLI are in sync.
  6. Check in the Azure portal that the floating IP addresses are attached to the untrust and trust interfaces of the active node.
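Items 1, 2 and 4 of this checklist, together with the requirement from Table 6 that each node's tags mirror its peer's, can be checked from the JSON that `az vm show --query tags` and `az network nic list` return instead of clicking through the portal. The script below is an added example, not Juniper tooling. The field names it reads (enableIpForwarding, ipConfigurations[].privateIpAddress, ipConfigurations[].primary, virtualMachine.id) follow the az CLI output and are an assumption to confirm against your CLI version. The sample data at the bottom is constructed for this example from the addresses in Tables 2, 4 and 7; it uses the NIC names from Table 4, so a tag value written in the form shown in Table 6 (node0-ge-002) would be reported as not matching a NIC, which is exactly the mismatch checklist item 2 is meant to catch.

```python
"""Pre-flight checks for a vSRX MNHA pair in Azure (added example)."""
from collections import defaultdict

FLOATING_IPS = {"10.0.2.11", "10.0.3.12"}   # untrust / trust secondary IPs
TAG_KEYS = ("local_trust_interface", "local_untrust_interface",
            "peer_trust_interface", "peer_untrust_interface")


def check_tags(node0_tags, node1_tags, nic_names):
    """Every tag must exist, name a real NIC, and mirror the peer's tag."""
    problems = []
    for who, tags in (("node0", node0_tags), ("node1", node1_tags)):
        for key in TAG_KEYS:
            if key not in tags:
                problems.append(f"{who}: missing tag {key}")
            elif tags[key] not in nic_names:
                problems.append(f"{who}: tag {key}={tags[key]} is not a NIC in the resource group")
    for side in ("trust", "untrust"):
        if node0_tags.get(f"local_{side}_interface") != node1_tags.get(f"peer_{side}_interface"):
            problems.append(f"node0 local_{side}_interface and node1 peer_{side}_interface differ")
        if node1_tags.get(f"local_{side}_interface") != node0_tags.get(f"peer_{side}_interface"):
            problems.append(f"node1 local_{side}_interface and node0 peer_{side}_interface differ")
    return problems


def check_floating_ips(nics):
    """Both floating IPs must be secondary ip-configs on NICs of the same VM."""
    owners = defaultdict(set)          # floating IP -> VM ids whose NICs carry it
    for nic in nics:
        vm = (nic.get("virtualMachine") or {}).get("id", "<unattached>")
        for cfg in nic["ipConfigurations"]:
            ip = cfg["privateIpAddress"]
            if ip not in FLOATING_IPS:
                continue
            if cfg.get("primary"):     # a primary ip-config cannot be moved between NICs
                return [f"{ip} is the primary ip-config of {nic['name']}; it cannot float"]
            owners[ip].add(vm)
    problems = [f"{ip} is not assigned to any NIC" for ip in sorted(FLOATING_IPS - set(owners))]
    problems += [f"{ip} is assigned on more than one VM" for ip, vms in owners.items() if len(vms) > 1]
    all_vms = set().union(*owners.values())
    if not problems and len(all_vms) > 1:
        problems.append("floating IPs are split across VMs: " + ", ".join(sorted(all_vms)))
    return problems


def check_ip_forwarding(nics):
    """Azure drops forwarded packets on a NIC without IP forwarding; check every NIC."""
    return [f"IP forwarding disabled on {nic['name']}"
            for nic in nics if not nic.get("enableIpForwarding")]


def run_all(node0_tags, node1_tags, nics):
    """All findings for the pair; an empty list means the checks passed."""
    names = {nic["name"] for nic in nics}
    return (check_tags(node0_tags, node1_tags, names)
            + check_floating_ips(nics) + check_ip_forwarding(nics))


# ---- constructed sample data, not captured from a real subscription ----
def sample_nic(name, vm, ips, forwarding=True):
    """Minimal NIC record in the shape `az network nic list` returns (assumed)."""
    vm_id = f"/subscriptions/s/resourceGroups/azure-vsrx3.0/providers/Microsoft.Compute/virtualMachines/{vm}"
    return {"name": name, "enableIpForwarding": forwarding, "virtualMachine": {"id": vm_id},
            "ipConfigurations": [{"privateIpAddress": ip, "primary": i == 0} for i, ip in enumerate(ips)]}


SAMPLE_NICS = [
    sample_nic("L3HA-ge-0", "vsrx3.0-node0", ["10.0.1.10"]),
    sample_nic("node0-ge-1", "vsrx3.0-node0", ["10.0.2.110", "10.0.2.11"]),
    sample_nic("node0-ge-2", "vsrx3.0-node0", ["10.0.3.10", "10.0.3.12"]),
    sample_nic("L3HALink-node1", "vsrx3.0-node1", ["10.0.1.11"]),
    sample_nic("node1-ge-1", "vsrx3.0-node1", ["10.0.2.20"]),
    sample_nic("node1-ge-2", "vsrx3.0-node1", ["10.0.3.20"]),
]
NODE0_TAGS = {"local_trust_interface": "node0-ge-2", "local_untrust_interface": "node0-ge-1",
              "peer_trust_interface": "node1-ge-2", "peer_untrust_interface": "node1-ge-1"}
NODE1_TAGS = {"local_trust_interface": "node1-ge-2", "local_untrust_interface": "node1-ge-1",
              "peer_trust_interface": "node0-ge-2", "peer_untrust_interface": "node0-ge-1"}

if __name__ == "__main__":
    for line in run_all(NODE0_TAGS, NODE1_TAGS, SAMPLE_NICS) or ["all checks passed"]:
        print(line)
```

To run it against a real deployment, replace SAMPLE_NICS with `json.load` of `az network nic list -g azure-vsrx3.0 -o json` and the two tag dictionaries with `az vm show -g azure-vsrx3.0 -n <vm> --query tags -o json`. Run it after a failover as well: the floating-IP check should then report both secondaries on the other VM, which is checklist item 6.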

Set Commands on all Devices

vSRX Virtual Firewall (Node 0)

vSRX Virtual Firewall (Node 1)

Show Configuration Output

From configuration mode, confirm your configuration by entering the show chassis high-availability, show security zones, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

vSRX Virtual Firewall (Node 0)

vSRX Virtual Firewall (Node 1)