This article explains how to configure a site in the Amazon Web Services (AWS) cloud with two vSockets to provide high availability (HA).
To provide redundancy for vSockets within an AWS site, deploy two vSockets in a single VPC, and set them to work in a high availability (HA) configuration. The vSockets operate in active/passive mode and the LAN links are used to send keep-alive messages between the vSockets.
You can deploy the vSockets within a single Availability Zone (AZ) or in different AZs within the same VPC. Make sure that you associate both LAN subnets to the same route table.
The high availability solution requires that both vSockets have IAM permissions to use API calls to modify the route tables.
For more about installing a vSocket in AWS, see Deploying a vSocket Site from the AWS Marketplace. The vSocket image is publicly available in the AWS Marketplace.
-
High availability in AWS is supported for vSockets that are using Socket version 9.1 or higher
-
The AWS vSockets must have access to a public DNS server, make sure that the VPC isn't configured to only use a private DNS server.
-
The DNS server must be able to resolve internal AWS domains.
-
-
Each EC2 instance for a vSocket must have:
-
IAM permissions that allow the vSocket to modify the route table
-
Separate subnets for each LAN interface
-
Active MGMT interface that makes the API calls to change the routing table during failover
-
-
AWS security rules must allow traffic on UDP port 20480 in both directions between the LAN interfaces for the vSockets
Note
Notes:
-
Alt. WAN links are not supported for AWS HA deployments. You must remove any existing Alt. WAN links before you implement the HA solution.
-
BGP isn't supported for AWS vSocket HA (only supported for single AWS vSockets).
-
If you downgrade a vSocket to a version earlier than version 9.1, HA is disabled for the site. The secondary vSocket is removed from the site.
We recommend that you remove the HA settings from the site before you downgrade a vSocket to an unsupported earlier version.
This is the failover workflow when the primary active vSocket fails over to the secondary standby one in an AWS site.
-
The primary (active) vSocket goes down, and the HA link state for the LAN ENIs is changed to down.
-
The secondary (standby) vSocket sends an announcement that it is the new active (master) vSocket.
-
The secondary vSocket issues an API call to the AWS API gateway to modify the LAN route table and assign the secondary vSocket LAN ENI as the next hop for the 0.0.0.0/0 route.
Note: The MGMT interface must be enabled and active to make the API calls to change the routing table during failover.
-
The Gateway IP (next hop) for the Routed ranges (Sites > Networks) is automatically updated to the Gateway IP address for the Secondary Socket Native Range.
-
The secondary vSocket is now the active vSocket and passes traffic for the site.
-
When the primary vSocket recovers, it resumes the active role, and the secondary vSocket returns to standby status.
For more about HA and failover behavior, see What is Socket High Availability (HA).
This section describes the steps that you need to complete to prepare the AWS environment for vSocket HA.
Note
Note: The screenshots and examples in this article are based on the new AWS EC2 Experience for EC2 instances.
The secondary vSocket requires a separate subnet for its LAN interface (ENI) to send the keep-alive packets to the primary vSocket. This requirement is the same for single AZ and dual AZ HA deployments.
In the AWS VPC, create a subnet for the secondary vSocket LAN interface, and associate it to the VPC private route table. Make sure that the new subnet is associated with the same route table as the subnet for the Primary vSocket LAN interface.
Note
Notes:
-
You must associate all the LAN subnets to the same private route table.
-
If you create the LAN subnet for the secondary vSocket in a different Availability Zone, you must also create separate WAN and MGMT subnets in that Availability Zone.
The Identity and Access Management (IAM) role lets the vSocket make AWS API calls to change entries in the route table. Create an IAM role that gives the instance the correct permissions. Later you will attach this role to each vSocket.
Use a JSON file to create a new policy for the IAM role that includes AWS read-write permissions for these actions:
-
"ec2:CreateRoute"
-
"ec2:DescribeRouteTables"
-
"ec2:ReplaceRoute"
JSON File for the vSocket HA Policy
This is the JSON file for the IAM policy that assigns the necessary permissions for the vSockets to operate in an HA configuration. You can copy and paste the file in the Create policy window.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "ec2:CreateRoute", "ec2:DescribeRouteTables", "ec2:ReplaceRoute" ], "Resource": "*" } }
To create the IAM policy:
-
From the AWS Management Console, in Find Services search for IAM.
The Identity and Access Management (IAM) dashboard opens.
-
From the navigation menu, select Access management > Policies.
-
Click Create policy.
-
In the Create policy window, click the JSON tab.
-
Paste the contents of the JSON file to configure the permissions for the IAM role.
-
Click Review policy.
-
Enter the Name for the policy.
-
Click Create policy. The policy is created and added to the IAM policies.
Create an IAM role that you attach to the EC2 instances for the vSocket HA.
To create a new IAM role:
-
From the navigation menu, select Access management > Roles.
-
Click Create role.
-
In the Create role > Select type of trusted entity window, select AWS service and click EC2.
-
Click Next: Permissions. The Attach permissions policies window opens.
-
In the Search bar, enter the name of the IAM policy you created in the previous section.
-
Click Next: Tags. The Add tags window opens.
-
(Optional) Add tags to the IAM role. Click Next: Review. The Review window opens.
-
Enter the Role name for the IAM vSocket HA role.
-
Click Create role. The IAM vSocket HA role is created.
Locate and copy the private Route table ID for the VPC. You need this ID when you add the secondary vSocket to the AWS HA site in the Cato Management Application. The vSockets issue API calls to modify this route table as part of the failover process.
To locate the Route table ID:
-
From the Virtual Private Cloud navigation menu, select Route Tables.
-
Select the route table used for the LAN segment, and copy the Route Table ID.
Deploy the vSockets on the EC2 instances as the primary and secondary vSockets for the site.
-
For new sites, create a new site in the Cato Management Application and deploy the primary vSocket. (For existing sites, skip this step.)
-
Attach the IAM role to the EC2 instance for the primary vSocket.
-
Add the secondary vSocket to the site in the Cato Management Application.
-
Deploy the secondary vSocket to the AWS VPC.
-
Attach the IAM role to the EC2 instance for the secondary vSocket.
Note
Note: When you configure the IP settings for the site, make sure that you don't use IP addresses that are reserved by AWS. You can't use the first four IP addresses and the last IP address in a subnet CIDR block.
For more about AWS reserved IP addresses, see AWS documentation.
Complete these steps to deploy the primary vSocket on the EC2 instance. For a new AWS site, deploy the primary vSocket and attach the IAM role to the instance.
For existing AWS sites, upgrade the primary vSocket to version 9.1 or higher. Then attach the IAM role to the EC2 instance (the primary vSocket) and continue below with Attaching the IAM Role to a vSocket.
To deploy the primary vSocket for a new site:
-
Add a new AWS site to the Cato Management Application.
-
Install the primary vSocket on the EC2 instance.
For more about installing a vSocket in AWS, see Deploying a vSocket Site from the AWS Marketplace.
-
Attach the IAM role that you created above to the vSocket.
The screenshot above shows the AWS site after the primary vSocket is installed and upgraded to version 9.1 or higher.
Note
Note: For existing AWS sites, the Add Secondary Socket button is only shown after you upgrade the vSocket to version 9.1 or higher.
Attach the IAM role that you created above to the vSocket EC2 instance. The IAM role gives permissions to the vSocket to make API calls to modify the routing table for HA functionality.
After the Cato Management Application detects that the primary vSocket is connected to the Cato Cloud, the Add Secondary Socket option is shown in the Network > Sites > Site Configuration > Socket page.
When you add the secondary vSocket to the site, a pop-up window opens where you enter the following settings:
-
LAN ENI IP Address
-
LAN ENI Subnet
-
Route-Table ID
The Cato Management Application uses the LAN ENI IP Address as the management IP address for the secondary vSocket. This LAN ENI is also used to send HA keep-alive packets to the primary vSocket LAN interface.
The secondary vSocket settings in the Cato Management Application must be the same settings used in AWS.
After you add the secondary vSocket to the site, the Cato Management Application does the following:
-
Generates the vSocket serial number for the new vSocket (this serial number is used when you install the vSocket on the EC2 instance)
-
Enables the High Availability Configurations section for that site
-
Modifies the Site Configuration > Networks page with the new Native Ranges:
-
The LAN ENI IP address is shown as the Local IP of the network range
-
The LAN ENI subnet is shown as the subnet of the network range
-
For more about network segments in the HA site, see below Overview of AWS High Availability Network Segments in the Cato Management Application.
To configure an AWS site for high availability:
-
From the navigation menu, click Network > Sites, and select the AWS site.
-
From the navigation menu, select Site Configuration > Socket.
-
Click Add Secondary Socket. The Add Secondary vSocket (High Availability) window opens.
-
Configure the settings exactly as the LAN subnet for the vSocket EC2 instance:
-
Enter the LAN Interface IP. This value is used as the Local IP.
-
Enter the LAN ENI Subnet with the CIDR. This value is used as the Secondary Socket Native Range.
-
Enter the Route-Table ID of the private route table used for LAN ranges.
-
-
Click OK. The settings for the primary and secondary vSockets are configured and copied to the Site Configuration > Networks and High Availability Configurations sections.
-
Copy and save the vSocket serial number for the vSocket configuration script:
-
From the Sites list, select the new vSocket site.
-
From the navigation menu, click Site Configuration > Socket. Copy the serial number (S/N) and save it.
-
Use this serial number when you install the secondary vSocket on the EC2 instance.
Create and deploy the secondary vSocket in the AWS VPC with the IAM role that you created earlier.
-
Create the network interfaces
-
Attach the IAM role that you create above to the vSocket (see above Attaching the IAM Role to a vSocket)
-
Enter the serial number of the secondary vSocket site that was generated in the Cato Management Application
-
Configure the EC2 instance for the vSocket
Create the MGMT, WAN, and LAN interfaces for the vSocket for the EC2 instance. Use the EC2 dashboard to create the interfaces.
Set the Custom IP address for the LAN interface to the same IP address as the Local IP for the Native Range.
You need to disable AWS source/destination checking on the LAN interface to allow the EC2 instance to perform traffic forwarding.
Note
Note: To ensure proper vSocket behavior, make sure that you enable the DHCP options for the VPC are enabled and that they provide the DNS settings.
To create the network interface (ENI):
-
From the EC2 dashboard, in the navigation menu select Network & Security > Network Interfaces.
-
Click Create network interface.
-
In the Create network interface window, select the LAN Subnet.
-
(Optional for the LAN interface) In Private IPv4 address, click Custom and enter the Local IP for the Native Range.
-
In Security groups, select the appropriate security group for the interface.
-
Click Create network interface. AWS creates the interface.
-
Repeat the previous steps for the WAN and MGMT interface.
-
For the LAN interface, disable AWS source/destination tracking:
-
In the Network Interfaces window, right-click the LAN interface and select Change source/dest. check.
-
In the Change source/destination check window, clear Enable.
-
Click Save.
-
After you create all the virtual resources for the vSocket, connect these resources to your EC2 instance using the Cato Networks AMI available in the AWS Marketplace.
The following EC2 instance types are certified for vSockets:
-
c5.xlarge
-
d2.xlarge
-
c3.xlarge
-
t3.large
-
t3.xlarge
-
c4.xlarge
-
c5d.xlarge
-
c5n.xlarge (Suggested for higher performance sites with bandwidth above 2Gbps)
After preparing the environment, you can now configure the Cato Networks AMI.
Configure the AMI:
-
From the AWS Marketplace, search for Cato Networks Virtual Socket.
-
Click Continue to Subscribe.
-
Click Continue to Configuration.
-
Under Fulfillment option, select Amazon Machine Image.
-
Under Region, make sure to select the region in which your vSocket is located.
-
-
Click Continue to Launch.
-
In the Launch this Software page:
-
Under Choose Action, select Launch through EC2.
-
Under EC2 Instance Type, select the EC2 instance.
-
Under VPC Settings, select the VPC to which you are connecting.
-
Under Subnet Settings, select the MGMT network.
-
Under Security Group Settings, select the Security Group that you created for this instance.
-
Expand Advanced network configuration and under Network Interface select the MGMT interface that you created.
Note: If you don't select an existing interface, a new interface is created.
-
Under Key Pair Settings, select the key pair that you created.
-
In the Advanced details section, under User data - optional, enter the serial number you copied from the vSocket site you created in the Cato Management Application.
-
-
Click Launch.
After the vSocket instance launches, the MGMT interface is attached to it. Stop the instance and then attach the remaining WAN and LAN interfaces to the instance.
Note
Note: Make sure that the EC2 instance is stopped and that first you attach the WAN interface, and then the LAN interface.
To attach the interfaces to the vSocket instance:
-
From the EC2 dashboard, in the navigation menu select Instances > Instances.
-
Right-click the vSocket instance and select Stop instance.
-
In the confirmation window, click Stop. Refresh the window and confirm that the Instance state is Stopped.
-
In the navigation menu select Network & Security > Network Interfaces.
-
Attach the WAN interfaces to the instance:
-
Right-click the WAN interface, and select Attach interface.
-
In the Attach network interface window, in Instance select the vSocket instance.
-
Click Attach.
-
Repeat the previous three steps for the LAN interface.
-
This section describes how to test and confirm that the vSockets are configured correctly for HA functionality.
The High Availability section in the Cato Management Application for the site shows the HA status for the vSockets. After you deploy the secondary vSocket, it automatically connects to the site.
For more information, see below Showing the High Availability Information and Status.
You can use the Network Tools in the Socket WebUI to test HA functionality for the vSockets. The vSocket performs an API call to the AWS API gateway to verify the HA configuration for these settings:
-
IAM permissions for the vSocket are configured correctly
-
Route table ID is configured correctly
To complete the test, make sure that the vSocket can resolve the AWS RestAPI domain for the relevant region. For more information, see AWS documentation.
If the test isn't successful, we recommend that you compare the settings for the route table ID in AWS and in the Cato Management Application.
To test the HA API calls for an AWS vSocket:
-
From the navigation menu, select Site Configuration > Socket.
-
From the Actions drop-down menu for the Primary vSocket, select Socket WebUI.
The Socket WebUI opens in a new tab.
-
Click the Tools tab.
-
In the Network Tools section, click the API Test Tool tab.
-
Click Run Test. The window shows if the HA API test succeeds or fails.
-
Repeat steps 2-5 for the Secondary vSocket.
For more about using the Socket WebUI, see Using the Socket WebUI.
This section explains how to use the Networks section to manage network segments for the AWS HA site.
When you add the secondary vSocket to the Cato Management Application, the network segments in the Networks section are automatically updated to the following settings:
-
Primary Socket Native Range:
-
The Native Range for the primary vSocket is converted to the Primary Socket Native Range
-
The Local IP of the Native Range represents the LAN interface IP address for the vSocket. This IP address is also used as the management IP address of the vSocket.
-
The Gateway IP address is automatically set as the first IP address of the subnet, which points to the AWS VPC router (based on the AWS reserved IPs)
-
-
Secondary Socket Native Range - These settings are based on the LAN ENI values that you entered when you added the secondary vSocket:
-
The Native Range for the secondary vSocket is the LAN ENI IP Subnet
-
The Local IP of the secondary Native Range is the LAN ENI IP Address. This IP address is also used as the management IP address of the vSocket.
-
The Gateway IP address is automatically set as the first IP address of the subnet, which points to the AWS VPC router (based on the AWS reserved IPs)
-
Note
Notes:
-
Because the Gateway IP address is automatically calculated for a range, you can't change it.
-
If you need to change the Local IP address of the range, you must change the management IP address of the vSocket (see below, Changing the Local IP Address).
You can add Routed ranges to the AWS HA site. When you add a Routed range, the Gateway for the range is automatically selected based on the active vSocket. The Gateway IP of the active vSocket Native Range is automatically used as the Gateway for the Routed range.
For example, when the secondary vSocket is active, then the Gateway IP address for the Secondary Socket Native Range is used for all the Routed ranges in the site. In the example below, the Gateway IP of 10.0.17.1 will be used as the Gateway (next hop) for the 10.0.25.0/24 Routed range.
When the primary vSocket becomes active again, the Gateway IP for the Routed range automatically switches to 10.0.3.1.
To add a Routed range to an AWS HA site:
-
From the navigation menu, click Network > Sites, and select the AWS site.
-
From the navigation menu, click Site Configuration > Networks.
-
Expand the LAN interface.
-
From the LAN interface, click New to add a new network segment for the IP range.
The New Interface IP Range panel opens.
-
Enter the Name for the IP range.
-
From Type, select Routed.
-
Enter the IP Range for the segment.
-
Click Apply.
In vSocket HA configuration, the Local IP address of the Native Range is the same as the vSocket management IP. This IP address is used for the HA keep-alive messages, and also for access to the Socket WebUI. To change the Local IP address of the Native Range, change the management IP address in the High Availability section for the relevant vSocket.
For example, to change the Local IP for the primary vSocket Native Range, change the management IP address of the primary vSocket in the High Availability section.
To change the Local IP address:
-
From the navigation menu, click Network > Sites, and select the AWS site.
-
From the navigation menu, select Site Configuration > Socket.
-
Expand the High Availability Configurations section.
-
Enter the new Primary Management IP or Secondary Management IP.
-
Click Save. The Local IP for the Primary or Secondary Native Range is updated with the new IP address.
If you need to change the Primary or Secondary Native IP Range, change the IP range in the Networks section, and then update the management IP address in the High Availability section.
To change the IP range of a segment:
-
From the navigation menu, click Network > Sites, and select the AWS site.
-
From the navigation menu, click Site Configuration > Networks.
-
For the Primary or Secondary Native IP Range, configure the new IP range:
-
In the Type column, click the network range.
The Edit IP Range panel opens.
-
Configure the Subnet for the IP range.
-
Click Apply and then click Save.
-
-
From the navigation menu, select Site Configuration > Socket.
-
Expand the High Availability Configurations section.
-
Enter the new Management IP address for the Primary or Secondary vSocket.
The management IP must be within the subnet you configured in step 2. You can't use an AWS reserved IP address for the management IP.
-
Click Save.
This section explains how to manage HA for the AWS site:
-
Show the HA status for each vSocket
-
Change the route table ID for the site
-
Disable HA for the site and remove the secondary vSocket
The High Availability section shows the HA status for the primary and secondary vSocket.
Item |
Description |
---|---|
High Availability Status |
The HA status for the site (Ready or Not Ready), only shows ready when each status HA status indicator is OK |
WAN Connectivity (status indicator) |
The status Ok indicates that both vSockets have WAN connectivity to the Cato Cloud |
Keepalive (status indicator) |
The status Ok indicates that one vSocket is the master and one is the standby (If both vSockets are status master, then there is an HA split brain issue) |
Socket Version (status indicator) |
The status Ok indicates that both vSockets are running the same Socket version |
Master |
Shows if the Primary or Secondary vSocket is the active vSocket |
Connection to Cato - Primary |
The connection status for the primary vSocket |
Connection to Cato - Secondary |
The connection status for the secondary vSocket |
You can change the route table ID for the AWS HA site in the Cato Management Application, to match the setting in AWS.
You can remove the secondary vSocket from an AWS site and disable HA for that site. After you remove the secondary vSocket from the Cato Management Application, the deployed vSocket can no longer connect to the Cato Cloud. The settings for the site are restored to the configuration for a single vSocket:
-
The High Availability section is disabled and no longer appears in the page
-
The layout for the Networks section changes to the configuration for a single vSocket
-
For Routed ranged, the next hop is set to the first IP address of the Native Range
Note
Note: You can't undo the Unassign Socket action. The serial number for the secondary vSocket is no longer valid.
If you want to add the secondary vSocket again, you must install a new vSocket on the EC2 instance with the new serial number.
To disable HA for the AWS site:
-
From the navigation menu, click Network > Sites, and select the AWS site.
-
From the navigation menu, select Site Configuration > Socket.
-
From the Actions menu of the Secondary vSocket, click Unassign.
-
In the Warning window, click OK. HA is disabled for the site, and the secondary vSocket is removed from it.
The Events screen shows all the HA Connectivity events for your account.
You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.
The Events fields and events are the same for Socket HA and for vSocket HA. These are the HA events:
Field |
Description |
---|---|
Socket role |
Shows if the event was generated by the primary or secondary vSocket |
Event sub type - Socket Fail-Over |
The failover process is initiated for the site |
For more about events that are generated as part of the failover process, see Socket HA Failover Events.
0 comments
Please sign in to leave a comment.