This topic describes how to migrate a VPC firewall from the default active-active architecture to a specified active-standby architecture. This migration reduces latency caused by traffic crossing between availability zones.
Example scenario
Suppose you create a VPC firewall in the Singapore region and select the Default (Auto-assigned) option for the primary and secondary availability zones.
By default, the VPC firewall uses an active-active architecture for disaster recovery. In this architecture, the Cloud Firewall cluster does not forward traffic based on proximity. Instead, it randomly load-balances traffic between the two availability zones.
To address this, VPC Firewall supports an active-standby architecture. This architecture prioritizes traffic processing in the primary zone and uses the secondary zone only for disaster recovery failover.
If you have a VPC firewall that uses the active-active architecture, follow the steps in this topic to migrate it to the active-standby architecture.
|
Before migration |
After migration |
|
|
|
Precautions
-
To migrate, you must disable, delete, and then recreate the VPC firewalls in the specified region. Your existing access control policies are retained during this process.
-
For CEN (Basic Edition), enabling or disabling traffic redirection for the VPC firewall briefly disrupts routing for several seconds.
For CEN (Enterprise Edition), this process does not cause a routing disruption.
To prevent unidirectional traffic from being blocked during this process, configure a high-priority allow policy for ANY traffic. For more information, refer to Configure an access control policy for a VPC firewall.
-
Before you start, record the VPC and vSwitch CIDR blocks of your existing VPC firewall. You will need this information to recreate the firewall.
-
In an active-standby architecture, dependencies exist between the primary and secondary availability zones. The selectable availability zones are limited to the options available in the console.
Migrating CEN (Basic Edition) to an active-standby architecture
To migrate a VPC firewall for a CEN (Basic Edition) instance from an active-active architecture to an active-standby architecture in a specific region, you must first disable and delete all VPC firewalls associated with the CEN instance in that region, and then recreate them.
Step 1: Disable and delete the VPC firewalls
-
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall.
-
On the tab, click Batch Disable.
-
In the Batch Disable dialog box, select the CEN Instance and Region, and then click OK.
-
After the firewalls are disabled, find the asset in the specified region and click Delete in the Actions column to delete all VPC firewalls in that region.
Step 2: Create a VPC firewall
-
In the Actions column of the CEN instance in the specified region, click Create.
-
In the Create Firewall panel, click One-click Check.
For a Basic Edition transit router, you can run a diagnostic check to verify that the VPC firewall can be enabled. After the check is complete, you can view the results in the Enable Diagnosis wizard. If you are familiar with the process, you can skip this check and create the firewall directly. If the diagnosis fails, refer to Causes of and solutions for Cloud Firewall enablement failures for more information.
-
Configure parameters such as the firewall VPC CIDR block, primary and secondary availability zones, vSwitch instance and availability zone for the business VPC, and intrusion prevention settings.
Important-
To enable the active-standby architecture, set the Primary and Secondary Availability Zones in the Firewall VPC Configurations section to your business's availability zones. However, if the Availability Zone for the vSwitches for Business VPCs differs from the primary zone, traffic latency may still occur.
If your business is latency-sensitive, set both the primary zone in the Firewall VPC Configurations section and the availability zone for the vSwitches for Business VPCs to your primary business availability zone. This minimizes latency.
-
The intrusion prevention settings apply to all network instances within the same CEN instance.
-
-
Click Start Creation to create the VPC firewall.
-
After the firewall is created, repeat these steps for other business VPCs in the CEN instance, ensuring their vSwitch availability zones match the firewall's primary availability zone.
-
After all VPCs in the region are configured, enable the firewall for all of them in the Firewall column.
Migrating CEN (Enterprise Edition) to an active-standby architecture
To migrate a VPC firewall for a CEN (Enterprise Edition) instance from an active-active architecture to an active-standby architecture, you must first delete the traffic redirection scenario for the region, delete and recreate the VPC firewall, and then restore the original traffic redirection scenario.
Step 1: Disable and delete the traffic redirection scenario
-
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall.
-
On the tab, find the VPC firewall in the target region and click Details in the Actions column.
-
On the tab, turn off the switch.
-
In the Disable Traffic Redirection Scenario dialog box, select Roll Back Route and click OK.
While the scenario is being disabled, you can monitor the task progress on the Firewall Task tab.
-
After the scenario is disabled, click Delete to remove it. Then, close the VPC Firewall Details panel.
Step 2: Delete the VPC firewall
-
Find the CEN instance for the specified region and click Delete in the Actions column.
-
In the Delete dialog box, click OK to delete the firewall instance.
Step 3: Create firewall and configure traffic redirection
-
Find the CEN instance for the specified region and click Create in the Actions column.
-
In the Create Firewall panel, select Automatic and click Quick Diagnosis.
For an Enterprise Edition transit router, you can run a diagnostic check to verify that the VPC firewall can be enabled. After the check is complete, you can view the results in the Precheck wizard. If you are familiar with the process, click Skip and start creation now.. If the diagnosis fails, refer to Causes of and solutions for Cloud Firewall enablement failures for more information.
-
Configure parameters such as the firewall VPC CIDR block, primary and secondary availability zones, and intrusion prevention settings.
Important-
If your business is latency-sensitive, select your business's actual availability zones as the primary and secondary zones to reduce latency.
-
The intrusion prevention settings apply to all network instances within the same CEN instance.
You must enter a CIDR block of at least /27 for the firewall VPC that does not overlap with your existing network plan. The system uses this CIDR block to allocate the vSwitches required to create the firewall.
-
-
After the VPC firewall is created, click Next to reconfigure the traffic redirection scenario.
-
Click Next to complete the configuration and automatically enable the VPC firewall.