Fortinet black logo

HA Deployment Guide

Home FortiADC 7.4.0 HA Deployment Guide
7.4.0
7.4.0
5.4.1
5.4.0
5.2.0
5.1.3

HA modes

HA modes

HA Active-Passive Mode

When the FortiADC devices are configured as HA Active-Passive mode, the active device (also called Primary) handles all the traffic under normal circumstances. If the something wrong happens on the active device, the passive device (also called Secondary) becomes active and handles all the traffic instead.

Above chart is the HA-AP mode deployment. Normally, Secondary doesn’t handle the traffic, all the traffic is handled by the Primary whatever for the client side or server side. However, the Secondary can always sync the data from Primary, such as incremental configuration changes, layer4 session/persistence table, layer7 persistence, health-check status. Once there is something wrong with the current Primary, such as the monitored interfaces are down (in this case the monitored interface connected to ISP directly), or the physical device is failing, the Secondary will become the new Primary, so that handle all the traffic going through FortiADC.

HA-AP mode is the most stable deployment mode, and if can be deployed on any platforms without problem. In this mode, the FortiADC’s interface is applied with virtual mac address, once the HA peer takes over the Primary, new Primary will inherit the virtual mac address on the interfaces. This can reduce the traffic failing time while failover happening. On the other hand, this can provide the benefit if the security device such as firewall in your network need Mac address binding. Please be aware that HA-AP mode on Microsoft Hyper-V platform uses the physical Mac Address due to the platform limitation.

HA Active-Active Mode

In the HA Active-Active mode, both the Primary and Secondary is able to handle the traffic normally. There is one thing should be detailed. Although both Primary and Secondary can handle the traffic, FortiADC can only sync the layer4 virtual-server session to its peers. So for layer4 traffic, if the traffic returned from real server goes to FortiADC devices which is different from the inbound traffic, this FortiADC can still forward the traffic back to client. For the traffic which will be routed by FortiADC, it has the similar issue. This may cause the performance decrease. So ideally, you should have a routing device between FortiADC and real servers, which has the function can send the return traffic to its original FortiADC devices. For layer 7 virtual-server, usually FortiADC establishes the session to real servers by its own interface IP address, so the traffic can be returned to itself natively, unless you enable the “source-address” on it.

If one of the device monitored link is down or if even the entire device is failing, its HA peer can take over all the traffic.

HA VRRP Mode

HA-VRRP mode on the other hand divides the resources into groups, so that we can create multiple VRRP groups, and then assign the public IP resources into the groups. In this way, we can get the another active-active mode. In this mode, every HA node has its own interface IP, but we can define the floating IP on the interface which belongs to one of the VRRP groups.

In general, the connected devices or servers are pointing the gateway to the floating-ip of the VRRP group. The floating-ip is the IP address which can only work on the VRRP group Primary. If the failover happens, the floating-ip will work on the new VRRP Primary. This can assure the floating-ip is always online.

Loot at the chart above, this an example of HA-VRRP mode. Typically, we create 2 VRRP groups, let’s say, one is the VRRP_Group1, the other one is VRRP_Group2. We make FortiADC1 the Primary of VRRP_Group1, the Secondary of VRRP-Group2; while the FortiADC2 will be the Secondary of VRRP_Group1, and Primary of VRRP_Group2. Then we divide the real servers into these 2 groups. The servers in group1 point the default gateway to VRRP_Group1’s floating-ip, while the servers in group2 point the default gateway to VRRP_Group2’s floating-ip. Then normally, FortiADC1 handles the traffic to VRRP_Group1, FortiADC handles the traffic to VRRP_Group2. If one of the monitored link or device is down, the HA peer can take over the traffic.

Choose HA mode

We support 3 kinds of HA deployment mode. They are HA-AP, HA-AA, HA-VRRP mode. If you are willing to have a very stable system, please use the HA-AP mode. Although only one device is processing the data, the backup device can take over the Primary work smoothly, it offers the most reliable environment while needs least deployment conditions.

If you are interested in the all active plan, then the HA-VRRP should be your first choice. Once you’ve arranged the servers in group, all the FortiADC devices can handle the traffic, which increase the throughput and other performance a lot. It requires less deployment conditions over HA-AA mode, and can provide the performance increasing.

Only if you can make sure you can make all the ideal preconditions for the HA-AA, then choose the HA-AA mode. This mode requires the most, but providing the easier configuration logic. It can also offer the good performance in the ideal conditions.

Previous
Next

HA modes

HA Active-Passive Mode

When the FortiADC devices are configured as HA Active-Passive mode, the active device (also called Primary) handles all the traffic under normal circumstances. If the something wrong happens on the active device, the passive device (also called Secondary) becomes active and handles all the traffic instead.

Above chart is the HA-AP mode deployment. Normally, Secondary doesn’t handle the traffic, all the traffic is handled by the Primary whatever for the client side or server side. However, the Secondary can always sync the data from Primary, such as incremental configuration changes, layer4 session/persistence table, layer7 persistence, health-check status. Once there is something wrong with the current Primary, such as the monitored interfaces are down (in this case the monitored interface connected to ISP directly), or the physical device is failing, the Secondary will become the new Primary, so that handle all the traffic going through FortiADC.

HA-AP mode is the most stable deployment mode, and if can be deployed on any platforms without problem. In this mode, the FortiADC’s interface is applied with virtual mac address, once the HA peer takes over the Primary, new Primary will inherit the virtual mac address on the interfaces. This can reduce the traffic failing time while failover happening. On the other hand, this can provide the benefit if the security device such as firewall in your network need Mac address binding. Please be aware that HA-AP mode on Microsoft Hyper-V platform uses the physical Mac Address due to the platform limitation.

HA Active-Active Mode

In the HA Active-Active mode, both the Primary and Secondary is able to handle the traffic normally. There is one thing should be detailed. Although both Primary and Secondary can handle the traffic, FortiADC can only sync the layer4 virtual-server session to its peers. So for layer4 traffic, if the traffic returned from real server goes to FortiADC devices which is different from the inbound traffic, this FortiADC can still forward the traffic back to client. For the traffic which will be routed by FortiADC, it has the similar issue. This may cause the performance decrease. So ideally, you should have a routing device between FortiADC and real servers, which has the function can send the return traffic to its original FortiADC devices. For layer 7 virtual-server, usually FortiADC establishes the session to real servers by its own interface IP address, so the traffic can be returned to itself natively, unless you enable the “source-address” on it.

If one of the device monitored link is down or if even the entire device is failing, its HA peer can take over all the traffic.

HA VRRP Mode

HA-VRRP mode on the other hand divides the resources into groups, so that we can create multiple VRRP groups, and then assign the public IP resources into the groups. In this way, we can get the another active-active mode. In this mode, every HA node has its own interface IP, but we can define the floating IP on the interface which belongs to one of the VRRP groups.

In general, the connected devices or servers are pointing the gateway to the floating-ip of the VRRP group. The floating-ip is the IP address which can only work on the VRRP group Primary. If the failover happens, the floating-ip will work on the new VRRP Primary. This can assure the floating-ip is always online.

Loot at the chart above, this an example of HA-VRRP mode. Typically, we create 2 VRRP groups, let’s say, one is the VRRP_Group1, the other one is VRRP_Group2. We make FortiADC1 the Primary of VRRP_Group1, the Secondary of VRRP-Group2; while the FortiADC2 will be the Secondary of VRRP_Group1, and Primary of VRRP_Group2. Then we divide the real servers into these 2 groups. The servers in group1 point the default gateway to VRRP_Group1’s floating-ip, while the servers in group2 point the default gateway to VRRP_Group2’s floating-ip. Then normally, FortiADC1 handles the traffic to VRRP_Group1, FortiADC handles the traffic to VRRP_Group2. If one of the monitored link or device is down, the HA peer can take over the traffic.

Choose HA mode

We support 3 kinds of HA deployment mode. They are HA-AP, HA-AA, HA-VRRP mode. If you are willing to have a very stable system, please use the HA-AP mode. Although only one device is processing the data, the backup device can take over the Primary work smoothly, it offers the most reliable environment while needs least deployment conditions.

If you are interested in the all active plan, then the HA-VRRP should be your first choice. Once you’ve arranged the servers in group, all the FortiADC devices can handle the traffic, which increase the throughput and other performance a lot. It requires less deployment conditions over HA-AA mode, and can provide the performance increasing.

Only if you can make sure you can make all the ideal preconditions for the HA-AA, then choose the HA-AA mode. This mode requires the most, but providing the easier configuration logic. It can also offer the good performance in the ideal conditions.

Previous
Next