HA firewall with floating IP on AWS
Setup
We’re going to explore high availability and load balancing using Keepalived and conntrackd.
Keepalived is routing software designed to provide simple and robust facilities for load balancing and high availability to Linux systems and Linux-based infrastructures.
In order to overcome the problem, we have to deploy conntrackd on FW1 and FW2. The daemon replicates the state of the connections forwarded by the active node so that the backup can take over those connections in an appropriate way. We can dump the status of the connections forwarded by the active node:
keepalived as cluster software
https://blog.logentries.com/2014/12/keepalived-and-haproxy-in-aws-an-exploratory-guide/
floating IP on AWS
map ElasticIP to cluster instances
iptables with conntrack
http://conntrack-tools.netfilter.org/testcase.html
http://conntrack-tools.netfilter.org/manual.html
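
The three pieces listed above (keepalived as the cluster software, mapping the Elastic IP to the active instance, conntrackd state replication) meet in keepalived's `notify` hook. The script below is an added example, not code from the original page or from either project; the allocation id, instance id, config path and the choice to commit connection state before moving the address are assumptions.

```bash
#!/bin/sh
# Added example: keepalived notify hook, invoked as <INSTANCE|GROUP> <name> <state>.
# The ids and paths below are constructed placeholders, not values from the page.
EIP_ALLOC_ID="${EIP_ALLOC_ID:-eipalloc-EXAMPLE}"  # Elastic IP allocation to float
INSTANCE_ID="${INSTANCE_ID:-i-EXAMPLE}"           # this firewall's EC2 instance id
CONNTRACKD="conntrackd -C /etc/conntrackd/conntrackd.conf"

# Print, one per line, the commands this node runs when entering a VRRP state.
plan_transition() {
  case "$1" in
    MASTER)
      # Commit replicated flows to the kernel before the address moves, so
      # established connections match state as soon as traffic arrives.
      echo "$CONNTRACKD -c"  # commit external cache into the kernel table
      echo "aws ec2 associate-address --allocation-id $EIP_ALLOC_ID --instance-id $INSTANCE_ID --allow-reassociation"
      echo "$CONNTRACKD -f"  # flush internal and external caches
      echo "$CONNTRACKD -R"  # resync internal cache with the kernel table
      echo "$CONNTRACKD -B"  # bulk-send current state to the new backup
      ;;
    BACKUP)
      echo "$CONNTRACKD -t"  # shorten kernel timers so stale flows expire
      echo "$CONNTRACKD -n"  # request a full resync from the active node
      ;;
    FAULT)
      echo "$CONNTRACKD -t"
      ;;
    *)
      return 2               # unknown state: plan nothing
      ;;
  esac
}

# Execute the plan; keep going after a failure but report it in the exit code.
run_transition() {
  fw_plan=$(plan_transition "$1") || { echo "fw-notify: unknown state '$1'" >&2; return 2; }
  fw_rc=0
  while IFS= read -r fw_cmd; do
    # Commands come only from plan_transition, never from network input.
    $fw_cmd </dev/null || { echo "fw-notify: failed: $fw_cmd" >&2; fw_rc=1; }
  done <<EOF
$fw_plan
EOF
  return "$fw_rc"
}

# Act only when called by keepalived (first argument is INSTANCE or GROUP).
case "${1:-}" in
  INSTANCE|GROUP) run_transition "${3:-}" ;;
esac
```

The instance profile on both firewalls needs the `ec2:AssociateAddress` permission for the reassociation to succeed; grant that action alone rather than broad EC2 rights.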
Links
- https://aws.amazon.com/articles/2127188135977316
- http://thejimmahknows.com/the-bigip-f5-alterantive-using-haproxy-and-keepalived-part-1/
- http://codepen.io/tsabat/post/aws-cli-script-to-assign-a-secondary-ip
- https://www.digitalocean.com/community/tutorials/how-to-set-up-highly-available-web-servers-with-keepalived-and-floating-ips-on-ubuntu-14-04