Question

Understanding Firewall / DNS policies when failing over to a DR Site?


Userlevel 1

I have found a ton of articles on how to fail over corporate servers and resources to a DR site. The process seems very straightforward, and as long as your internal users can work and are able to access local resources / servers all is well.

However, we have the need to fail over several servers that provide external hosting of services like www hosting, VoIP PBX servers, mail servers etc.

All of these servers at our production site have complex firewall policies and WAN static routes configured, and ultimately top-level registrar DNS pointing traffic to our various static WAN IPs and in turn routing to local server targets based on ports and traffic type.



We have set up a site-to-site VPN with no issue and are easily able to replicate VMs to the DR site.

The Datacenter site is 192.168.15.x and the DR site is 192.168.30.x

We can easily fail over a replica and re-IP them to 192.168.30.x IPs and have tested this. The problem is the VM is useless as there are no firewall routes to them once published in the DR site. You can ping them at 192.168.30.x but otherwise their hosted roles are all down.



What is the proper way to accomplish failover to a DR site, have your VMs re-IPed, and then route hosting servers and DNS properly?

 

Thanks


11 comments

Userlevel 7
Badge +20

Is your firewall physical or virtual?  If virtual you could fail that over and make the changes. If physical then additional changes need to be made as those cannot be part of a failover plan.  However if DNS points to the correct IPs then things "technically" should work after failover but tweaking may be needed.

Userlevel 1

We have FortiGate 200F physical firewalls at both sites.

In a failover, do we route all traffic from the replicas over the VPN to the Datacenter and use its firewall, or are the replicas expected to route in and out of the DR-side firewall with its own policies?

 

Userlevel 7
Badge +20

That is subjective and depends on how you want the traffic to be routed. To me, I would replicate the FW policies on the DR side so in the event of a failover requirement you have everything ready to go.

Userlevel 7
Badge +17

I would replicate the firewall rules at both sites, so you can activate the correct rules at the appropriate site after failover of one machine or the whole site.
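As an added example (not code from the thread or from Fortinet) of what "replicating the rules at both sites" means for the poster's re-IP scenario: the production firewall publishes services through VIP (DNAT) objects that name the production LAN host and the production public IP, so a policy set copied verbatim is useless at DR until those two addresses are rewritten. The script below takes a constructed FortiOS-style `config firewall vip` fragment, maps each 192.168.15.x target to the same host number in 192.168.30.x, swaps in the DR public IP, and then checks that every production VIP has a DR counterpart with the same ports. The public IPs 203.0.113.10 / 198.51.100.10, the interface name wan1 and the VIP names are assumptions; firewall policies that reference the VIPs by object name are left alone because the names do not change.

```python
import ipaddress
import re

# Site addressing from the thread; the public IPs are hypothetical placeholders.
PROD_LAN = ipaddress.ip_network("192.168.15.0/24")
DR_LAN = ipaddress.ip_network("192.168.30.0/24")
PROD_WAN_IP = "203.0.113.10"   # assumed production public IP
DR_WAN_IP = "198.51.100.10"    # assumed DR public IP

# Constructed production VIP (DNAT) objects in FortiOS CLI style (names assumed).
PROD_VIP_CONFIG = """\
config firewall vip
    edit "www-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.15.20"
        set extport 443
        set mappedport 443
    next
    edit "smtp-in"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.15.25"
        set extport 25
        set mappedport 25
    next
end
"""

MAPPEDIP_RE = re.compile(r'^(\s*set mappedip ")([^"]+)(")\s*$')
EXTIP_RE = re.compile(r'^(\s*set extip )(\S+)\s*$')


def translate_host(ip: str) -> str:
    """Keep the host number, swap the site prefix: 192.168.15.20 -> 192.168.30.20."""
    addr = ipaddress.ip_address(ip)
    if addr not in PROD_LAN:
        raise ValueError(f"{ip} is not in the production LAN {PROD_LAN}")
    return str(DR_LAN.network_address + (int(addr) - int(PROD_LAN.network_address)))


def translate_vip_config(prod_text: str) -> str:
    """Rewrite mappedip (single IP or a-b range) and extip for the DR site.
    Any address the mapping does not cover raises instead of being copied."""
    out = []
    for line in prod_text.splitlines():
        m = MAPPEDIP_RE.match(line)
        if m:
            hosts = "-".join(translate_host(h) for h in m.group(2).split("-"))
            out.append(f"{m.group(1)}{hosts}{m.group(3)}")
            continue
        m = EXTIP_RE.match(line)
        if m:
            if m.group(2) != PROD_WAN_IP:
                raise ValueError(f"unexpected extip {m.group(2)}; extend the WAN mapping")
            out.append(f"{m.group(1)}{DR_WAN_IP}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def parse_vips(text: str) -> dict:
    """Minimal parser: VIP name -> {setting: value} with quotes stripped."""
    vips, name = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith('edit "') and s.endswith('"'):
            name = s[6:-1]
            vips[name] = {}
        elif s == "next":
            name = None
        elif name is not None and s.startswith("set "):
            _, key, value = s.split(None, 2)
            vips[name][key] = value.strip('"')
    return vips


def check_dr_counterparts(prod_text: str, dr_text: str) -> list:
    """Pre-failover check: every production VIP needs a DR twin with the same
    ports, a target inside the DR LAN and the DR public IP. Empty list = ready."""
    prod, dr = parse_vips(prod_text), parse_vips(dr_text)
    problems = []
    for name, p in prod.items():
        d = dr.get(name)
        if d is None:
            problems.append(f"{name}: missing on DR firewall")
            continue
        for key in ("extport", "mappedport", "portforward"):
            if p.get(key) != d.get(key):
                problems.append(f"{name}: {key} differs ({p.get(key)} vs {d.get(key)})")
        if d.get("extip") != DR_WAN_IP:
            problems.append(f"{name}: extip {d.get('extip')} is not the DR public IP")
        first_host = d.get("mappedip", "").split("-")[0]
        if not first_host or ipaddress.ip_address(first_host) not in DR_LAN:
            problems.append(f"{name}: mappedip {d.get('mappedip')} is not in {DR_LAN}")
    return problems


if __name__ == "__main__":
    dr_config = translate_vip_config(PROD_VIP_CONFIG)
    print(dr_config)
    print("problems:", check_dr_counterparts(PROD_VIP_CONFIG, dr_config))
```

The printed block is what you would load onto the DR FortiGate ahead of time, with the matching policies left disabled until failover; `check_dr_counterparts()` is the runbook test, an empty list meaning every externally published service has a DR twin. The WAN-side pieces the script does not cover (the DR public IP in registrar DNS, and any static routes the DR firewall needs for the replicated subnet) still have to be handled separately.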

Userlevel 7
Badge +20

Hi,

 

There are many ways to achieve this with pro’s and con’s and designs for different scenarios. For example:

Instead of re-IPing you could stretch your subnet between sites. As you’ve got a VPN rather than direct fibre between sites I wouldn’t do this, but you could instead also have the same subnet available at the DR site, with conditional routing decisions based on the availability of other devices, such as whether the primary datacentre’s firewall is available.

If you did re-IP you could utilise load balancers for some services and create a priority order for services to be targeted at their primary or DR IP addresses, then your load balancer looks at the health of the servers based on their IP address availability and routes wherever it needs to go.

Do you own your own public IP addresses? If so for the public facing IP address elements of failover you could leverage BGP and avoid public IP failovers and updates that have to be done when your IP address is ISP/internet circuit specific.

 

Some services you could just give a priority order to, such as PBX and mail servers, where you just set a priority but have primary and DR IP addresses or DNS records for. For example with email you’d have two MX records in your public DNS, and set one to your primary site’s IP address for email delivery and a second, lesser priority, to a DR entry. Traffic can only be delivered when a server is answering on that service anyway, so that handles failover gracefully then. Same with a PBX: you could instruct your SIP provider that if they can’t reach you on a production IP address they can reach you on the DR public IP address.

 

You can even consume services such as Azure Traffic Manager to utilise specific health metrics to determine if DNS should aim at production or DR sites.

 

There ultimately isn’t that much that Veeam needs to do in a DR with regards to networking but we’re happy to help with considerations for your design 🙂
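The MX-priority pattern described in the post, as an added example that is not the poster's own code: a sending MTA sorts MX records by preference value and tries them in order, so a DR record with a higher preference value only receives mail once the production host stops answering. The zone fragment (example.com hostnames, public IPs 203.0.113.10 for production and 198.51.100.10 for DR) is constructed, and the reachability callback stands in for the sender's TCP connection attempt. `lint_mx_failover()` flags the misconfigurations that quietly break the pattern: a DR MX sharing the production preference value (it would then take live traffic), or an MX name with no address record.

```python
import random

# Constructed public zone fragment: production MX first, DR MX with a higher
# preference value (lower priority). Hostnames and public IPs are hypothetical.
PROD_PUBLIC = "203.0.113.10"
DR_PUBLIC = "198.51.100.10"

MX_RECORDS = [
    (10, "mail.example.com."),     # production, tried first
    (20, "mail-dr.example.com."),  # DR, only reached when production fails
]
A_RECORDS = {
    "mail.example.com.": PROD_PUBLIC,
    "mail-dr.example.com.": DR_PUBLIC,
}


def order_mx(records):
    """Order MX hosts the way a sending MTA does (RFC 5321 section 5.1):
    ascending preference value, hosts with equal preference in random order."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        random.shuffle(group)
        ordered.extend(group)
    return ordered


def pick_mx(records, a_records, is_reachable):
    """Return (host, ip) of the first MX that answers, walking the list in
    preference order. None means every host failed, in which case a real
    sender queues the message for retry rather than bouncing it at once."""
    for host in order_mx(records):
        ip = a_records.get(host)
        if ip is None:
            continue  # MX target without an address record is skipped
        if is_reachable(ip):
            return host, ip
    return None


def lint_mx_failover(records, a_records, prod_ip, dr_ip):
    """Checks worth running before trusting MX preference for site failover."""
    problems = []
    pref_by_ip = {}
    for pref, host in records:
        ip = a_records.get(host)
        if ip is None:
            problems.append(f"{host}: MX target has no A record")
            continue
        pref_by_ip.setdefault(ip, pref)
    if prod_ip not in pref_by_ip:
        problems.append("no MX record resolves to the production public IP")
    if dr_ip not in pref_by_ip:
        problems.append("no MX record resolves to the DR public IP")
    elif prod_ip in pref_by_ip and pref_by_ip[dr_ip] <= pref_by_ip[prod_ip]:
        problems.append("DR MX must carry a higher preference value than "
                        "production or it will take live traffic")
    return problems


def simulate_failover(records, a_records, prod_ip, dr_ip):
    """Report which host takes delivery in the three states the post relies
    on: both sites up, production down, both down."""
    states = {
        "both up": lambda ip: ip in (prod_ip, dr_ip),
        "production down": lambda ip: ip == dr_ip,
        "both down": lambda ip: False,
    }
    return {name: pick_mx(records, a_records, fn) for name, fn in states.items()}


if __name__ == "__main__":
    print("lint:", lint_mx_failover(MX_RECORDS, A_RECORDS, PROD_PUBLIC, DR_PUBLIC))
    for state, result in simulate_failover(MX_RECORDS, A_RECORDS, PROD_PUBLIC, DR_PUBLIC).items():
        print(f"{state}: {result}")
```

Two caveats the simulation makes visible: the sender only moves to the DR host after its connection to production fails or times out, so failover is per delivery attempt rather than instantaneous, and the DR host must actually be accepting port 25 behind the DR firewall, otherwise "production down" ends up in the "both down" state and mail queues at the sender.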

Userlevel 1

Thanks so much for the guidance so far.

Should we use SD-WAN or IPsec VPN between the sites? I know this is all more on the networking side, not so much Veeam, but wondering what Veeam best practices are, if any, on this?

 

Userlevel 7
Badge +20

That is subjective and based on what your requirements are.  Either will work with Veeam.

Userlevel 7
Badge +20

Hi @J55marshall, I’m gonna make an assumption that your SD-WAN is ISP provided and you don’t have a VPN tunnel providing the connectivity underneath but something more “wire speed”; in that scenario I would recommend SD-WAN every day. Purely because when you start copying a lot of data between sites, especially if you’ve got a lot of bandwidth, you will stress the firewall/VPN appliance’s CPU. I was working with some BEEFY Fortinets a year or two ago and by the time I was approaching 1Gbps I was hurting them badly! There was packet inspection too, which you’ll also ideally want to avoid doing on the traffic.

Userlevel 1

Thanks @MicoolPaul 

At the data center we have 1.5G / 1.5G WAN

At the DR site we have the same 1.5G / 1.5G

I plan to replicate about 30 VMs daily over to the DR site. Most of the VMs are small, around 150G; some are 500G each.

We have Fortinet 200Fs at both sites as well.

I am leaning toward SD-WAN between them rather than a VPN tunnel.

Userlevel 7
Badge +20

Hi @J55marshall I think that’s a good idea. Looking at the specifications of the Fortigate 200F it should be fine at those speeds, but that is still a lot of extra strain to put on your firewall. I also recall having an issue where because it was only a few TCP streams at high throughput that the sessions were getting pinned to specific firewall CPU cores and choking the overall throughput.

 

Let us know how it goes, I’m interested in this one 🙂

Userlevel 7
Badge +17

Hi @J55marshall -

I just wanted to follow up on your post and see if any of the comments provided here helped answer your DR-side failover question? If so, we ask you select one of the comments as ‘Best Answer’ to benefit others who may come across your post with a similar query. If you still have questions, please don’t hesitate to ask and we can try to assist as best we can.

Thank you.
