Is your firewall physical or virtual? If virtual you could fail that over and make the changes. If physical then additional changes need to be made as those cannot be part of a failover plan. However if DNS points to the correct IPs then things "technically" should work after failover but tweaking may be needed.
We have Fortigate 200F physical firewalls at both sites.
In a fail over do we route all traffic from the replicas over the VPN to the Datacenter and use its Firewall or are the replicas expecting to route in and out of the DR side firewall with its own policies?
We have Fortigate 200F physical firewalls at both sites.
In a fail over do we route all traffic from the replicas over the VPN to the Datacenter and use its Firewall or are the replicas expecting to route in and out of the DR side firewall with its own policies?
That is subjective and how you want the traffic to be routed. To me I would replicate the FW policies on the DR side so in the event of a failover requirement you have everything ready to go.
I have found a ton of articles on how to fail over corporate servers and resources to a DR site. The process seems very straight forward and as long as your internal users can work and are able to access local resources / servers all is well.
However we have the need to fail over several servers that provide external hosting of services like www hosting, VoIP PBX servers, mail servers etc.
All of these servers at our production site have complex firewall policies and WAN static routes configured and ultimately top level registrar DNS pointing traffic to our various static WAN IPS and in turn routing to local server targets based on ports and traffic type.
We have setup a VPN site to site with no issue and are easily able to replace VMS to the Dr site.
The Datacenter site is 192.168.15.x and the DR site is 192.168.30.x
We can easily fail over a replaca and re ip them to 192.168.30.x IPS and have tested this. The problem is the VM is useless as there are no firewall routes to them once published in the DR site. You can ping them at 192.168.30.x but otherwise their hosted roles are all down.
What is the proper way to accomplish fail over to a DR Site and have your vms are RE-IP then route hosting servers and dns properly?
Thanks
I would replicate the firewall rules at both sites. So you can activate the correct rules at the appropriate site after failover of one machine or the whole site.
Hi,
There are many ways to achieve this with pro’s and con’s and designs for different scenarios. For example:
Instead of Re-IP you could stretch your subnet between sites, as you’ve got a VPN instead of direct fibre between sites I wouldn’t do this, but you could instead also have the same subnet available at the DR site, with conditional routing decisions based on the availability of other devices, such as whether the primary datacentre’s firewall is available.
If you did re-IP you could utilise load balancers for some services and create a priority order for services to be targeted at their primary or DR IP addresses, then your load balancer looks at the health of the servers based on their IP address availability and routes wherever it needs to go.
Do you own your own public IP addresses? If so for the public facing IP address elements of failover you could leverage BGP and avoid public IP failovers and updates that have to be done when your IP address is ISP/internet circuit specific.
Some services you could just give a priority order to such as PBX and Mail servers where you just set a priority but have primary and DR IP address or DNS records for. For example with email you’d have 2x MX records in your public DNS, and set one to your primary site’s IP address for email delivery and a second, lesser priority to a DR entry. Traffic can only be delivered when a server is answering on that service anyway so that handles failover gracefully then. Same with a PBX you could instruct your SIP provider that if they can’t reach you on a production IP address that they can reach you on the DR Public IP address.
You can even consume services such as Azure Traffic Manager to utilise specific health metrics to determine if DNS should aim at production or DR sites.
There ultimately isn’t that much that Veeam needs to do in a DR with regards to networking but we’re happy to help with considerations for your design
Thanks so much for the guidance so far.
Should we use SD WAN or IPSEC VPN between the sites? I know this is all more on the networking side not so much Veeam but wondering what Veeam best practices are if any on this?
Thanks so much for the guidance so far.
Should we use SD WAN or IPSEC VPN between the sites? I know this is all more on the networking side not so much Veeam but wondering what Veeam best practices are if any on this?
That is subjective and based on what your requirements are. Either will work with Veeam.
Hi @J55marshall, I’m gonna make an assumption that your SD-WAN is ISP provided and you don’t have a VPN tunnel providing the connectivity underneath but something more “wire speed”, in that scenario I would recommend SD-WAN everyday. Purely because when you start copying a lot of data between sites, especially if you’ve got a lot of bandwidth, you will stress the firewall/VPN appliance’s CPU. I was working with some BEEFY Fortinets a year or two ago and by the time I was approaching 1Gbps I was hurting them badly! There was packet inspection too which you’ll also ideally want to avoid doing on the traffic.
Thanks @MicoolPaul
At the data center we have 1.5G / 1.5G WAN
At the DR site we have the same 1.5G / 1.5G
I plan to replicate about 30vms daily over to the DR SITE. Most of the VMS are small around 150G some are 500Gig each.
We have Fortinet 200Fs at both sides as well.
I am leaning toward SD-WAN between them rather than a VPN tunnel.
Hi @J55marshall I think that’s a good idea. Looking at the specifications of the Fortigate 200F it should be fine at those speeds, but that is still a lot of extra strain to put on your firewall. I also recall having an issue where because it was only a few TCP streams at high throughput that the sessions were getting pinned to specific firewall CPU cores and choking the overall throughput.
Let us know how it goes, I’m interested in this one
Hi @J55marshall -
I just wanted to follow up on your post and see if any of the comments provided here helped answer your DR-side failover question? If so, we ask you select one of the comments as ‘Best Answer’ to benefit others who may come across your post with a similar query. If you still have questions, please don’t hesitate to ask and we can try to assist as best we can.
Thank you.