Skip to content

High Availability

The CyberEdge HA (High Availability) configuration utilizes an active/passive firewall setup where two CyberEdge devices are deployed in a cluster using VRRP (Virtual Router Redundancy Protocol) to ensure seamless failover. In this configuration, the primary active node handles all network traffic under normal conditions, while the secondary passive node remains on standby. The primary active node replicates its configuration to the secondary node through a network connection in the management zone, ensuring that both are synchronized. In the event of a failure on the primary node, traffic is automatically redirected to the secondary node, maintaining continuous network operations with minimal disruption.

HA Prerequisites

Before setting up an HA (High Availability) cluster configuration, specific prerequisites need to be met. The stipulated requirements for the CyberEdge HA configuration are detailed as follows:

  • In virtualized CyberEdge HA deployments both nodes must be virtual machines with identical network configurations. (CE Hardware to Virtual Machine is NOT a supported configuration)
  • In hardware based CyberEdge HA deployments both nodes must be identical models.

Supported Configurations

The following matrix outlines the supported HA Pair configurations options

Node 1
Node 2
Micro 4G Micro 4G
Micro+ Micro+
H-Series H-Series
HR-Series HR-Series
HR2-Series HR2-Series
HR3-Series HR3-Series
Virtual Virtual

For CyberEdge HR-Series hardware, both nodes must include identical 10G or 40G network interface options to enable utilization within a HA cluster. Each CyberEdge node must be installed with the same firmware version to ensure the successful creation of a HA cluster.

Info

Information on how to update the firmware of your CyberEdge can be found here

Create a HA Cluster

The CyberEdge HA (High Availability) system functions using an Active/Passive network structure. By default, the primary active node in an HA cluster manages all traffic. Configuration synchronization within CyberEdge is conducted from the primary active node to the secondary node via a dedicated HA network connection within the management zone. The cluster join process will guide you through the setup.

graph LR
  A[Switch] --> B{VRRP};
  B -->|Route| C[Primary Active Node];
  B -->|Route| D[Secondary Passive Node];
  C --> E[Switch];
  D --> E[Switch];
  E --> F[Internet];

Important information

These instructions apply to version 0.16.3 and later. If you are using an earlier version of the CyberEdge, please update your firmware prior to creating the HA cluster.

The installation guide operates under the assumption that all prerequisites have been fulfilled, and both CyberEdge nodes are appropriately licensed and running on identical firmware versions. You should also have your primary active CyberEdge node configured and accessible. To create a cluster:

  1. Access the management user interface on the node you wish to join to the cluster (secondary node)
  2. Go to Network > Connections and edit the Management connection
  3. Specify the IP address to be in the same subnet as the management IP address of the primary node
  4. Save and apply changes
  5. Go to System > Nodes > Node Actions
  6. Click "Join Cluster"
  7. Enter the Management IP of the primary node you wish to join
  8. Provide a hostname to be used by the secondary node
  9. Click "Join"

The CyberEdge will now begin the cluster creation process. During this process, the configuration from the primary active node will be synchronized to the secondary passive node. Once the cluster join has completed, DNS for the management user interface https://localnetwork.zone will always resolve to the primary active node.

Info

The cluster join process make take several minutes to complete

Important information before joining a cluster

  • A HA cluster is always created by joining the secondary node to the primary. During the join process, the node you are joining to will always become the primary active node
  • This is a very disruptive action and will clear any unapplied configuration changes. You should join a cluster only during a scheduled maintenance window
  • It is possible to periodically lose access to the web user interface during the CyberEdge cluster join process
  • Both CyberEdge nodes must have unique management IPs and share the same management subnet
  • You should verify the secondary node can ping the management interface of the primary node before attempting to joint the cluster. To do so, go to Status > Network tools > Ping to ping the IP of the management interface
  • Do not reboot either node during the HA cluster join process as it may result in one of more nodes becoming unrecoverable

Configuration Sync

After the successful creation of a cluster, automatic configuration synchronization takes place by duplicating the active primary node to the secondary passive node. When in a cluster, CyberEdge configuration accommodates distinct configuration options that can be exclusively applied to a specified node. These parameters are identified in the management user interface through a split config icon (node field) where applicable.

Config Sync

Node fields that are supported include:

  • IPv4 networks and gateways can be configured per node. This can be accessed via Networks > Connections > Edit (Add or Edit)
  • Static route destinations and gateways. This can be accessed via Networks > Connections > Add Static Route (Add or Edit)
  • IPv4 networks for Client to Site VPN virtual connection. Networks > Connections > Edit (Add or Edit)
  • BGP Router ID, BGP Peer IP and BGP Remote AS. To set node specific BGP configuration go to Routing > BGP (Add or Edit BGP Peer)
  • New connection rate limit exclusions. To set node specific exclusions go to Security Centre > General > New Connection Rate Limits > Excluded ranges

VRRP Configuration

The Virtual Router Redundancy Protocol (VRRP) serves as a protocol designed to improve router reliability in a network. It enables a several CyberEdge units to work together, offering a single virtual IP address. Should the primary active node fail, VRRP allows a secondary CyberEdge node to take over the routing and network functions. For typical CyberEdge High Availability (HA) network setups, employing VRRP is advisable. To configure VRRP navigate to:

  1. Routing > VRRP > VRRP Instances
  2. Click "Add" to create a new VRRP instance
    • Assign a virtual router ID. The virtual router id is used to identify a group of devices
    • Select a network connection to be used by VRRP. In the case of a LAN side VRRP configuration, this typically used a network from the local zone
    • Specify an IPv4 address you wish to use as the virtual IP address. This IPv4 address will be the unified IP address for the VRRP group
  3. Click "Save" and apply changes

The virtual IP address should now responded to ping.

Info

The default recommended VRRP liveness check is 1 second

HA Node Fail back Behavior

In the event of a failover, the option to decide on an automatic fail back to the assigned primary node when the triggering event resolves is available. This choice helps prevent unnecessary back-and-forth transitions between nodes, especially in scenarios where there might be an intermittent, persistent issue. Additionally, in geo-distributed networks, a specific node might be favored due to its strategic positioning within the network. To adjust the fail back settings, navigate to:

  1. System > Nodes > High Availability Settings > Fail back behavior
  2. Set the required Fail back behavior
  3. Click "Save" and apply changes

Note

HA Failover event email notifications are sent to the configured system administrator

Connection Sync

Connection table syncing allows active connections to be replicated from the active node to the secondary node if required. By default, connection sync is disabled. It is a best practice recommendation to set connection syncing to disabled. To enable connection syncing between nodes in a HA configuration navigate to:

  1. System > Nodes > High Availability Settings
  2. Set Connection Syncing to enabled
  3. Click "Save" and apply changes

New connections added to the connection table will now be replicated.

Important note

  • Enabling connection sync can be disruptive process and should be completed during a suitable change window
  • When connection synching has been enabled only newly created connections will be replicated to the second node