Control which azure cloudguard instance receives traffic
I have r80.30 cloudguard in azure scaleset fronted by standard lb. How can I control which instance in the scaleset receives traffic from the lb? Is the best way to block the health probes on port 8117 on the specific instance? If yes, what is the best way to do that?
Why do you want to control traffic to a gateway?
1) You can change the order in the ClusterXL object like in a real ClusterXL. So you can control the direction. <<< Best way:-)
2) For maintenance work you can also start a "clusterXL_admin down" on a gateway.
3) The monitoring of port 8117 is included in the implied rules. So you may have to change the implied rules in the global properties and add a drop rule. I don't think that's a good idea!
Thanks for your reply.
To answer your question, I want to be able to perform maintenance on the instances in the scaleset. In this case apply the latest hotfix. Reading the Microsoft documentation on standard load balancers, if the health probe fails for a particular instance it will redirect new traffic to another instance. It will also let the current sessions terminate on their own. This is what I want so that there is no disruption of traffic. AWS makes this easy by just deregistering the instance from the target group.
My Azure CloudGuard is in a scaleset so it is not configured to use ClusterXL. There isn't a cluster object defined in SmartConsole. The CME service creates only gateway objects. In this case I don't think option 1 or 2 will work. Unless I am missing something.
The health check port is controlled by the kernel parameter "cloud_balancer_port":
[Expert@gw]# fw ctl get int cloud_balancer_port
cloud_balancer_port = 8117
This is also defined in /var/opt/fw.boot/modules/fwkern.conf.
So you could try to modify the parameter on the fly like:
fw ctl set int cloud_balancer_port 8119
At least on my instance, the health check was answered with a "RST" after the modification, but I'm not sure what the LB is doing.
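A maintenance drain wrapper around that parameter, as an added example that is not from this thread or from Check Point's own tooling. It assumes the LB probe is TCP 8117 as in the question, that `fw ctl get int`/`fw ctl set int` behave as shown above, and a made-up drain wait of 300 seconds; the parser helpers can be checked without a gateway.

```shell
#!/bin/bash
# Added example, not from the thread or from Check Point: take one scale-set
# member out of the Azure Standard LB pool for maintenance by moving the
# health-probe listener off port 8117, then put it back afterwards.
# Assumptions: run from the Expert shell on the gateway; the LB probe is TCP
# 8117 (as in the question); `fw ctl get int` prints "cloud_balancer_port = N".
# `fw ctl set int` is not persistent, so a reboot after the hotfix returns the
# port to the value in /var/opt/fw.boot/modules/fwkern.conf anyway.

PROBE_PORT=8117      # port the Azure LB health probe is configured for
DRAIN_PORT=8119      # any unused port; the probe fails while this is set
DRAIN_WAIT=300       # seconds to let existing sessions finish (assumed value)

# Extract N from a "cloud_balancer_port = N" line; prints nothing if malformed.
parse_cloud_balancer_port() {
    printf '%s\n' "$1" | sed -n 's/^cloud_balancer_port *= *\([0-9][0-9]*\).*/\1/p'
}

# True when the line shows the probe port the LB expects (member is in service).
probe_enabled() {
    [ "$(parse_cloud_balancer_port "$1")" = "$PROBE_PORT" ]
}

current_port() {
    parse_cloud_balancer_port "$(fw ctl get int cloud_balancer_port)"
}

restore_probe() {
    fw ctl set int cloud_balancer_port "$PROBE_PORT"
    echo "probe port restored: $(fw ctl get int cloud_balancer_port)"
}

drain_for_maintenance() {
    if ! probe_enabled "$(fw ctl get int cloud_balancer_port)"; then
        echo "probe port is not $PROBE_PORT; refusing to drain" >&2
        return 1
    fi
    trap restore_probe EXIT                  # put the probe back even on error
    fw ctl set int cloud_balancer_port "$DRAIN_PORT"
    echo "probe moved to $(current_port); LB should stop sending new flows"
    sleep "$DRAIN_WAIT"                      # existing sessions terminate on their own
    echo "drain window over; install the hotfix now, then exit to restore the probe"
}

# Only drain when explicitly asked, so sourcing this file for its helpers is safe.
if [ "${1:-}" = "drain" ]; then
    drain_for_maintenance
fi
```

Run it as `bash drain.sh drain` on the member being patched; the EXIT trap restores port 8117 when the shell ends, and a reboot does the same via fwkern.conf.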