Upgrade Cluster in Azure - Public IP
Hello community. I'm at the moment planning the migration of an Azure cluster from R80.10 to R80.40. I know I have to redeploy a new machine for this; however, my question is about the Virtual Public IP address used for site-to-site VPNs. Do I have to change the Public IP for the new one in my site-to-site VPNs (telling the peers about the new IP)? Or is there a way to keep the old public IP address?
According to the Check Point documentation, the Cluster Public IP must be in the same resource group as the VMs. However, the Microsoft documentation mentions that Standard public IPs (which are the ones used by the cluster) can't be moved between resource groups, so I can't move the old public IP to the new resource group. I was wondering if someone has found a way or workaround for this?
Thank you for any help you can give me.
I have an unsupported workaround to keep the same public IP address on the SMS, but I haven't tried it for a FW cluster. Rather than disassociating the public IP address from the NIC, this method actually removes the NIC from the old VM and attaches it to the new VM, which works across resource groups. I have a video detailing the process here: https://youtu.be/dm80UUlsKTI?t=624. You may be able to use a similar method with the FW cluster.
Keep in mind this is not supported, but I have seen it work in lab/production environments. Your mileage may vary. I would recommend trying this in a lab environment first. If you end up trying it out, let me know how it goes!
I have done something similar and from my tests this will work (downtime is included in this scenario).
1. Create a new resource group in the same subscription. Make sure it's in the same region as the old one.
2. Deploy the new cluster there, using the same naming for the cluster as in the old resource group. The frontend and backend network must be the same.
3. Add the new cluster in the CP Management and configure it.
4. Shut down the old cluster.
5. In the new resource group, move the public IP address to another resource group (or delete it).
6. Move the public IP address from the old resource group to the new resource group.
7. Reconfigure the new cluster to use the new IP address.
8. Note down the IP address on the back-end load balancer in the old resource group. Change the IP address to another one that is free in the range.
9. On the backend load balancer in the new resource group, replace the IP address with the one that was noted down in step 8.
10. I don't know if you use the front-end load balancer for anything, but it should be roughly the same process.

I have done steps 1-9 and it works like a charm 🙂 As for the public load balancer, I have never used it.
Hi Prerag, thank you for the info. May I ask, when did you do this test? The thing is, I was checking the Azure documentation and it says that you can't move a Standard Public IP to a different resource group (or maybe I'm misunderstanding it?).
The cluster HA uses a Standard Public IP, and even the balancers that are deployed are the Standard ones (Basic Public IPs, which can be moved between resource groups, wouldn't be compatible with this kind of balancer). That is why I was wondering if maybe something changed or I'm doing something wrong.
You are correct. When I get to think about it, it was when we did the testing with a Public IP address prefix and unsupported editing of the Azure HA scripts to support public IP prefixes.
I have done some testing and I've sent you the steps in the mailbox. It relies on exporting the ARM template from the new cluster, modifying the value of the external and internal load balancer name, and the public IP address reference. You deploy this ARM template in the same resource group as the old cluster. It will again require downtime, but also check with Check Point if this will be supported.
Well, good news! There is a new R80.40 template which allows reusing the VIP from the previous cluster. I haven't tested it yet, but according to the notes this was included.