Simon_Macpherso
Advisor

CloudGuard HA IAAS Deployment

Hello all,

I've deployed a CloudGuard IaaS HA cluster to Azure public cloud using Terraform.

I’ve based my Terraform code on the latest HA configuration templates available on the CheckPointSW repo.

https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/high-availability-new-vne...

I notice after deployment that the azure-ha.json file has not been updated with the required key values.

Running azure_ha_test.py reports missing attributes.

The cloud-init.sh script exists in the root module and custom_data in os_profile references the correct path, i.e. custom_data = templatefile("${path.module}/cloud-init.sh"

Should the azure-ha.json file contain the relevant values immediately after deployment or are these values added to the file once the gateways have been added and configured on the management server and received policy? I haven't added the gateways to a new cluster on the management server yet. 

 

Regards,

Simon

0 Kudos
2 Replies
PhoneBoy
Admin

You're not officially in HA mode until you add the gateways and push policy, so I would presume these get added once that's happened.

0 Kudos
Simon_Macpherso
Advisor

I've added the cluster to SmartConsole and pushed a policy to the gateways.

The gateways are now in HA mode.

However, the azure-ha.json remains unpopulated. 

Also HA is not working correctly.

On the CLI, when the primary is active I can SSH to it via the cluster IP. If I reboot the primary (active) and try to SSH in to the secondary using the cluster IP I cannot connect, even though the cluster has successfully failed over to the standby (now active). Once the primary has rebooted and re-enters the cluster in standby mode, I still cannot connect using the cluster IP. If I reboot the secondary (active), the cluster fails over and I can connect to the primary (now active) using the cluster IP. So I can only connect to the cluster using the cluster VIP when the primary is active.

 

0 Kudos