Palo Alto Networks Firewall Clustering

Clustering offers a more comprehensive High Availability (HA) framework for customers deploying resilient architectures. This topic discusses PAN Clustering.

PAN Clustering is a concept where two Virtual Network Functions (VNFs) are created in Network Edge in an active/passive manner. Under certain user-configurable conditions, the active unit will fail over to the standby with minimal effect on the data plane. This option is ideal for users who want to maintain business continuity. It's often required when deploying mission-critical applications and workloads.

Note: PAN also supports an active/active HA option, but it must be deployed using the HA device option in Network Edge; it is not supported with the clustering option.

A PAN cluster in Network Edge will create two virtual devices and the required linkages between them as required by PAN. This process could take up to an hour depending on other platform variables. This guide will provide a deeper technical overview of PAN Clustering.

Clustering is only supported with Self-Configured devices and customer-provided licenses (BYOL).

Important: If one or more devices in your cluster have to be deleted and re-created, the re-created device(s) will have a new UUID. Manual intervention is required: you will have to associate the new UUID with your existing license.

Architecture

The clustering workflow will create two Palo Alto firewalls in Network Edge. Clustering will consume two virtual interfaces (e1/17 and e1/18) in addition to the two virtual interfaces required by Network Edge orchestration (management and e1/1). The two additional interfaces are used for HA Control and state synchronization. The remaining interfaces are available for customer configuration.

For clustering, license tokens are required to move forward in the workflow. The two tokens may be identical or different. Tokens are not validated at the time of device creation; however, the Palo Alto licensing server is contacted shortly afterwards to confirm the validity of the licenses.

Creating the cluster could take up to 60 minutes. Once completed, the two devices will appear in the portal labeled Node 0 and Node 1.

The WAN IP address used for management is shared by Node 0 and Node 1, and only the active unit in the cluster is reachable through it. The passive unit can still be configured through the console connection, available under Tools in Network Edge.

Clustered devices are treated as a single device in the Equinix Portal. Virtual connections that are built to the cluster are connected to both devices but only show as a single connection because the standby unit inherits the interface addressing of the active unit.
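The clustering workflow builds the HA links described above for you. As an added illustrative example (not Equinix or Palo Alto documentation), the PAN-OS CLI configuration below shows what that layout corresponds to on Node 0: HA1 control on e1/17, HA2 state synchronization on e1/18, active/passive mode. The interface names are from this page; the group ID, device priority and all IP addresses are constructed values.

```text
# Illustrative PAN-OS set commands for Node 0 (added example, not from the original page).
# Lines starting with # are annotations, not CLI input.
configure

# Dedicate the two interfaces reserved by the workflow to HA (interface type "ha")
set network interface ethernet ethernet1/17 ha
set network interface ethernet ethernet1/18 ha

# Enable HA in active/passive mode; group-id and peer-ip are constructed values
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group peer-ip 10.255.0.2

# HA1 control link on e1/17 (constructed addressing)
set deviceconfig high-availability interface ha1 port ethernet1/17
set deviceconfig high-availability interface ha1 ip-address 10.255.0.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252

# HA2 state-synchronization link on e1/18 (constructed addressing)
set deviceconfig high-availability interface ha2 port ethernet1/18
set deviceconfig high-availability interface ha2 ip-address 10.255.1.1
set deviceconfig high-availability interface ha2 netmask 255.255.255.252
set deviceconfig high-availability group state-synchronization enabled yes
set deviceconfig high-availability group state-synchronization transport ip

# Lower device-priority wins the election; Node 1 would use a higher value (e.g. 200)
set deviceconfig high-availability group election-option device-priority 100
set deviceconfig high-availability group election-option preemptive yes

commit
```

Node 1 mirrors this with its own HA1/HA2 addresses and Node 0's HA1 address as peer-ip; after commit, `show high-availability state` on the active node should report the local state as active and the peer as passive, which is a quick way to confirm the links the workflow created are up before cutting production traffic over to the cluster.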

Equinix Components

  • Equinix Fabric – Equinix Fabric is a switching platform that provides private connectivity to a wide selection of providers that are participants on the Fabric. Virtual circuits are provisioned on the Fabric using software-defined networking to establish connectivity to providers that are connected to the Fabric. Virtual connections can be created using the Fabric Portal or APIs.

  • Equinix Network Edge – Network Edge is an ETSI-compliant NFV platform that hosts VNFs (routers, firewalls, and SD-WAN) from various vendors such as Cisco, Juniper, Palo Alto, Fortinet, Versa, Aruba, and Check Point. VNFs can be deployed in real-time and, once deployed, you can start building virtual connections to providers on the Fabric.

Recommendations

These recommendations provide a starting point. Customer requirements might differ from this list.

  • Choice of Location – The clustering option only allows for devices in the same metro location. Clustering across metros is not currently supported.

  • Panorama Support of Standby Firewall – Panorama is Palo Alto’s global manager for multiple physical or virtual firewall devices. It's typically run in the cloud or on premises by customers that want to manage multiple firewalls with a common policy manager. Panorama can access both the active and the standby firewall: both nodes of the active/passive HA deployment are assigned unique registered IPs for full visibility.

Considerations

When implementing this architecture, consider the following factors:

  • Performance – By default, only one device is active when clustering. Care should be taken when determining the total amount of required firewall throughput.