Example Cloud HA Configuration

Diagram

This diagram shows an example of a CloudEOS and vEOS Router deployment in which the Cloud HA has been configured.

See For examples

Configuration

To enable CloudHa and set the hysteresis timer (the time to wait before recovering local subnet traffic after failure recovery), use the following general configuration.

Note: Hysteresis time should not be set to less than 20 seconds.

"generalConfig" : {
  "enable_optional" : "true",
  "hysteresis_time_optional" : "20"
}

BFD Configuration

To configure the BFD link between the HA pair of CloudEOS and vEOS Routers that is used to detect peer failure, the peer IP address and local BFD source interface must be provided. The peerVeosIp address can be any reachable address of the peer CloudEOS and vEOS router (direct or tunnel). The bfdSourceInterface is the local CloudEOS and vEOS router interface used to reach the peerVeosIp address.

"bfdConfig" : {
  "peerVeosIp" : "10.1.0.5",
  "bfdSourceInterface" : "Ethernet1"
}

Cloud Configuration

In order to have access to the cloud services, the CloudEOS and vEOS Router must be provided with credentials. Additionally, a proxy may be configured for the connection to the cloud services to go through.

AWS

In AWS, a region must be specified. It is recommended to authorize the CloudEOS and vEOS Router by assigning it an IAM role, but optionally an explicit credential can be specified.

"awsConfig" : {
  "region" : "us-west-1",
  "aws_credentials_optional" : {
    "aws_access_key_id" : "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  },
  "http_proxy_optional" : {
    "http_port_optional" : "3128",
    "http_proxy_port_optional" : "3128",
    "http_proxy_optional" : "10.1.0.10",
    "http_proxy_user_optional" : "JohnDoe",
    "http_proxy_password_optional" : "MyPassword"
  }
}

Azure

There are two authorization models that can be used in Azure: SDK Auth Credentials and Active Directory Credentials. SDK Auth Credentials are the recommended authorization model.
  • SDK Auth Credentials

    To generate SDK Auth Credentials please follow the instructions on this page: https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac.

    "azureSdkAuthCredentials" : {
      "clientId": "e817439781-b494-474c-a138-7d1dawefj3902",
      "clientSecret": "f5e873436-a1a5-4a1d-b5d8-203fdasdfb5bc3",
      "subscriptionId": "ef16892c-aa46-4aba-ae9a-d4fhsb1c612c",
      "tenantId": "5haf781ec-cb78-48ea-a1df-1a95dfjd809946e",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
  • Active Directory Credentials

    To authorize using Active Directory credentials, a username and password are required. https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac.

    "azureActiveDirectoryCredentials" : {
      "email" : "johndoe@website.com",
      "password" : "MyPassword",
      "subscriptionId" : "ef16892c-aa46-4aba-ae9a-d4fhsb1c612c"
    }

A full example of the Azure Configuration section is given below, using the SDK Auth credential model.

"azureConfig" : {
  "azureSdkAuthCredentials" : {
    "clientId": "e817439781-b494-474c-a138-7d1dawefj3902",
    "clientSecret": "f5e873436-a1a5-4a1d-b5d8-203fdasdfb5bc3",
    "subscriptionId": "ef16892c-aa46-4aba-ae9a-d4fhsb1c612c",
    "tenantId": "5haf781ec-cb78-48ea-a1df-1a95dfjd809946e",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
  },
  "http_proxy_optional": "http://10.1.0.10:3128",
  "https_proxy_optional": "http://johndoe:mypassword@10.1.0.10:3120/"
}

Routing Configuration

In order to program the route tables with the proper local routes during steady state, and the peer routes during failover, the individual routes must be specified in the CloudHa config.

As per the example above, we must configure the necessary route in Route Table 1 in the local routing configuration, and the necessary routes in both Route Table 2 and Route Table 3 in the peer routing configuration.

For CloudEOS and vEOS 2, we would configure Route Table 2 and Route Table 3 in the local routing configuration, and Route Table 1 in the peer routing configuration. The configuration for CloudEOS and vEOS 2 is not shown in this document.

Local Routing Configuration

AWS

In this section the routeTableId specified is for AWS route table ID rtb-17135a73 (shown as Route Table 1 in the above diagram), the destination selects the individual route within the route table we wish to control, and the routeTarget points to the interface ID eni-867caa86 (from the AWS perspective) of the CloudEOS and vEOS Router that traffic should be directed to. Please note that this interface ID belongs to this CloudEOS and vEOS instance and is represented as "Ethernet-<n>" in EOS configs.

"awsLocalRoutingConfig" : {
  "routeTableIdAndRouteNetworkInterface" : [
    { "routeTableId" : "rtb-17135a73", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" }
  ]
}

Azure

In this section the resource group specified is the one which contains the route table referenced beneath it. The routeTableName identifies Route Table 1, and the prefix selects the individual route within Route Table 1 we wish to control. The nextHopIp field uses the IP of the CloudEOS and vEOS Router interface that traffic should be directed to.

"azureLocalRoutingConfig" : {
  "resourceGroupName" : "MyResourceGroup",
  "routeTables" : [
    {
      "routeTableName" : "RouteTable1",
      "routes" : [
        {
          "prefix" : "0.0.0.0/0",
          "nextHopIp" : "10.1.0.4"
        }
      ]
    }
  ]
}

Peer Routing Configuration

As was done for the local configuration with Route Table 1, we must also configure Route Table 2 and Route Table 3 to point to CloudEOS and vEOS 1 during failover. Please note that the routeTarget refers to this CloudEOS and vEOS router's local interface.

AWS

"awsPeerRoutingConfig" : {
  "routeTableIdAndRouteNetworkInterface" : [
    { "routeTableId" : "rtb-33585b73", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" },
    { "routeTableId" : "rtb-2843124c", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" }
  ]
}

Azure

"azurePeerRoutingConfig" : {
  "resourceGroupName" : "MyResourceGroup",
  "routeTables" : [
    {
      "routeTableName" : "RouteTable2",
      "routes" : [
        {
          "prefix" : "0.0.0.0/0",
          "nextHopIp" : "10.1.0.4"
        }
      ]
    },
    {
      "routeTableName" : "RouteTable3",
      "routes" : [
        {
          "prefix" : "0.0.0.0/0",
          "nextHopIp" : "10.1.0.4"
        }
      ]
    }
  ]
}

AWS Full Configuration Example

{
  "generalConfig" : {
    "enable_optional" : "true",
    "hysteresis_time_optional" : "20"
  },
  "bfdConfig" : {
    "peerVeosIp" : "10.1.0.5",
    "bfdSourceInterface" : "Ethernet1"
  },
  "awsConfig" : {
    "region" : "us-west-1",
    "aws_credentials_optional" : {
      "aws_access_key_id" : "AKIAIOSFODNN7EXAMPLE",
      "aws_secret_access_key" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    },
    "http_proxy_optional" : {
      "http_port_optional" : "3128",
      "http_proxy_port_optional" : "3128",
      "http_proxy_optional" : "10.1.0.10",
      "http_proxy_user_optional" : "JohnDoe",
      "http_proxy_password_optional" : "MyPassword"
    }
  },
  "awsLocalRoutingConfig" : {
    "routeTableIdAndRouteNetworkInterface" : [
      { "routeTableId" : "rtb-17135a73", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" }
    ]
  },
  "awsPeerRoutingConfig" : {
    "routeTableIdAndRouteNetworkInterface" : [
      { "routeTableId" : "rtb-33585b73", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" },
      { "routeTableId" : "rtb-2843124c", "destination": "0.0.0.0/0", "routeTarget" : "eni-867caa86" }
    ]
  }
}

Azure Full Configuration Example

{
  "generalConfig" : {
    "enable_optional" : "true",
    "hysteresis_time_optional" : "20"
  },
  "bfdConfig" : {
    "peerVeosIp" : "10.1.0.5",
    "bfdSourceInterface" : "Ethernet1"
  },
  "azureConfig" : {
    "azureSdkAuthCredentials" : {
      "clientId": "e817439781-b494-474c-a138-7d1dawefj3902",
      "clientSecret": "f5e873436-a1a5-4a1d-b5d8-203fdasdfb5bc3",
      "subscriptionId": "ef16892c-aa46-4aba-ae9a-d4fhsb1c612c",
      "tenantId": "5haf781ec-cb78-48ea-a1df-1a95dfjd809946e",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    },
    "http_proxy_optional": "http://10.1.0.10:3128",
    "https_proxy_optional": "http://johndoe:mypassword@10.1.0.10:3120/"
  },
  "azureLocalRoutingConfig" : {
    "resourceGroupName" : "MyResourceGroup",
    "routeTables" : [
      {
        "routeTableName" : "RouteTable1",
        "routes" : [
          {
            "prefix" : "0.0.0.0/0",
            "nextHopIp" : "10.1.0.4"
          }
        ]
      }
    ]
  },
  "azurePeerRoutingConfig" : {
    "resourceGroupName" : "MyResourceGroup",
    "routeTables" : [
      {
        "routeTableName" : "RouteTable2",
        "routes" : [
          {
            "prefix" : "0.0.0.0/0",
            "nextHopIp" : "10.1.0.4"
          }
        ]
      },
      {
        "routeTableName" : "RouteTable3",
        "routes" : [
          {
            "prefix" : "0.0.0.0/0",
            "nextHopIp" : "10.1.0.4"
          }
        ]
      }
    ]
  }
}
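
The recommendations in the Configuration and Cloud Configuration sections (the 20-second hysteresis floor, an IAM role rather than an explicit AWS credential, SDK Auth rather than Active Directory credentials) can be checked before a config is deployed. The Python linter below is an added example, not Arista code; the rule names, the key-name heuristic for spotting secrets, and the sample values are assumptions.

```python
import json
from urllib.parse import urlsplit
MIN_HYSTERESIS_S = 20                    # floor stated in the note on this page
SECRET_HINTS = ("password", "secret")    # assumption: key-name heuristic
# Constructed sample: the page's AWS layout with a 10 s timer and dummy secrets.
SAMPLE = """{
  "generalConfig": {"enable_optional": "true", "hysteresis_time_optional": "10"},
  "awsConfig": {"region": "us-west-1",
    "aws_credentials_optional": {"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
                                 "aws_secret_access_key": "constructed-dummy"},
    "http_proxy_optional": {"http_proxy_optional": "10.1.0.10",
                            "http_proxy_password_optional": "constructed-dummy"}}
}"""

def walk(node, path=""):
    """Yield (dotted_path, key, value) for every scalar held in a dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            else:
                yield child, key, str(value)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def audit(text):
    """Return (rule, path) findings; secret values are never echoed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:   # e.g. a trailing comma in a route list
        return [("invalid-json", f"line {exc.lineno}")]
    findings = []
    hyst = str(cfg.get("generalConfig", {}).get("hysteresis_time_optional", MIN_HYSTERESIS_S))
    if not hyst.isdigit() or int(hyst) < MIN_HYSTERESIS_S:  # non-numeric also fails
        findings.append(("hysteresis-below-20s", "generalConfig.hysteresis_time_optional"))
    if cfg.get("awsConfig", {}).get("aws_credentials_optional"):
        findings.append(("static-aws-key-not-iam-role", "awsConfig.aws_credentials_optional"))
    if "azureActiveDirectoryCredentials" in cfg.get("azureConfig", {}):
        findings.append(("azure-ad-password-model", "azureConfig.azureActiveDirectoryCredentials"))
    for path, key, value in walk(cfg):
        if value and any(hint in key.lower() for hint in SECRET_HINTS):
            findings.append(("plaintext-secret", path))
        elif "://" in value and urlsplit(value).password:
            findings.append(("credentials-in-url", path))
    return findings
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Findings carry only the rule and the JSON path, so the output can go to CI logs without leaking the secret it reports.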