mhemambika
Staff
Article Id 403992
Description

This article describes how failover between Virtual IPs (VIPs) assigned to different ISPs on a FortiGate can be implemented using SD-WAN with link health monitoring, together with the matching VIP and firewall policy configuration.

This approach keeps the published service reachable by automatically redirecting traffic through the alternate ISP when the primary link fails.

Scope
FortiGate.
Solution

A web server hosted in the internal network needs to be publicly accessible. Two ISPs are in use, each with a distinct Virtual IP (VIP) mapped to the same internal server:

  • ISP1: 203.0.113.13 → VIP1 → internal server 192.168.1.13.

  • ISP2: 198.51.100.22 → VIP2 → internal server 192.168.1.13.

 

Automatic failover is required so that if ISP1 becomes unavailable, inbound traffic is redirected through ISP2, and vice versa.

  1. Configure SD-WAN: Add both ISP interfaces as members of one SD-WAN zone so that routing and link monitoring are managed in one place.

  2. Configure health checks: Create a link health check against a reliable target such as 8.8.8.8 and apply it to both members, so that each ISP is probed independently and (with update-static-route enabled) a member's default route is withdrawn while its check is failing.

  3. Create two VIPs: Define a separate Virtual IP (VIP) for each ISP, with the public IP of that ISP as the external address and the same internal server as the mapped address.

  4. Configure firewall policies: Allow inbound access to the internal server through both VIPs. Because the ISP interfaces are SD-WAN members, the policies reference the SD-WAN zone as the source interface rather than the individual interfaces.

  5. Dynamic DNS or external failover (optional): The FortiGate does not move the public name from VIP1 to VIP2 on its own, so DNS has to be switched. Either configure a Dynamic DNS (DDNS) service that publishes the address of the ISP that is currently up, or use an external monitoring platform (for example Cloudflare or Route 53 health checks) that detects VIP1 failing and changes the DNS answer to VIP2.
    Caveat (TTL management): Keep the TTL (Time To Live) of the public DNS record low. A DDNS or monitoring update takes effect quickly, but clients keep using the cached answer until the TTL expires. A low TTL (60-300 seconds) shortens that window at the cost of a higher DNS query rate.
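The complete CLI configuration for steps 1 to 4, as an added example that is not taken from the article: it assumes FortiOS 7.x syntax, ISP interfaces named wan1 and wan2 with next-hop gateways 203.0.113.1 and 198.51.100.1, an internal interface named internal, and HTTPS (TCP/443) as the published service. The public and internal addresses are the article's; adjust interface names, gateways and ports to the deployment.

```fortios
# Steps 1 and 2: SD-WAN zone, both ISP members, and one health check applied to both.
# Interface names, gateways and the health-check name are assumptions.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    config health-check
        edit "ISP-Check"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            # remove a member's default route while its probes fail
            set update-static-route enable
            set members 1 2
        next
    end
end

# Default route through the SD-WAN zone, so that every member has a route while its link is up
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

# Step 3: one VIP per ISP, both mapped to the same internal server (port 443 is an assumption)
config firewall vip
    edit "VIP1-ISP1-web"
        set extip 203.0.113.13
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.13"
        set extport 443
        set mappedport 443
    next
    edit "VIP2-ISP2-web"
        set extip 198.51.100.22
        set extintf "wan2"
        set portforward enable
        set mappedip "192.168.1.13"
        set extport 443
        set mappedport 443
    next
end

# Step 4: inbound policy. SD-WAN member interfaces are referenced through the zone,
# not by their own names, in firewall policies.
config firewall policy
    edit 0
        set name "Inbound-web-via-VIPs"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP1-ISP1-web" "VIP2-ISP2-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

With update-static-route enabled, a member whose probes fail loses its default route, so outbound failover needs no further change. The static route over the zone is what gives wan2 a route while both links are up, which is required for replies to a session that arrived on wan2 to leave on wan2; confirm the actual reply path in the session table rather than assuming it.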

 

Failover behavior.
When ISP1 becomes unavailable:

  • The SD-WAN health check on the ISP1 member fails and the member is marked dead; with update-static-route enabled, its default route is removed from the routing table.

  • Outgoing traffic is rerouted through ISP2.

  • Inbound traffic to VIP1 (203.0.113.13) no longer reaches the FortiGate, because that address lives on the failed link. VIP2 (198.51.100.22) keeps working unchanged, so the service stays reachable as soon as clients resolve the name to VIP2, whether through automatic DNS failover or a manual record change. No FortiGate configuration change is needed for the switch.

To make the switch automatic, external DNS failover updates the public DNS record from VIP1 to VIP2 when VIP1 stops responding; the record's TTL bounds how long clients keep trying the old address. When ISP1 recovers, the health check marks the member alive again and DNS can be switched back to VIP1.
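CLI commands to verify each stage of the failover, added here and not part of the article. They assume FortiOS 7.x (on 6.4 and earlier the SD-WAN diagnostics live under diagnose sys virtual-wan-link instead) and the article's addresses.

```fortios
# Per-member health-check state: the ISP1 member should read dead while the link is down
# and alive again after recoverytime consecutive good probes
diagnose sys sdwan health-check
diagnose sys sdwan member

# Routing table: with update-static-route enabled, the failed member's default route
# must be absent here, and present again once the member recovers
get router info routing-table all

# Sessions to the web server: compare the inbound and reply interfaces of each VIP session
# (a session that arrived on wan2 should also reply on wan2)
diagnose sys session filter clear
diagnose sys session filter dst 192.168.1.13
diagnose sys session list

# Live check that inbound requests to VIP2 still arrive and are answered while ISP1 is down
# (interface 'any', verbose level 4, stop after 10 packets)
diagnose sniffer packet any 'host 198.51.100.22 and port 443' 4 10
```

Run the routing-table and session checks once with both links up and once with ISP1 pulled, and keep the two outputs: the difference is the failover, and a reply interface that differs from the inbound interface is the asymmetric-routing problem to fix before relying on VIP2.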

 

Related documents:

SD-WAN

Technical Tip: Virtual IP (VIP) port forwarding configuration