FortDoog
New Contributor II

Migrate from VIP to a single LoadBalancer

Hi.

I was wondering how to solve the following issue:

Right now, I have several customers connected via IPsec individually, each one with a different virtual IP to several servers inside my network.

[Image: Untitled Diagram-Copy of Page-1.jpg]

What I want is to transform that into a single load balancer for all of them, BUT without changing the IP on the client side. That way I do not have to modify any phase 2 on the tunnels; I want it to be as transparent as possible for the clients, with minimal disruption.

[Image: Untitled Diagram-Page-1.jpg]

I was wondering if that is possible with a single FW, and if anyone could (please) give me a pointer for that.

So far, what I was thinking was to create an LB for each client, but, I mean, it doesn't feel optimal.

Instead, a single LB for all the customers would be more effective.

My issue is that I do not see a way to do it, like pointing all current VIPs to a single LB IP, all inside the FW.

[Image: Untitled Diagram-Page-3.jpg]

So far, I do not see it without the need for another FW, and without messing up the client side of things.

Any ideas?

"Well, hello there"
AlexC-FTNT
Staff

You're correct. As long as all those tunnels point to individual VIPs, then you will need all of the VIPs.

And to use a single VIP will require the clients to point to that one single IP.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
FortDoog
New Contributor II

Good day all.

I know it's been a while, but something came to mind.

EDIT:

Can the FW do the following while having multiple VDOMs?

In VDOM mode, "technically", I could point all the VIPs to an LB in another VDOM, right? And I could do this without service interruption (the firewall already has 2 VDOMs).

But the thing is, can the FW software understand all of this correctly? It's not a fancy solution, BUT if it works...

"Well, hello there"
Jakob-AHHG
Contributor II

Does the FortiGate handle the IPsec?

If so, it should be easy to set up a load balancer behind the FG, make a cluster that points to the server(s) that can handle the customer, and then flip the VIP's internal IP to the load balancer IP.

We have an internal LB from loadbalancer.org that handles both layer 4 and layer 7 services, but we don't have IPsec tunnels in front of it (yet).

We have the LB in a DMZ range, balancing traffic to web servers and internally to other systems.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
FortDoog
New Contributor II

Let's use graphs again.

The problem:

[Image: Untitled Diagram-Problem.jpg]

And what I think could be the solution, using a second vdom:

[Image: Untitled Diagram-Solution.jpg]

Is this a valid solution: pointing all the VIPs to a virtual server in another VDOM on the same firewall?

"Well, hello there"
Jakob-AHHG

Hmm, no, in my mind, the solution would be to:

  1. Set up a load balancer behind the FortiGate.
  2. Set up rules on it to allow it to serve the apps in the cluster.
  3. Make a test VIP with/without an IPsec tunnel and test that it works.
  4. Move one VIP over to point to the load balancer (in a service window as needed).
  5. Move the rest when allowed.

To my knowledge, there should be no reason to implement another VDOM for this, unless you have other reasons.

We only have 2 VDOMs (+ Global) at our main site, because the inbound SD-WAN/ISP connections are moved there.

All VIPs and other rules are at the root VDOM.

Hope it makes sense.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
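The migration Jakob describes in his two replies (flip the VIP's internal IP to the load balancer, one VIP per change window), as an added FortiOS CLI example that is not part of any post in this thread. Every name and address in it (the "CustomerA" tunnel, the VIP extip 10.10.10.11, the customer server 192.168.50.11, the load balancer 192.168.60.10, the "dmz" interface, the "CustomerA_LAN" address object) is a placeholder. What it shows is the thing the original poster cares about: the customer-facing extip and the phase 2 selector are untouched, only the VIP object's mappedip moves from the customer's server to the load balancer, and the policy that references the VIP by name does not change either.

```text
# Unchanged by the migration: the customer's phase 2 selector still covers the VIP
# address on the FortiGate side (src-subnet) and the customer LAN on the far side.
# Constructed example; names and addresses are placeholders.
config vpn ipsec phase2-interface
    edit "CustomerA-p2"
        set phase1name "CustomerA"
        set src-subnet 10.10.10.11 255.255.255.255
        set dst-subnet 172.16.5.0 255.255.255.0
    next
end

# BEFORE: the VIP maps the tunnel-side address straight to CustomerA's own server.
config firewall vip
    edit "VIP_CustomerA_App"
        set extip 10.10.10.11
        set extintf "any"
        set mappedip "192.168.50.11"
    next
end

# AFTER: same extip (nothing changes for the customer or the tunnel), mappedip
# flipped to the load balancer, which then picks a server from its own pool.
config firewall vip
    edit "VIP_CustomerA_App"
        set extip 10.10.10.11
        set extintf "any"
        set mappedip "192.168.60.10"
    next
end

# The policy references the VIP object by name, so it stays as it was.
config firewall policy
    edit 0
        set name "CustomerA-to-App"
        set srcintf "CustomerA"
        set dstintf "dmz"
        set srcaddr "CustomerA_LAN"
        set dstaddr "VIP_CustomerA_App"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# Check after the flip: sessions for the VIP address should now show the
# DNAT target 192.168.60.10 in the act=dnat line instead of 192.168.50.11.
diagnose sys session filter dst 10.10.10.11
diagnose sys session list
```

Two things to have ready before the first flip, both ordinary routing rather than FortiGate specifics: with NAT left off in the policy, the load balancer sees the customer's original source address (172.16.5.0/24 in the example), so it needs a route for that range back through the FortiGate, otherwise the reply never re-enters the tunnel; and the load balancer's pool has to contain the server that was the old mappedip, or the customer lands on a different backend than before. Repeating the "AFTER" block once per customer VIP is the per-VIP move in step 4 of the list above.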