Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Azure HA

Hello! 

Can anyone confirm that I understand this correctly: There is no way to get Active-Passive or Active-Active HA working in Azure with 2 XG instances as Azure does not support MAC spoofing. 

Manually configure HA in Azure - Sophos Firewall -> since here only one Firewall gets created

Additional configuration for virtual hosts - Sophos Firewall -> and this one mentions allowing MAC spoofing for hypervisors in order to get HA working 

So, does this mean I should just use a single XG instance instead of two in Azure?



This thread was automatically locked due to age.
Parents Reply Children
  • Hello Vivek

    Thank you for your respond! 

    Yes, I read through these guides and I currently use Auzure Availability Sets to achieve HA for my instances - but the problem I face is config sync and IPsec tunnels.

    Firstly, config sync would be nice (like active-passive) so my clients would not always need to export / import firewall configs if they change something. Also, im currently using 2 XGs behind an Azure Loadbalancer. Whenver I only use 1 firewall (and stop the other) IPsec works really fine even behind the LB. However, if both firewalls are live, IPsec stops working and my site-to-site VPNs go down.

    So, achieving active-passive would be really nice but i guess this is not possible in Azure (as stated in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122520/sophos-firewall-implement-a-full-ha-inbound-outbound-on-azure)

  • Azure uses SD-Network technologies to connect devices. The rules "of the old world" like ARP and other stuff does not apply there anymore. If you change for example the default gateway to another device, the device is fully offline. Therefore, you will not get the link between both appliances, and you will not get the ARP change to virtual running. 

    You could disable ARP Spoofing on SFOS in the WebUI, which uses the physical MACs, but even then, you have a "vIP", which will be used. Azure does not allow a IP Move from A to B. 

    __________________________________________________________________________________________________________________