Deployment Steps for Geo Cluster in AWS Transit Gateway High Availability

This section gives advanced use cases for using Check Point's Security Geo ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. in AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.. A typical Security Geo Cluster use case is cross VPC, region, and account protection (see more use cases here). Using AWS attachment and inter-region peering, you can interconnect and protect an entire distributed environment by means of a central security solution. This solution is highly available and does not interfere with safe traffic.

Step 1: Prepare Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region, where you want to deploy Check Point CloudGuard Cross AZ Cluster on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may have to do this, if you have an existing deployment that uses the AWS resources below, and you may exceed the default limit with this deployment.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • Number of Customer for each region.

    • Number of virtual private for each region.

    • VPN connections for each VPC.

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must have minimum permissions set configured below.

In the AWS VPCClosed AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is isolated from other Virtual Networks in the AWS cloud. Console navigate to IAM service, select the relevant IAM policy and copy/paste this text:

Copy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateLocalGatewayRouteTable",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
Copy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Step 2: Subscribe to CloudGuard Network Security

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to the AWS Marketplace.

  2. Search for "CloudGuard Network Security".

  3. Select one of these licensing options for Check Point CloudGuard Security Gateways:

    Or one of these licensing options for a Check Point CloudGuard Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

    Note - If you want to manage more than five Security Gateways, select the BYOL option and contact Check Point Sales to purchase a license.

  4. Select Continue to subscribe.

  5. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploying the Security Geo Cluster for Transit Gateway High Availability (HA)

Before you deploy Check Point's Security Geo Cluster in AWS's TGW HA, select a CloudFormation template for a "new" or "existing" VPC. Next, follow the instructions in this section on how to deploy the AWS TGW HA. Finally, review and test the deployment. If you decide to deploy the Geo Cluster without association of Elastic IP to the Cluster MemberClosed Security Gateway that is part of a cluster., see Deploying Geo Cluster Members without an Elastic IP

Select one of the CloudFormation templates to launch the Geo Cluster for Transit Gateway HA template in your AWS account.

Notes:

  • When you deploy the CloudFormation template, the Check Point First Time Wizard runs automatically. (Note - This is a one-time reboot).

  • To route all traffic going outside the VPC by means of Check Point's Cluster Active Member, the CloudFormation template automatically creates an AWS routing table that associates the internal subnets from bot Availability Zones.

  • To route all traffic from the TGW attachments outside the subnet by means of Check Point's Cluster Active Member, the CloudFormation template automatically creates an AWS routing table that associates the TGW subnets from both Availability Zones.

  • After you run the template, the default Active Member is "Member A".

Parameters for Deploying a Geo Cluster for TGW HA into a New VPC

Use these parameters for deploying a Geo Cluster in a New VPC:

Parameter Name Default Value Description

VPC CIDR

10.0.0.0/16

The CIDR block for the VPC.

Availability Zones

Requires input

The specific Availability Zones you want to use for the Cluster Members.

This field shows the available zones within your selected region. You must select two Availability Zones from this list. The logical order of your selections is preserved in your deployment. Each member is deployed in a different Availability Zone.

Public Subnet 1 CIDR

10.0.0.0/24

CIDR block for Public Subnet 1 located in the 1st Availability Zone.

Public Subnet 2 CIDR

10.3.0.0/24

CIDR block for Public Subnet 2 located in the 2nd Availability Zone.

Private Subnet 1 CIDR

10.1.0.0/24

CIDR block for Private Subnet 1 located in the 1st Availability Zone.

Private Subnet 2 CIDR

10.4.0.0/24

CIDR block for Private Subnet 2 located in the 2nd Availability Zone.

TGW Subnet 1 CIDR

10.2.0.0/24

CIDR block for TGW Subnet 1 (used for the Security VPC TGW attachment) located in the 1st Availability Zone.

TGW Subnet 2 CIDR

10.5.0.0/24

CIDR block for TGW Subnet 2 used for the Security VPC TGW attachment) located in the 2nd Availability Zone.
Parameter Name Default Value Description

Version & license

R80.40-PAYG-NGTP

The license to use for the Security Gateways.

Admin shell

/etc/cli.sh

Default administrator shell when logging in to GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS on your instance.

Password hash

Optional

The administrator password hash.

Run this command to get the password hash:

openssl passwd -1 <PASSWORD>

SIC key

Requires input

One-time activation key.

Enter a string that contains 8 to 127 alphanumeric characters.

Allow upload & download

true

When true, the instance can automatically download the Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. contracts and other important data. Also, this improves product experience by sending data to Check Point. For more information on configuration, see sk111080.
Primary NTP server

169.254.169.123 (Optional)

 Option to input a different NTP server.
Secondary NTP server 0.pool.ntp.org (Optional) Option to input a different Secondary NTP server.

Smart-1 Cloud (Check Point’s management server as a Service) is a recommended option to use CloudGuard Network Security gateways.

Parameter Name

Default Value

Description
Smart-1 Cloud Token for member A

Requires input

Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Smart-1 Cloud Token for member B

Requires input

Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Parameters for Deploying a Geo Cluster for TGW HA into an Existing VPC

Use these parameters for deploying a Geo Cluster in a New VPC:

Parameter Name Default Value Description
VPC CIDR

Requires input

The ID of your existing VPC.

Public Subnet 1

Requires input

Select a Public Subnet in the first Availability Zone of your VPC.
Public Subnet 2

Requires input

Select a Public Subnet in the second Availability Zone of your VPC.
Private Subnet 1

Requires input

Select a Private Subnet in the first Availability Zone of your VPC.
Private Subnet 2 Requires input Select a Private Subnet in the first Availability Zone of your VPC.

Transit Gateway

HA Subnet 1

Requires input

Select a Transit Gateway HA Subnet (this will be used for the Security VPC TGW attachment) in the first Availability Zone of your VPC.

Transit Gateway

HA Subnet 2

Requires input

Select a Transit Gateway HA Subnet this will be used for the Security VPC TGW attachment) in the first Availability Zone of your VPC.
Parameter Name Default Value Description

Members name prefix

Optional

Prefix for Cluster Members name tag (the name ends with "member A" or "member B").

Instance type

c5.xlarge

The EC2 instance type for the Security Gateways.

Key name

Requires input

A pair of public and private keys that allows you to connect securely to your instance after it launches.

When you created an AWS account, this is the key pair that you created in your preferred region.

Existing IAM role name

Optional

A predefined IAM role to attach to the instance profile. If the IAM role is not set to existing, it is ignored.

Allocate Elastic IPs for cluster members

true

When the value is true, then the Cluster Member is deployed with an Elastic IP. If the value is false, then make sure the Cluster Members can connect to an EC2 endpoint.
Parameter Name Default Value Description

Password hash

Optional

The administrator password hash. Run this command to get the password hash: openssl passwd -1 <PASSWORD>

SIC key

Requires input

One-time activation key. Enter a string that contains 8 to 127 alphanumeric characters.

Allow upload & download

true

When true, the instance can automatically download the Software Blade contracts and other important data. Also, this improves product experience by sending data to Check Point. For more information on configuration, see sk111080.

Enable Instance Connect

false

When the value is true, then the AWS Instance Connect is enabled on the Cluster Member, and allows for opening a SSH console to the instance over HTTPS by means of the AWS web console.

Primary NTP server

169.254.169.123 (Optional)

 Option to input a different NTP server.

Secondary NTP server

0.pool.ntp.org (Optional)

 Option to input a different Secondary NTP server.

Smart-1 Cloud (Check Point’s management server as a Service) is a recommended option to use CloudGuard Network Security gateways.

Parameter Name

Default Value

Description
Smart-1 Cloud Token for member A

Requires input

Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Smart-1 Cloud Token for member B

Requires input

Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Step 4: Deploying the AWS Transit Gateway

Deployment minimum permissions

Follow the AWS instructions to deploy Transit Gateways

When you create the Transit Gateway, configure these settings in Amazon VPC console:

  1. Disable the Default route table association.

  2. Disable the Default route table propagation.

  3. For cross-account spokes, enable the Auto accept shared attachments.

Note - If you did not disable the Default route table association and the Default route table propagation settings, then delete the existing Transit Gateway and create a new one. If you do not delete the earlier Transit Gateway, AWS associates and propagates all attachments to the Transit Gateway to the same default Transit Gateway route table. As a result, traffic can flow directly between spokes and not through CloudGuard Gateways. To change this, move the association and propagation to the correct Transit Gateway route table.

Step 5: Configuring the Security Geo Cluster for Transit Gateway HA

Attaching Spoke VPCs to the Transit Gateway

To attach Spoke VPCs to the Transit Gateway:

  1. Create the Spoke VPCs and its subnets.

  2. Attach all Spoke VPCs to the Transit Gateway created earlier.

  3. Add a default route to the Transit Gateway in each Spoke VPC route table:

    Destination: 0.0.0.0/0

    Target: Transit Gateway ID

Notes:

  • The route table must be the route table in which the associated subnets are those attached to the Transit Gateway.

  • To remove a link from a spoke, delete the VPC attachment from the Transit Gateway.

Attaching a Security VPC to the Transit Gateway

To route all traffic coming into the TGW to the Security Gateways and send traffic from the Gateways to the correct destination, you must attach the Security VPC to the TGW.

To attach a Security VPC to the Transit Gateway:

Step Description

1

Attach the Security VPC (in which the Cluster Members are deployed in) to the Transit Gateway you created. The subnets you use for the VPC attachment must be the dedicated TGW subnets in both Availability Zones.

2

Add a default route to the Transit Gateway in the public route table (to which the public subnets are associated too):

The route table must contain a default route to the Internet Gateway and specific routes for the spokes to the Transit Gateway.

Route 1:

Destination: <SPOKES_CIDR_INITIAL>

Target: Transit Gateway ID

Route 2:

Destination: 0.0.0.0/0

Target: Internet Gateway ID

Configuring Transit Gateway Route Tables

To configure a Transit Gateway route table:

Step Description

1

In Amazon VPC console, go to the Transit Gateway Route Tables tab.

2

Configure a checkpoint route table:

  • Create a new checkpoint route table.

    • Associate the Security VPC attachment.

    • Propagate the route table to the spokes.

This creates a route from each CloudGuardTransit Gateway HA member to all spoke VPCs.

3

Configure a spokes route table:

  1. Create a new spokes route table.

  2. Associate the spokes attachments to the route table.

  3. Create a static default route to the Security VPC attachment.

This creates a default route from each spoke to the Security VPC attachment that is directed to the Active CloudGuard HA member.

Step 6: Configuring the Security CloudGuard Geo Cluster for Transit Gateway HA in SmartConsole

For the Security Gateways to run as a synchronized cluster and to apply a security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. to the cluster, you must configure the cluster object on the Security Management.

Configuring the Cluster Object

Step Description

1

Use SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to connect to your Check Point Security Management Server.

2

If the Security Management Server and the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address.

Edit the Security Management Server object and change the IP address.

Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

3

Create the Cluster Member:

In SmartConsole, at the top click Cluster > Cluster... > Classic Mode.

4

Define the cluster's general properties:

  1. In the Cluster Name field, enter a name for the cluster object (as in "Cluster_HA").

  2. In the IPv4 Address, enter a dummy IP address (such as 0.0.0.0).

  3. Current limitation: The Geo Cluster does not work with the IPsec VPN, for that reason clear the IPsec VPN checkbox.

5

Define the Cluster Members:

  1. In the Cluster's object left pane, click Cluster Members.

  2. Configure Member A:

    1. Click Add > New Cluster Member.

    2. In the Name field, enter the member's name (in our example: Member_A).

    3. In the IPv4 Address field, enter the member's IP address of its external interface (eth0).

      • If the management connects to the Cluster Members over a private IP address, enter the private IP address of the interface.

      • If the management connects to the Cluster Members over a public IP address, enter the Elastic IP address of the interface.

    4. Click Communication.

    5. Enter the one-time activation key used in the Geo Cluster CloudFormation Template.

    6. Click Initialize.

  3. Configure Member B:

    1. Click Add > New Cluster Member.

    2. In the Name field, enter a member's name (in our example: Member_B).

    3. In the IPv4 Address field, enter the member's IP address of its external interface (eth0):

      • If the management is connecting to the Cluster Members over private IP address, enter the private IP address of the interface.

      • If the management is connecting to the Cluster Members over public IP address, enter the Elastic IP address of the interface.

    4. Click Communication.

    5. Enter the one-time activation key used in the Geo Cluster CloudFormation Template.

    6. Click Initialize.

6

Change the cluster mode to Active-Active:

  1. In the Cluster's object left pane, click ClusterXL and VRRP.

  2. Select Active-Active.

7

Mandatory step:

Click OK.

8

Open the cluster object and continue the configuration.

9

Configure the Cluster's Topology:

  1. In the Cluster's object left pane, click Network Management.

  2. Click Get Interfaces > Get Interfaces with Topology > click Accept.

  3. Configure eth0:

    1. Click eth0 and click Edit.

    2. In the Network Type select Cluster (the IPv4 must stay as 0.0.0.0).

    3. Click Topology > disable Anti-Spoofing > click OK.

  4. Configure eth1:

    1. Click eth1 and click Edit.

    2. In the Network Type select Cluster and Sync (the IPv4 must stay as 0.0.0.0).

      Note - This network is also used for State Synchronization.

    3. Click Topology > disable Anti-Spoofing > click OK.
8

Verify the settings:

  1. To close the window, click OK.

  2. Install policy on the cluster.

Allowing Outbound Traffic for the Spoke VPCs

Step Description

1

Use SmartConsole to connect to your Check Point Security Management Server.

2

Create an Internal NetworkClosed Computers and resources protected by the Firewall and accessed by authenticated users. for the Spoke VPCs:

In the right navigation bar, click new > Network.

3

Define Network general properties:

  1. Enter a name for your network (as in internal_aws_networks).

  2. In the IPv4 section insert the Network Address and the Net mask of the Spoke VPCs.

4

Create a NAT ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the network to hide behind the Cluster Gateways:

  1. In the Network's object left pane, click NAT.

  2. Check the Add automatic address translation rules.

  3. Leave the configuration as default:

    • Translation method: Hide

    • Hide behind the gateway

5

Check the settings:

  1. To close the window, click OK

  2. Install Policy.

Note:

These are steps for creating a general internal network for the spoke VPCs. There may be cases that more internal networks will need to be created (as in spoke 1 CIDR – 10.1.0.0/16, spoke 2 CIDR – 169.168.0.0/16 will need two different network objects).

Limitation:

During failover, outbound traffic that runs over protocols and save sessions (as in SSH) will need to be restarted.

Step 7: Review and Test the Deployment

Use these steps to check for proper configuration and set up of all components.

If the set up was successful, you will see these components:

Step Description

1

In AWS WebUI:

  1. In the VPC console, under Route Tables, go to the Private Route table (to which the Private Subnets of the Security VPC are associated).

  2. In the Routes table, make sure there is a default route to the Active member's private interface (eth1).

  3. In the VPC console, under Route Tables go to the TGW Route table (to which the TGW attachment Subnets of the Security VPC are associated).

  4. In the Routes table make sure there is a default route to the Active member's public interface (eth0).

2

Log in to both members in the Expert mode:

  1. Run cphaprob state to validate that the cluster is operating correctly.

    Output of cphaprob state command on both cluster member must show identical information for Load State (“ACTIVE”).

    Example:

    [Expert@HostName:0]# cphaprob stat

Cluster Mode: Active Active with IGMP Membership

Number       Unique Address   Assigned Load   State    Name
1 (local)    10.0.1.20        N/A             Active   Member-A
2            10.0.1.30        N/A             Active   Member-B

  2. Run $FWDIR/scripts/aws_ha_test.py and make sure that it ends successfully without errors.

3

Simulate a cluster failover:

From the Active member that is not on standby, run in the Expert mode:

clusterXL_admin down

After two seconds, you should see in AWS WebUI > VPC Console > Route Tables that all route tables (that had a default route directed to the Active Member) are now directed to the Standby Active member.

Notes:

  • To see the changes, refresh the AWS WebUI.

  • It can take a few minutes until failover is fully configured to pass traffic through the Active Member,