Hello,
I am currently setting up an HA firewall cluster in GCP. The idea was to use an internal passthrough network load balancer with an L3_DEFAULT forwarding rule for failover, as we want ICMP traffic to go through the firewall. Basically, we would like to use an L3_DEFAULT internal forwarding rule in the second step of the setup described at https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/194181/crea....
Now https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview states that a "load balancer whose forwarding rule uses the L3_DEFAULT protocol cannot be the next hop for a static route". However, we would like to peer the VPC which the internal interface of our firewall is in with another VPC. Is there some workaround to make this work with an internal LB supporting all L3 protocols and not only TCP and UDP?
Thanks a lot in advance.
Hi,
Apparently that is a limitation of the internal passthrough load balancer: it cannot be used with an L3_DEFAULT forwarding rule as the next hop for a static route.
However, I believe that you can achieve this with your HA firewall cluster, as long as VPC peering is established, using other options. You can set up a virtual IP for incoming traffic and configure it as the destination for that traffic. Check how clustering can help with this configuration[1]. Then try using a custom route to direct traffic to your virtual IP.