2 Different Public Address for High Availability

This is my first time asking a question here, and I was wondering whether it is possible to have two different ISP public IPs connected to a single system for high availability?

For example, if our ISP 1 goes offline, the 2nd ISP will be available, just like Google and YouTube have different public addresses. I am just at a loss where to configure this.

We are currently using a Fortinet 300D.


Solution 1:

Yes, but how you implement this will affect the user experience when one of the systems fails.

At its simplest you can enter 2 address A records in your external facing DNS and users will be sent to both addresses (known as round-robin DNS load balancing). This is not particularly good, as it means that when one of the addresses is unavailable approximately half of the user connections will fail. It also is inefficient as clients of one ISP may be sent through the other ISP, or through the ISP with the less desirable route. Client application and DNS caching can delay clients getting the address to the working system, so failing clients tend to fail for fairly long periods without intervention to restart applications and flush DNS caches. If you keep the DNS TTL short and don't mind brief outages you can manually disable an address when the service is not available at that address; however, the user experience is still of a brief failure.

To smarten this up you need to have an external system check that your service is available, and automatically update the DNS records to point users to the working system(s). Further improvements have the DNS system directly connected to the back-end monitoring to direct users to the less loaded system. Although automated, there is still a user experience in which some users will still see a failure.

None of this is specific to your firewall, which simply presents two external interfaces to the two ISPs. Note it is not possible to route traffic for ISP1 through ISP2 or vice versa as internet routing will simply drop this traffic. You cannot "cross connect" two ISPs and expect anything to work.

Major enterprises will generally not depend on DNS round-robin alone. Instead they will move to their own network (or partner networks) and have the ISPs route to their network in a system known as peering. The corporate network may have many peers consisting of multiple ISPs distributed on a regional to global scale. By exchanging routing information clients are routed from their ISP through the ISP(s) that are currently working and onto the corporate network. This can still result in brief outages while networks are unreachable, however these systems provide excellent redundancy for the corporate network to be reachable even during link outages.

Other more complex sophisticated solutions are possible, but outside the scope of a StackExchange answer. As examples:

  • Place a load balancer on a highly reliable system (Azure, AWS, etc.) and have it forward traffic to the monitored address that is "up".
  • Use a VPN based peer (sometimes referred to as a tunnel broker) to get an external IP independent of your ISPs, and allow the VPN tunnel to come across both ISPs.
  • Move the entire system to a high availability location.
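As an added illustration of the round-robin DNS behaviour described in this answer (this is not code from the answer or from Fortinet), the following model simulates clients caching one of two A records for a TTL, one ISP's address going dark, and an external health check that withdraws the dead record from the zone. The two addresses are constructed documentation-range IPs and the tick counts and client numbers are arbitrary assumptions.

```python
"""Constructed model of round-robin DNS failover (added example, not from the answer).

Shows why about half of connections fail after one ISP's address dies when two
A records are published, and how a health check that withdraws the dead record,
combined with a short TTL, bounds how long clients keep failing."""
from collections import deque

ISP1 = "198.51.100.10"   # constructed public address reached via ISP 1
ISP2 = "203.0.113.10"    # constructed public address reached via ISP 2


def simulate(n_clients=100, ttl=30, outage_at=60, ticks=120, check_every=None):
    """Return the fraction of failed client connections at each tick.

    Each client connects once per tick to the first address of its cached
    answer and re-resolves only when that answer's TTL expires (expiry is
    staggered so refreshes are spread over the TTL window). ISP1's address
    stops answering at `outage_at`. If `check_every` is set, an external
    health check notices the failure after that many ticks and removes the
    dead A record from the zone; otherwise the zone is never changed.
    """
    zone = deque([ISP1, ISP2])            # published A records, rotated per query
    live = {ISP1, ISP2}                   # addresses that actually answer
    cache = []                            # per client: (cached address, expiry tick)
    for i in range(n_clients):            # initial lookups, alternating answers
        zone.rotate(-1)
        cache.append((zone[0], i % ttl))
    failures = []
    for t in range(ticks):
        if t == outage_at:
            live.discard(ISP1)            # ISP 1 link goes down
        if check_every and t >= outage_at + check_every and ISP1 in zone:
            zone.remove(ISP1)             # health check withdraws the dead record
        failed = 0
        for i in range(n_clients):
            addr, expires = cache[i]
            if t >= expires:              # TTL expired: query the zone again
                zone.rotate(-1)           # round-robin: next record comes first
                addr = zone[0]
                cache[i] = (addr, t + ttl)
            if addr not in live:
                failed += 1
        failures.append(failed / n_clients)
    return failures


if __name__ == "__main__":
    plain, checked = simulate(), simulate(check_every=5)
    print("round-robin only, failure fraction after outage:", plain[60], plain[119])
    print("with health check, failure fraction at t=65 and t=95:", checked[65], checked[95])
```

Without the health check the failure fraction stays at one half for as long as the outage lasts; with it, failures stop once the detection delay plus one TTL has elapsed, which is the case for keeping the TTL short that the answer makes.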