Warm Standby Overview

Understanding NetCloud Service Gateway High Availability


Warm Standby requires reliable layer-2 connectivity between NetCloud Exchange Service Gateways. In most cases, this means that both service gateways need to be in the same data center or Virtual Private Cloud (VPC)/virtual network (Vnet). The NCX Service Gateways are deployed in a high availability pair with both service gateways sharing a Virtual Router Redundancy Protocol (VRRP) instance to manage the election of a primary responder to the shared WAN virtual IP (VIP). For on-premises deployments, a shared LAN IP address is also possible.

Warm Standby provides high availability in the case of NCX Service Gateway failure or public cloud availability zone outage. It does not directly provide high availability of WAN or LAN connectivity, except in public cloud, where LAN subnet routes are updated to lead to the LAN interface of the active service gateway.

The two NCX Service Gateways should be in the same data center (or different data centers with reliable layer-2 connectivity) or VPC/Vnet. Low latency between the primary and secondary service gateway MGMT interfaces is required for reliable operation.

  • Virtual IP (VIP) addresses for WAN, LAN, or both, are shared between the primary and secondary NCX Service Gateways. Heartbeat messages are sent between the service gateways over their MGMT interfaces.

    Note

    A LAN VIP is not supported in a public cloud.

  • Under normal circumstances, the VIPs are associated with the primary service gateway. Secure Connect site routers communicate and build tunnels to the VIP address shared by the two service gateways, instead of individual communication and tunnels to each service gateway.

  • Connection state is managed individually by each service gateway, but the DNS cache is synchronized between the service gateways to increase availability when the active service gateway changes.

  • If the secondary service gateway stops receiving heartbeat messages from the primary, the VIPs are transferred to the secondary service gateway.

  • When the primary service gateway is operational again (sending heartbeat messages to the secondary service gateway), the VIPs are transferred back to it.
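The failover and failback behavior in the list above can be modeled as a small state machine driven by heartbeat arrival times. The following is an added example, not NetCloud code: the 3-second dead interval, the function names, the flap threshold and the heartbeat timeline are all assumptions constructed for illustration, and VIP transfer is treated as instantaneous.

```python
from dataclasses import dataclass

DEAD_INTERVAL = 3.0  # assumed value: seconds of silence before the secondary takes over


@dataclass
class Transition:
    time: float   # when the VIPs moved
    owner: str    # gateway holding the VIPs after the move
    reason: str


def vip_transitions(heartbeats, end_time, dead_interval=DEAD_INTERVAL):
    """Replay heartbeats received by the secondary on its MGMT interface.

    heartbeats: sorted arrival times of heartbeats from the primary.
    The model starts at t=0 with the primary healthy and holding the VIPs.
    """
    owner, last_seen, out = "primary", 0.0, []
    for t in heartbeats:
        # Silence longer than the dead interval: VIPs move to the secondary
        # at the moment the interval expired.
        if owner == "primary" and t - last_seen > dead_interval:
            owner = "secondary"
            out.append(Transition(last_seen + dead_interval, owner, "heartbeat lost"))
        # A heartbeat while the secondary holds the VIPs means the primary
        # is operational again, so the VIPs are transferred back to it.
        if owner == "secondary":
            owner = "primary"
            out.append(Transition(t, owner, "heartbeat resumed"))
        last_seen = t
    # Silence that lasts until the end of the observation period.
    if owner == "primary" and end_time - last_seen > dead_interval:
        out.append(Transition(last_seen + dead_interval, "secondary", "heartbeat lost"))
    return out


def is_flapping(transitions, window, max_changes):
    """True if more than max_changes VIP moves fall inside any `window` seconds.

    Each move makes site routers rebuild tunnels, because connection state
    is not shared between the gateways, so repeated moves are worth alerting on.
    """
    times = [tr.time for tr in transitions]
    return any(
        sum(1 for u in times if start <= u <= start + window) > max_changes
        for start in times
    )


# Constructed timeline: primary goes silent after t=4, returns at t=10, silent again after t=12.
SAMPLE_HEARTBEATS = [1, 2, 3, 4, 10, 11, 12]
SAMPLE_TRANSITIONS = vip_transitions(SAMPLE_HEARTBEATS, end_time=20)
```

With the constructed timeline, the VIPs move to the secondary at t=7, back to the primary at t=10, and to the secondary again at t=15.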