Cloud SWG dedicated IP address redundancy and failover behaviour


Article ID: 276631


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Dedicated IP address enabled for certain domains.

Dedicated IP address feature enabled for multiple locations (EMEA, NA and APAC) so that routing to the dedicated IP address gateway remains as close to the user as possible.

SaaS Applications performing ACLs based on the assigned dedicated IP addresses for this tenant.

What happens if a dedicated IP address site is unavailable - do we fail over to the next nearest site?

What if all dedicated IP address sites are down - do we fail open or closed?

Environment

Cloud SWG.

Dedicated IP address feature enabled.

Resolution

Each dedicated IP address site has multiple gateways. If one gateway is down and the next gateway in the same site is up, the traffic will egress out of the next gateway with a dedicated IP address. A dedicated IP address site is marked as down only when all gateways in that site are down.

When the Cloud Proxy tries to forward the request to the dedicated IP address site, but that dedicated IP address site is unavailable, the Proxy will only attempt to forward to the 'next nearest' dedicated IP address site. If you have 15 dedicated IP address sites enabled for your tenant, it will not query all 15 in the case where they are all down; that is, the Proxy does not attempt to use every DEI location where a customer has resident dedicated IPs.

In the case where both the nearest and next nearest dedicated IP address sites are down, the proxy will fail open and egress with one of its publicly assigned IP addresses.
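The following model of the failover order described above is an added example, not Cloud SWG or vendor code. It shows that fail-open egress from a public address no longer matches a SaaS source-IP ACL built on the dedicated IPs. Assumptions: each gateway has its own dedicated IP, all addresses are constructed from documentation ranges, and every function and variable name is hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Site:
    name: str
    gateways: dict  # dedicated egress IP -> True if that gateway is up

    def egress_ip(self):
        # A site counts as down only when every one of its gateways is down.
        return next((ip for ip, up in self.gateways.items() if up), None)

def select_egress(sites_by_proximity, public_ip):
    """Return (egress_ip, is_dedicated) for a request to a dedicated-IP domain."""
    # Only the nearest and next nearest sites are tried, however many are enabled.
    for site in sites_by_proximity[:2]:
        ip = site.egress_ip()
        if ip is not None:
            return ip, True
    return public_ip, False  # fail open via a publicly assigned address

def acl_allows(src_ip, allowed_networks):
    """Source-IP ACL as a SaaS application might apply it (assumed behaviour)."""
    return any(ip_address(src_ip) in ip_network(n) for n in allowed_networks)

# Constructed sample data: documentation ranges, not real Cloud SWG addresses.
PUBLIC_IP = "192.0.2.10"
SAAS_ACL = ["203.0.113.0/24", "198.51.100.0/24"]

def tenant_sites(down=()):
    """Three sites ordered nearest first for an EMEA user; `down` lists failed gateways."""
    layout = [("EMEA", ["203.0.113.1", "203.0.113.2"]),
              ("NA", ["203.0.113.65", "203.0.113.66"]),
              ("APAC", ["198.51.100.1", "198.51.100.2"])]
    return [Site(n, {ip: ip not in down for ip in ips}) for n, ips in layout]

if __name__ == "__main__":
    cases = {
        "all healthy": set(),
        "one EMEA gateway down": {"203.0.113.1"},
        "EMEA site down": {"203.0.113.1", "203.0.113.2"},
        "EMEA and NA down, APAC up": {"203.0.113.1", "203.0.113.2",
                                      "203.0.113.65", "203.0.113.66"},
    }
    for label, down in cases.items():
        ip, dedicated = select_egress(tenant_sites(down), PUBLIC_IP)
        print(f"{label:26} egress={ip:13} dedicated={dedicated} "
              f"acl_allows={acl_allows(ip, SAAS_ACL)}")
```

In the last case the APAC site is healthy but is never tried, so the request leaves from the public address and the SaaS ACL rejects it. A source address outside the dedicated ranges in SaaS sign-in logs is therefore a usable signal that fail-open occurred.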