diff --git a/README.md b/README.md index a825cb6..e23990d 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) ### ๐Ÿงท Port Security & VIPs - `port_security` **must be enabled** on interfaces where the **VIP** is active. -- **Do not attach** the VIP IP to any server or instance! +- **Do not attach** the VIP interface to any server or instance! - VIP must be added as an `allowed_address_pair` on **both firewalls'** relevant interfaces. --- @@ -27,18 +27,6 @@ Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) --- -## ๐Ÿ” Configuration Rules - -| Rule | Explanation | -|---------------------------------------------------|-------------| -| **Do NOT attach VIP IP to any VM** | The VIP is managed by the HA sync between the firewalls. | -| **VIP must be set with `/32`** | CIDR ranges are not supported for allowed addresses. | -| **VIP must be defined as `allowed_address_pair`** | On both firewalls where it can be active. | -| **Port security must be enabled** | On interfaces holding the VIP. | -| **Security groups must allow traffic for VIP** | If port security is enabled, define rules accordingly. | - ---- - ## ๐Ÿšง Limitations & Notes - **VIP must not be attached to any instance** @@ -62,4 +50,6 @@ Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) - **HA Sync and Preemption is not handled by Terraform** The logic for state sync, failover, and preemption priorities must be configured manually in the firewall GUI or CLI. This project only provisions the infrastructure. +- **floating IP switch only possible with GARP** + Important: The Floating IP will only work correctly after the move if a Gratuitous ARP (GARP) is sent out โ€” this ensures that the IP-to-MAC binding is updated on neighboring network devices.
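Review bot: In the `@@ -14,7 +14,7 @@` hunk, the replacement line "Do not attach the VIP interface to any server or instance!" introduces a term that the surrounding bullets never define. The neighbouring lines treat the VIP as an address that is added as an `allowed_address_pair` on the firewalls' interfaces, and the unchanged Limitations bullet still reads "VIP must not be attached to any instance". Please state which object is meant (if it is a separate port created only to hold the VIP address, say so) and use the same term in both places, so that a reader does not conclude that assigning the address itself to an instance is now acceptable.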
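Review bot: In the `@@ -27,18 +27,6 @@` hunk, deleting the whole Configuration Rules table drops two rules that no other visible line restates: "VIP must be set with `/32`" (CIDR ranges are not supported for allowed addresses) and "Security groups must allow traffic for VIP". The remaining Port Security & VIPs bullets only cover `port_security`, not attaching the VIP, and the `allowed_address_pair` entry. Both dropped rows affect whether the VIP passes traffic once port security is on, so I would move them into the Port Security & VIPs list or into Limitations & Notes rather than remove them, unless they are already covered in a part of the README this diff does not show.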
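Review bot: In the `@@ -62,4 +50,6 @@` hunk, the added bullet says "floating IP" and "Floating IP" where every other visible line says VIP, and it does not say which component has to send the Gratuitous ARP. If this is the same address, call it the VIP here too; if it is a separate floating IP associated with the VIP, say that explicitly. Since the bullet directly above states that HA sync, failover and preemption are configured manually on the firewall and not by Terraform, the note should also say that GARP on failover has to be enabled in the firewall's HA configuration. Style: capitalise the bold heading like the other bullets, and drop the leading "Important:" since the heading already carries the emphasis.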