APMs in multiple datacenters
Has anyone configured an APM in one datacenter to sync to another APM in a DR datacenter?
We have three APMs whose main purpose is VPN. My original thought was to have an HA pair (sync-failover group) in our main datacenter and have one of them sync (sync-only group) to another at our DR datacenter. The DR datacenter contains different IP subnets, not local to the main datacenter; however, they are routable between the two.
APM1 --sync-failover-group--> APM2
APM1 --sync-only-group--> APM3 (DR)
On the main DC APM, I have two VIPs created - one on a local subnet and the other local only at the DR DC. The firewall at main DC NATs out the local VIP. When the sync-only occurs to the DR DC APM, the VIP local to DR will be NATed.
After configsync occurs, the only thing left would be to change the assigned IP pool for connecting clients at DR. We have GTMs that would determine which APM (Main or DR) users go to.
As it turns out, this doesn't seem to be a supported method. Support says config syncs should occur between local systems.
Our APM has a large amount of configuration I would hate to have to manually copy to DR (via SCF). This will be prone to errors or out-of-sync issues.
I am hoping someone else has VPN requirements at a DR site that need to have the same policies synchronized with their main site.
Any suggestions?
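For readers trying to picture the layout described in the question, here is the device-group topology expressed as tmsh commands. This is an added example, not configuration from the original post or from F5; the device hostnames, device-group names and the SCF filename are placeholders, and it assumes the three units already share a device trust. The post reports that F5 support does not endorse a sync-only group spanning datacenters, so the second group is shown as the design under discussion, with the sync-status check being where a problem would surface.

```tmsh
# Added example (not from the original post). Hostnames and group names are
# placeholders; run on APM1 after all three devices are in one trust domain.

# 1. HA pair in the main datacenter: full config sync plus failover.
create cm device-group main-dc-ha type sync-failover devices add { apm1.main.example apm2.main.example } network-failover enabled auto-sync enabled

# 2. Sync-only group from APM1 to the DR unit (configuration only, no failover).
#    This is the cross-datacenter relationship the post says support does not back.
create cm device-group dr-sync type sync-only devices add { apm1.main.example apm3.dr.example } auto-sync enabled

# 3. Push the configuration and confirm each group reports "In Sync".
run cm config-sync to-group main-dc-ha
run cm config-sync to-group dr-sync
show cm sync-status

# 4. Fallback the post mentions: export a single configuration file (SCF)
#    from the main unit, to be reviewed and loaded on the DR unit manually.
save sys config file apm-main.scf
```

One caveat worth checking before relying on this: a folder (including /Common, where APM policies usually live) can be assigned to only one device group, so objects synchronized by the sync-failover pair are not automatically carried by a second, sync-only group to DR. `show cm sync-status` after the config-sync runs is the quickest way to see which group actually holds the objects you expect.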