
Hey community,

I'm evaluating High Availability (HA) scenarios for Google SecOps. Specifically, I'm exploring the following points:

Chronicle Forwarders: Is it feasible to have two forwarders configured for automatic failover without a load balancer, or is a load balancer (VIP + health checks) mandatory?

BindPlane Collectors: Given this emerging technology, what's the optimal practice? Can we reliably set them up as active/active, relying on Google's internal deduplication? Is there a better recommended approach?

Our team understands the theory, but we haven't validated this practically yet. I'd appreciate any experiences, lessons learned, or recommendations on the best practices for achieving optimal HA.

Thanks in advance!
 

Hi @pablo_vallejo,

For Chronicle Forwarders, best practice is to use a load balancer (VIP + health checks) for clean failover. Running two forwarders without it can cause duplicates or missed data unless carefully controlled.

For BindPlane Collectors, active/active is supported, and Google handles deduplication. Just ensure consistent tagging and source IDs.

In both cases, test failover and monitor ingestion logs to validate HA.

