
Forum for HA and Autoscaling UTM deployments @ AWS?

I feel like it would be beneficial to have a separate sub-forum specifically for discussing UTM deployments in the AWS environment, particularly for those of us working on getting the HA and/or Autoscaling implementations to work properly. While the webpage here (www.sophos.com/aws) seems to suggest that AWS integration is a widely used and perfectly tuned feature of the UTM, those of us who have been tinkering around with it know that Sophos still has a ways to go in ramping up their own internal expertise and supporting documentation for this use-case. All the more reason for easy channels for collaboration among the community.

At the very least, I'd love to hear from anyone else out there who's currently working with the HA implementation. I'm alternately impressed and frustrated with it thus far :) but I think it could be a truly amazing product with a bit more fine-tuning, and I think strong community involvement is going to be the driving force to make that happen.



  • Hi, any update on this? I'm interested in this feature on AWS.


    thanks

    P.

  • I've been trying this for a few weeks as well.


    Apparently, the firmware upgrade within UTM does not do anything for HA/Autoscaling. It's basically a UTM software patch (e.g. a Windows security patch vs. a Windows Service Pack). What has to happen is that you have to download an entirely new AMI version (9.4x) from the AWS Marketplace and reconfigure the new instance from scratch, or use a backup to reload your configuration. It kind of sucks because it requires more work than just a simple upgrade.


    Sophos is really behind on their content on this matter. Their template is pointing to the wrong AMI version (9.3x), so you have to manually change that first, and their instructions are wrong as well.

  • Hi LeoKim,

    Thanks for your feedback. We're still working out some kinks with our conversion utility, but once finished you shouldn't have to reconfigure the new instance from scratch. We're also creating a process that will automatically update all our CloudFormation templates so you have the most recent AMIs.

    I'd be interested in hearing your feedback so we can create a better product and process for our customers. If you can, please reach out to aws.marketplace@sophos.com to schedule some time with me.

    Thanks again.

    Rich Vorwaller

    Product Manager, Sophos IaaS

  • So yesterday I finally upgraded one of our UTMs to the newest 9.407-3 version.  I thought I would investigate this conversion utility further since the last time I looked at it was July (see above in this thread).   One would logically think that if including it prematurely before was a mistake (again, see earlier in this thread), if they hadn't removed it in the intervening versions then presumably they fixed/finished the functionality.

    Nope :(


    Unexpected error in aws_convert_to_deployment: No such file or directory at /usr/local/ap510/site/lib/IPC/Run3.pm line 426.


    To me, that just seems sloppy and unprofessional to not only have a much touted feature fail, but fail in such an ugly way.  So I opened a support case and was told:

    "There will be an upcoming release to address the below source for the error message.  
    Other alternatives are deploy using a Cloud formation template for either a HA or AS configuration. "


    So basically, despite the fancy UI, this feature is still completely unusable and the only option is to hack around with CF templates and try to get something working that way... last I checked though, the CF templates provided created a whole new VPC (https://community.sophos.com/kb/en-US/122742) so that's not really much of an option for dealing with an existing environment that you want to upgrade.

    If this were a free piece of software created by volunteers then I could understand this, but how does a supposedly "Enterprise" piece of commercial software get released with such a glaring flaw?

  • Hi lprikockis,

    Thanks for your feedback. I completely understand your frustration. As we mentioned in a previous post, the UI utility was released prematurely. To remove it would have caused some additional problems for the release, so we decided to leave it in with the message that it was not yet available. However, no excuses. We want to provide a better experience for our customers, and appreciate your points. We're working on getting this fixed in our next release.

    Can you email us your support case ID? I'd like to review the case and possibly your logs to make sure our next release will indeed address the problem you reported. Please reach out to aws.marketplace@sophos.com.

    Thanks again.

    Rich Vorwaller

    Product Manager, Sophos IaaS

  • RichVorwaller said:

    To remove it would have caused some additional problems for the release, so we decided to leave it in with the message that it was not yet available.

    I can understand the difficulty of backing out the change completely, but I certainly didn't see any "message that it was not yet available". Couldn't some note to that effect be added to the text on that screen so that at least there was no expectation that it would work?

  • RichVorwaller,

    I just tried HA (warm) standby and I get the following precheck error.

    Thank You


    Vitale Mazo


    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Houston, I think we have lift-off. After retrying, waiting 5 min and recreating the IAM roles, I think we have a conversion.

    Thank You

    Vitale Mazo

  • No, the conversion failed and is rolling back. Who can call me at 718-790-1150 and help me with this?

    Thank You

    Vitale Mazo

  • AWS stack error


    Events
    2017-01-07 Status Type Logical ID Status reason
      00:11:32 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::RouteTable RouteTable  
      00:11:30 UTC-0500 DELETE_COMPLETE AWS::EC2::Subnet Subnet2  
      00:11:29 UTC-0500 DELETE_COMPLETE AWS::EC2::Subnet Subnet1  
      00:11:29 UTC-0500 DELETE_COMPLETE AWS::EC2::Route Route  
      00:11:17 UTC-0500 DELETE_COMPLETE AWS::IAM::Role UTMRole  
      00:11:16 UTC-0500 DELETE_IN_PROGRESS AWS::IAM::Role UTMRole  
      00:11:15 UTC-0500 DELETE_COMPLETE AWS::EC2::SecurityGroup UntrustedGroup  
      00:11:15 UTC-0500 DELETE_COMPLETE AWS::EC2::SecurityGroup UTMSecurityGroup  
      00:11:15 UTC-0500 DELETE_COMPLETE AWS::EC2::SecurityGroup TrustedNetworkGroup  
      00:11:14 UTC-0500 DELETE_COMPLETE AWS::IAM::InstanceProfile UTMInstanceProfile  
      00:11:14 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::Subnet Subnet1  
      00:11:13 UTC-0500 DELETE_FAILED AWS::SNS::Topic UnhealthyTopic User: arn:aws:iam::525021013121:user/Sophos is not authorized to perform: SNS:DeleteTopic on resource: arn:aws:sns:us-east-1:525021013121:sophosHaWarm-UnhealthyTopic-QPUZOQHRU0JT
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::Route Route  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::SecurityGroup UTMSecurityGroup  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::Subnet Subnet2  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::IAM::InstanceProfile UTMInstanceProfile  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::SecurityGroup TrustedNetworkGroup  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::SNS::Topic UnhealthyTopic  
      00:11:13 UTC-0500 DELETE_IN_PROGRESS AWS::EC2::SecurityGroup UntrustedGroup  
      00:10:52 UTC-0500 ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack sophosHaWarm The following resource(s) failed to create: [Subnet1, UnhealthyTopic, UTMSecurityGroup, UntrustedGroup, Route, UTMInstanceProfile, TrustedNetworkGroup, Subnet2]. . Rollback requested by user.
      00:10:50 UTC-0500 CREATE_FAILED AWS::EC2::SecurityGroup UntrustedGroup Resource creation cancelled
      00:10:49 UTC-0500 CREATE_FAILED AWS::EC2::SecurityGroup TrustedNetworkGroup Resource creation cancelled
      00:10:49 UTC-0500 CREATE_FAILED AWS::EC2::SecurityGroup UTMSecurityGroup Resource creation cancelled
      00:10:47 UTC-0500 CREATE_FAILED AWS::EC2::Subnet Subnet2 Resource creation cancelled
      00:10:47 UTC-0500 CREATE_FAILED AWS::IAM::InstanceProfile UTMInstanceProfile Resource creation cancelled
      00:10:47 UTC-0500 CREATE_FAILED AWS::EC2::Subnet Subnet1 Resource creation cancelled
      00:10:47 UTC-0500 CREATE_FAILED AWS::EC2::Route Route Resource creation cancelled
      00:10:46 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::InstanceProfile UTMInstanceProfile Resource creation Initiated
      00:10:46 UTC-0500 CREATE_FAILED AWS::SNS::Topic UnhealthyTopic User: arn:aws:iam::525021013121:user/Sophos is not authorized to perform: SNS:GetTopicAttributes on resource: arn:aws:sns:us-east-1:525021013121:sophosHaWarm-UnhealthyTopic-QPUZOQHRU0JT
      00:10:46 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::InstanceProfile UTMInstanceProfile  
      00:10:41 UTC-0500 CREATE_COMPLETE AWS::IAM::Role UTMRole  
      00:10:40 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Route Route Resource creation Initiated
      00:10:39 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Route Route  
      00:10:35 UTC-0500 CREATE_COMPLETE AWS::EC2::RouteTable RouteTable  
      00:10:35 UTC-0500 CREATE_IN_PROGRESS AWS::SNS::Topic UnhealthyTopic Resource creation Initiated
      00:10:35 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet2 Resource creation Initiated
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet1 Resource creation Initiated
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable Resource creation Initiated
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::SNS::Topic UnhealthyTopic  
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet2  
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UntrustedGroup  
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable  
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet1  
      00:10:34 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::Role UTMRole Resource creation Initiated
      00:10:33 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup TrustedNetworkGroup  
      00:10:33 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UTMSecurityGroup  
      00:10:33 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::Role UTMRole  
      00:10:28 UTC-0500 CREATE_IN_PROGRESS AWS::CloudFormation::Stack sophosHaWarm User Initiated

    Thank You

    Vitale Mazo

  • My username and access key policy for the AWS Sophos user is below. It has SNS in it, so why is it failing?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudformation:CreateStack"
                ],
                "Resource": "*",
                "Condition": {
                    "ForAllValues:StringLike": {
                        "cloudformation:TemplateUrl": [
                            "https://s3.amazonaws.com/sophos-nsg-cf/*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Create*",
                    "ec2:Describe*",
                    "ec2:AuthorizeSecurityGroup*",
                    "ec2:AllocateAddress",
                    "ec2:AssociateRouteTable",
                    "ec2:ReplaceNetworkAclAssociation",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:TerminateInstances",
                    "cloudformation:Describe*",
                    "cloudwatch:PutMetricAlarm",
                    "autoscaling:Create*",
                    "autoscaling:Describe*",
                    "autoscaling:PutScalingPolicy",
                    "autoscaling:PutNotificationConfiguration",
                    "autoscaling:UpdateAutoScalingGroup",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                    "elasticloadbalancing:ConfigureHealthCheck",
                    "iam:CreateRole",
                    "iam:PutRolePolicy",
                    "iam:CreateInstanceProfile",
                    "iam:AddRoleToInstanceProfile",
                    "iam:PassRole",
                    "sns:CreateTopic",
                    "sns:ListTopics",
                    "sns:Subscribe",
                    "s3:CreateBucket",
                    "s3:Get*",
                    "s3:Delete*",
                    "s3:List*",
                    "s3:PutObject"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Delete*",
                    "ec2:DisassociateRouteTable",
                    "ec2:releaseAddress",
                    "autoscaling:Delete*",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:Delete*"
                ],
                "Resource": "*"
            }
        ]
    }

    Thank You

    Vitale Mazo

  • I added some more SNS actions:


                    "sns:CreateTopic",
                    "sns:Publish",
                    "sns:ListTopics",
                    "sns:Subscribe",
                    "sns:CreateTopic",
                    "sns:GetTopicAttributes",
                    "sns:ListSubscriptionsByTopic",

    Thank You

    Vitale Mazo
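The two posts above show the pattern that caused the rollback: CloudFormation reported "is not authorized to perform: SNS:GetTopicAttributes" and "SNS:DeleteTopic", while the policy only granted sns:CreateTopic, sns:ListTopics and sns:Subscribe. As an added example (not from the thread, from Sophos, or from AWS), here is a small Python check that pulls the denied actions out of stack event text and compares them with a policy's Allow list, using IAM's case-insensitive, `*`-wildcard action matching, so that only the specific missing actions get added rather than a blanket sns:*. The event lines and the trimmed policy are constructed from the values posted in this thread; the check looks only at action names and ignores Resource and Condition constraints.

```python
import copy
import re

# Constructed sample: two status reasons copied from the stack events posted
# above, plus one normal line, so the parser has something to skip.
EVENTS = """\
00:11:13 UTC-0500 DELETE_FAILED AWS::SNS::Topic UnhealthyTopic User: arn:aws:iam::525021013121:user/Sophos is not authorized to perform: SNS:DeleteTopic on resource: arn:aws:sns:us-east-1:525021013121:sophosHaWarm-UnhealthyTopic-QPUZOQHRU0JT
00:10:46 UTC-0500 CREATE_FAILED AWS::SNS::Topic UnhealthyTopic User: arn:aws:iam::525021013121:user/Sophos is not authorized to perform: SNS:GetTopicAttributes on resource: arn:aws:sns:us-east-1:525021013121:sophosHaWarm-UnhealthyTopic-QPUZOQHRU0JT
00:10:41 UTC-0500 CREATE_COMPLETE AWS::IAM::Role UTMRole
"""

# Trimmed copy of the posted policy: only the action patterns needed here.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Create*", "ec2:Describe*", "iam:CreateRole",
                    "sns:CreateTopic", "sns:ListTopics", "sns:Subscribe"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Delete*", "ec2:releaseAddress", "iam:Delete*"]},
    ],
}

DENIED_RE = re.compile(r"is not authorized to perform: (\S+)")


def denied_actions(events):
    """Unique actions named in 'is not authorized to perform' reasons."""
    return sorted({m.group(1) for m in DENIED_RE.finditer(events)}, key=str.lower)


def action_pattern(pattern):
    """IAM compares action names case-insensitively; '*' matches any run."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def statements(policy, effect):
    """Action patterns from every statement with the given Effect."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def is_allowed(action, policy):
    """An explicit Deny wins; otherwise some Allow pattern must match."""
    if any(action_pattern(p).match(action) for p in statements(policy, "Deny")):
        return False
    return any(action_pattern(p).match(action) for p in statements(policy, "Allow"))


def missing_actions(policy, events):
    """Denied actions that the policy would still not permit."""
    return [a for a in denied_actions(events) if not is_allowed(a, policy)]


def with_actions(policy, extra):
    """Return a copy of the policy with the extra actions appended to the
    first Allow statement; the original is left untouched."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = list(stmt["Action"]) + list(extra)
            break
    return fixed


if __name__ == "__main__":
    gap = missing_actions(POLICY, EVENTS)
    print("actions to add:", gap)
    print("after fix:", missing_actions(with_actions(POLICY, gap), EVENTS))
```

Note that `ec2:releaseAddress` in the posted policy is not a defect: IAM matches action names case-insensitively, which the check reproduces.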

  • The auto scaling is not working. I'm stuck at this point.

    2017-01-07 Status Type Logical ID Status reason
      00:29:38 UTC-0500 CREATE_IN_PROGRESS AWS::AutoScaling::AutoScalingGroup UTMScalingGroup Resource creation Initiated
      Physical ID:sophosHAwarm-UTMScalingGroup-1JU9ZT57300OS
      00:29:37 UTC-0500 CREATE_IN_PROGRESS AWS::AutoScaling::AutoScalingGroup UTMScalingGroup  
      00:29:32 UTC-0500 CREATE_COMPLETE AWS::AutoScaling::LaunchConfiguration UTMLaunchConfiguration  
      00:29:32 UTC-0500 CREATE_IN_PROGRESS AWS::AutoScaling::LaunchConfiguration UTMLaunchConfiguration Resource creation Initiated
      00:29:31 UTC-0500 CREATE_IN_PROGRESS AWS::AutoScaling::LaunchConfiguration UTMLaunchConfiguration  
      00:29:26 UTC-0500 CREATE_COMPLETE AWS::IAM::InstanceProfile UTMInstanceProfile  
      00:27:52 UTC-0500 CREATE_COMPLETE AWS::EC2::SubnetRouteTableAssociation Subnet1RouteTableAssociation  
      00:27:48 UTC-0500 CREATE_COMPLETE AWS::EC2::SubnetRouteTableAssociation Subnet2RouteTableAssociation  
      00:27:37 UTC-0500 CREATE_COMPLETE AWS::EC2::Route Route  
      00:27:36 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SubnetRouteTableAssociation Subnet1RouteTableAssociation Resource creation Initiated
      00:27:34 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SubnetRouteTableAssociation Subnet1RouteTableAssociation  
      00:27:32 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SubnetRouteTableAssociation Subnet2RouteTableAssociation Resource creation Initiated
      00:27:31 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SubnetRouteTableAssociation Subnet2RouteTableAssociation  
      00:27:30 UTC-0500 CREATE_COMPLETE AWS::EC2::SecurityGroup UntrustedGroup  
      00:27:30 UTC-0500 CREATE_COMPLETE AWS::EC2::Subnet Subnet1  
      00:27:28 UTC-0500 CREATE_COMPLETE AWS::EC2::SecurityGroup TrustedNetworkGroup  
      00:27:28 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UntrustedGroup Resource creation Initiated
      00:27:27 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup TrustedNetworkGroup Resource creation Initiated
      00:27:27 UTC-0500 CREATE_COMPLETE AWS::EC2::SecurityGroup UTMSecurityGroup  
      00:27:27 UTC-0500 CREATE_COMPLETE AWS::EC2::Subnet Subnet2  
      00:27:26 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UTMSecurityGroup Resource creation Initiated
      00:27:24 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::InstanceProfile UTMInstanceProfile Resource creation Initiated
      00:27:24 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::InstanceProfile UTMInstanceProfile  
      00:27:23 UTC-0500 CREATE_COMPLETE AWS::SNS::Topic UnhealthyTopic  
      00:27:22 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Route Route Resource creation Initiated
      00:27:21 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Route Route  
      00:27:19 UTC-0500 CREATE_COMPLETE AWS::IAM::Role UTMRole  
      00:27:13 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet1 Resource creation Initiated
      00:27:13 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet1  
      00:27:12 UTC-0500 CREATE_COMPLETE AWS::EC2::RouteTable RouteTable  
      00:27:11 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UntrustedGroup  
      00:27:11 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::Role UTMRole Resource creation Initiated
      00:27:11 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable Resource creation Initiated
      00:27:11 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet2 Resource creation Initiated
      00:27:11 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup UTMSecurityGroup  
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::SNS::Topic UnhealthyTopic Resource creation Initiated
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::IAM::Role UTMRole  
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable  
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::SecurityGroup TrustedNetworkGroup  
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::EC2::Subnet Subnet2  
      00:27:10 UTC-0500 CREATE_IN_PROGRESS AWS::SNS::Topic UnhealthyTopic  
      00:27:04 UTC-0500 CREATE_IN_PROGRESS AWS::CloudFormation::Stack sophosHAwarm User Initiated

    Thank You

    Vitale Mazo


  • The issue was caused by not having an AWS Marketplace license for the secondary HA unit; I went to the Marketplace and added a secondary subscription.

    Thank You

    Vitale Mazo