Welcome to the long awaited beta launch of the "Elastic" firewall! With this launch, we will offer the ability to deploy Sophos UTM in AWS in an autoscaling environment. As the load grows, more firewalls can be dynamically added as needed, to handle it.
A single Queen firewall allows you to configure and report on all firewall nodes from one device. New firewalls are created as needed, and configuration changes made on the queen are replicated to the workers. All configuration, with exceptions for interfaces, and a few other necessarily unique settings, is replicated to all cluster nodes, whenever a change is made on the queen. Logs are returned to the queen, so all logging and reporting is done there, and no reporting work is done on the workers.
While all config is replicated, the system is currently optimized to work with webserver protection. Configuring a virtual server will configure a front-end ELB, which will distribute traffic to the workers in the swarm.
Also, as the master node is the repository for all logs and reports, all data is fully backed up to S3, and the queen will be fully rebuilt, including logs and reports, in the event of failure.
Getting Started:
You'll find the cloudformation template here:
https://s3.amazonaws.com/sophos-nsg-cf/utm/utm-latest-autoscaling.template
We have the AMI available in several regions for the beta:
- ami-876fdeec (us-east-1), default selection in template
- ami-1cb1b601 (eu-central-1)
- ami-03753739 (ap-southeast-2)
These are only BYOL AMIs, but the final marketplace release will support both BYOL and hourly.
One important point about licensing: Autoscaling requires admins be able to up the size of a license dynamically. To this end, BYOL AMIs will use UTM cluster licensing for autoscaling nodes. so if more nodes are needed, then the license size can be increased by admins, through the myutm portal, at any time. This does also put a limit of 10 hosts on BYOL licenses. No such limits will exist on hourly licenses.
Happy Testing!
