This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Forum for HA and Autoscaling UTM deployments @ AWS?

I feel like it would be beneficial to have a separate sub-forum specifically for discussing UTM deployments in the AWS environment.  Particularly for those of us working on getting the HA and/or Autoscaling implementations to work properly.  While the webpage here: www.sophos.com/aws seems to suggest that AWS integration is a widely used and perfectly tuned feature of the UTM, those of us who have been tinkering around with it know that Sophos still has a ways to go in ramping up their own internal expertise and supporting documentation for this use-case.    All the more reason for easy channels for collaboration among the community.

At the very least, I'd love to hear from anyone else out there who's currently working with the HA implementation.  I'm alternately impressed and frustrated with it thus far :)  but I think it could be a truly amazing product with a bit more fine tuning-- and I think strong community involvement is going to be the driving force to make that happen.  



This thread was automatically locked due to age.
Parents
  • hi, any update on this ? im interested in this feature on AWS.

     

    thanks

    P.

  • I've been trying this for few weeks as well.  

     

    Apparently, the firmware upgrade within UTM does not do anything for HA/Autoscaling.  It's basically UTM software patch(eg. Windows security patch vs Windows Service Pack).  What has to happen is that you have to download entirely new AMI version(9.4x) from AWS marketplace and reconfigure the new instance from scratch.  or use backup to reload your configurations.  Which it kind of sucks because, it requires more work than just simple upgrade.  

     

    Sophos is really behind on their contents on this matter.  Their template is pointing to the wrong AMI version(9.3x) so you have to manually change that first and their instructions is wrong as well.  

  • Hi Vitale,

    Over the weekend, AWS published our latest UTM 9.408 release, which had a fix for the conversion utility. However, this morning our dev team confirmed certain scenarios where the conversion utility may convert PAYG AMIs to BYOL AMIs. Based on that, we pulled the conversion templates to prevent any customers from unintentionally converting over to BYOL. We're working on a fix and will update the forum once it goes live. Apologies for any inconveniences. Release notes are pasted below for reference.

    Thanks.

    community.sophos.com/.../sophos-utm-9-408-on-aws-release-notes

  • Do you know the time line and the Aws markets place AMI number that will be released in the upcoming days ?

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi guys

     

    Interesting reading. In the same situation here also. Unable to build a warm standby instance. Assume by reading this it is known about and we can expect something soon, tho a little concerning for an enterprise product what has happend in this thread. Not to worry, I do have faith in this, and believe once stable it will be a great product.

    Please update us once you have an ETA of a finished product as such. I am assuming that the EIP can be moved between each instance (between primary and standby) if an instance fails - could someone please confirm that. And what would you recommend in terms of placing these instances in a cluster across 2 Availability Zones, or building a cluster in each AZ ? 

    Thanks

  • Hi Zak,

    Thanks for looking at the UTM on AWS and appreciate you reaching out. Note that the most recent comments are around a new feature we've put in place that allows a customer to go from an already deployed stand alone/single UTM instance, to either a High Availability or Auto Scaling cluster of UTM's. You can currently simply use the existing CloudFormation template to install a new VPC and the HA pair of UTM's as discussed in the below linked KB which also has the CFT links. Also below is a link to our Github repo that we're populating with new CFT's and info, and also a link to our Auto Scaling Guide in case you have any questions about that. Let us know if you have anymore questions or need assistance with anything.

    I am assuming that the EIP can be moved between each instance (between primary and standby) if an instance fails - could someone please confirm that. Confirmed. The EIP is assigned to the active UTM instance and will be migrated to the passive UTM as part of the failover process. 

    And what would you recommend in terms of placing these instances in a cluster across 2 Availability Zones, or building a cluster in each AZ ? The linked CFT will deploy the UTM's into different Availability Zones per AWS Best Practice guidance. The UTM's also are monitored by AWS services such as CloudWatch and part of an Auto Scaling group, so if there is an issue with their health or the AZ, they'll be recreated automatically. The KB has some more info on the design.

    High Availability KB

    https://community.sophos.com/kb/hu-hu/122202

    Github repo

    https://github.com/sophos-iaas/aws-cf-templates

    UTM on AWS Auto Scaling Guide

    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosUTMAWS.pdf

    Bill

     

  • Zak,

     

    Bill is correct in the above statement. This thread is specifically to address and understand how long current customers on the latest Sophos UTM 9  version 9.408-4  on a AWS with a live production VPC environment have to wait before the  HA deployment feature within the GUI works. This thread is for sophos to report on ETA's report current firmware that address the issue and  issues with HA configurations, I would visit other threads that already answer and address concerns of EIP's and how they move between AWS AZ's.

     

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Any update on the HA release I will have to use cisco or fortnet for my AWS solution if we can not make the HA conversion work. Please let us know timeline ?

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi Vitale,

    We're looking to fix this in 9.409, which is scheduled for the week of December 26. We'll keep you posted when we publish.

    Thanks.

  • Rich thank you for the update will this address the HA GUI deployment

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi Vitale,

    You're welcome. We just pushed 9.409 to the AWS Marketplace today. It will probably take AWS a couple of days to scan the AMIs and publish them. We'll let you know when we hear a date. Once 9.409 is published, the conversion utility for HA should work. We'll follow up in January with a 9.10 release that will support the conversion utility for Auto Scaling.

    Let me know if you have any questions. Thanks.

  • Thank you for the update I went ahead and upgraded the existing firewall, to version  9409 as you can see in my screen shot below but I was unable to complete the HA setup still. Is there a reson why I cant deploy HA after the upgrade? Do i really need to launch a brand new instance from AWS market place first? If so which instance do I need Launch.

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

Reply
  • Thank you for the update I went ahead and upgraded the existing firewall, to version  9409 as you can see in my screen shot below but I was unable to complete the HA setup still. Is there a reson why I cant deploy HA after the upgrade? Do i really need to launch a brand new instance from AWS market place first? If so which instance do I need Launch.

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

Children
  • Thanks Vitale,

    There are two ways customers can update Sophos UTM on AWS. One way is via up2date, which I believe is the method you used. This update path is only available for our Stand Alone (Single AMI) release and uses the normal update process for all UTMs.

    Because our Auto Scaling and HA releases uses multiple AMIs, these releases don't update via up2date. Instead we've built a process called Cloud Update which uses CloudFormation stack updates to update the different AMIs. The conversion utility also uses CloudFormation stack updates as the process converts a Single AMI to multiple AMIs (depending on the option you choose). This means that the conversion utility won't work until (1) AWS publishes the latest AMI in the AWS Marketplace, and (2) we've updated our CloudFormation templates with the new AMI IDs (which AWS gives us).

    docs.aws.amazon.com/.../using-cfn-updating-stacks.html

    Again, we just pushed 9.409 to the AWS Marketplace yesterday. It usually takes AWS a couple of days to scan and publish them, with the holidays it may take a bit more. As soon as AWS comes back with the new AMI IDs, we'll update our templates and then the conversion utility should work. We'll let you know when we hear back from AWS.

    Hope that makes sense. If not, ping us via aws.maketplace@sophos.com and we can arrange a call.

    Thanks.