
Forum for HA and Autoscaling UTM deployments @ AWS?

I feel like it would be beneficial to have a separate sub-forum specifically for discussing UTM deployments in the AWS environment, particularly for those of us working on getting the HA and/or Autoscaling implementations to work properly. While the webpage here: www.sophos.com/aws seems to suggest that AWS integration is a widely used and perfectly tuned feature of the UTM, those of us who have been tinkering around with it know that Sophos still has a ways to go in ramping up their own internal expertise and supporting documentation for this use case. All the more reason for easy channels for collaboration among the community.

At the very least, I'd love to hear from anyone else out there who's currently working with the HA implementation. I'm alternately impressed and frustrated with it thus far :) but I think it could be a truly amazing product with a bit more fine-tuning, and I think strong community involvement is going to be the driving force to make that happen.

  • Dear lprikockis:

    I totally agree with your overview of Sophos UTM HA within AWS and that it's going to take a lot of community collaboration to make this a great implementation solution for AWS. I used the CloudFormation stack and have deployed the Sophos UTM HA within its own new VPC with a warm standby in a second availability zone. I have two separate VPCs, which contain Linux EC2 instances in one and Windows EC2 instances in the other. I have been able to create a peering connection to the Linux VPC and can ping hosts in that VPC. What I am stuck on is how to route all the traffic from the two other VPCs using peering through the Sophos UTM using only one EIP. I believe it involves some special routing tables and security groups within AWS, but I haven't figured it out yet. Also, I want to have two VPN tunnels defined as well. I am new to using Sophos UTM, but am eager to learn all I can.

    Any assistance is highly appreciated,

    Thanks,

    Scott Spangler

  • Hi Scott,

    As you may be aware, AWS doesn't allow transitive routing across VPCs, even with a peering connection. One option you could consider to overcome this is the Outbound Gateway (OGW) component of the Auto-Scaling UTM deployment (a different deployment type than the HA deployment, but also deployed via CloudFormation). The OGW is a Sophos-developed, Linux-based instance, which forms a GRE tunnel with the Worker UTMs in an auto-scaling deployment - this can go across a peering connection. The OGW is then configured as the target in your peered VPC client subnet's route table, to reach the Internet. However, this does require additional instances, and UTM costs, as you would need a Controller UTM, two or more Workers (1+ per AZ), and one or more OGW instances. The Quick Start Guide for the UTM on AWS contains a description of the Auto-scaling deployment - https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosUTMAWS.pdf?la=en. It is also possible to obtain a HA UTM CloudFormation template that deploys into an existing VPC rather than creating a new one - this may be another option, but if you have two VPCs, one for Windows and one for Linux, then you would probably need two separate HA deployments.

    Regards,

    Peter

  • Hi Peter,

    Thanks for bringing the transitive peering problem to my attention. What I did on Friday night was roll back and delete the HA-UTM CloudFormation stack. Then I performed a standalone UTM install within my Linux VPC, which allowed me to create a second network interface with a static private IP when building the instance, to use as an internal (inside) interface for the UTM instance. My UTM, subnets and routing tables are all assigned to the same AZ. I have been able to configure a masquerade and some NAT rules. I am then able to ssh to each of the Linux hosts through the UTM outside interface EIP, using a different high port number for each host. I can also monitor the firewall log and see that it's functioning correctly.

    Now the next question: would it be best just to spin up another standalone UTM instance within the Windows VPC and establish the two VPN connections from the Windows VPC? I have realized that the HA-UTM model is fairly new and hasn't been used extensively yet, from what I have been reading in this forum. Also, would it be possible to create a peering connection between just the Linux VPC and the Windows VPC, in case there was a reason in the future that communication was needed between the Windows EC2 instances and the Linux EC2 instances?

    Maybe the below scenario would work. VPC A would be my Windows VPC with two VPN connections and VPC B would be my Linux VPC. Each VPC would contain its own Sophos UTM standalone instance.

    Example: Edge to Edge Routing Through a VPN Connection or an AWS Direct Connect Connection

    You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb). VPC A also has a VPN connection or an AWS Direct Connect connection to a corporate network. Edge to edge routing is not supported; you cannot use VPC A to extend the peering relationship to exist between VPC B and the corporate network. For example, traffic from the corporate network can't directly access VPC B by using the VPN connection or the AWS Direct Connect connection to VPC A.

    From a cost perspective, it will be lower cost using the standalone model; however, with the UTM instance, subnets and routing tables all in the same AZ, possibly I can come up with a recovery scenario or in the future move to the HA-UTM model.

    Any additional help and suggestions are highly appreciated,

    Thanks,

    Scott Spangler

    DevOps Engineer
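
As an added illustration (not code from this thread, from Sophos, or from AWS) of the two points above, Peter's "peering is not transitive" explanation and the edge-to-edge routing example Scott quotes from the AWS documentation, here is a small Python model of how AWS evaluates route tables. It assumes a constructed topology: VPC A (10.0.0.0/16) holds the UTM and an internet gateway, VPC B (10.1.0.0/16) is peered to it as `pcx-ab`, and an OGW-style instance in VPC B wraps client traffic in GRE addressed to the UTM's private address, which is the trick Peter describes. All VPC, subnet and instance names, CIDRs and addresses are invented for the example. The rules modelled are that the implicit local route wins, that a peering connection only delivers packets whose destination lies inside the peer VPC's CIDR, and that an instance only forwards for others when its source/destination check is disabled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Vpc:
    name: str
    cidr: str

@dataclass
class Subnet:
    name: str
    vpc: str
    routes: list = field(default_factory=list)  # (cidr, target); the VPC-local route is implicit

@dataclass
class Instance:
    name: str
    subnet: str
    ip: str
    forwards: bool = False            # source/dest check disabled: may route for other hosts
    tunnel_to: Optional[str] = None   # OGW role: GRE-encapsulate forwarded traffic to this IP
    tunnel_endpoint: bool = False     # UTM role: accepts GRE and routes the inner packet

@dataclass
class Topology:
    vpcs: dict
    subnets: dict
    instances: dict   # keyed by route-target name, e.g. "i-utm"
    peerings: dict    # "pcx-..." -> (vpc name, vpc name)

    def instance_at(self, ip):
        return next((i for i in self.instances.values() if i.ip == ip), None)

def lookup(sub, vpc, dst):
    """Route-table evaluation: implicit local route first, then longest prefix match."""
    addr = ipaddress.ip_address(dst)
    if addr in ipaddress.ip_network(vpc.cidr):
        return "local"
    best = None
    for cidr, target in sub.routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(topo, src_subnet, dst, max_hops=12):
    """Follow a packet from src_subnet towards dst; returns (hops, verdict)."""
    sub = topo.subnets[src_subnet]
    outer, inner = dst, None          # inner is set while the packet is GRE-encapsulated
    hops = []
    for _ in range(max_hops):
        vpc = topo.vpcs[sub.vpc]
        target = lookup(sub, vpc, outer)
        hops.append(f"{sub.name}: {outer} -> {target}")
        if target is None:
            return hops, "dropped: no route"
        if target == "igw":
            return hops, "internet"
        if target.startswith("pcx-"):
            a, b = topo.peerings[target]
            vpc = topo.vpcs[b if a == vpc.name else a]
            # A peering delivers only into the peer VPC's own CIDR: no edge-to-edge use of its IGW/VPN
            if ipaddress.ip_address(outer) not in ipaddress.ip_network(vpc.cidr):
                return hops, f"dropped: {target} only reaches {vpc.cidr} (peering is not transitive)"
            target = "local"
        if target == "local":
            inst = topo.instance_at(outer)
            if inst is None:
                return hops, f"delivered to {outer} in {vpc.name}"
            if inner is not None and inst.tunnel_endpoint:   # UTM unwraps GRE and keeps routing
                outer, inner = inner, None
                hops.append(f"{inst.name}: GRE decap, routing {outer}")
                sub = topo.subnets[inst.subnet]
                continue
            return hops, f"delivered to {inst.name}"
        nh = topo.instances[target]       # otherwise the target is an instance ENI in this VPC
        if not nh.forwards:
            return hops, f"dropped: {nh.name} has source/dest check enabled"
        if nh.tunnel_to:                  # OGW: wrap in GRE, outer destination is the tunnel peer
            inner, outer = outer, nh.tunnel_to
            hops.append(f"{nh.name}: GRE encap, outer dst {outer}")
        sub = topo.subnets[nh.subnet]
    return hops, "dropped: hop limit exceeded"

def build_example():
    """Constructed topology: VPC A holds the UTM and an IGW, VPC B is peered to it via pcx-ab."""
    vpcs = {"A": Vpc("A", "10.0.0.0/16"), "B": Vpc("B", "10.1.0.0/16")}
    subnets = {
        "A-public":  Subnet("A-public", "A", [("0.0.0.0/0", "igw"), ("10.1.0.0/16", "pcx-ab")]),
        "A-private": Subnet("A-private", "A", [("0.0.0.0/0", "i-utm"), ("10.1.0.0/16", "pcx-ab")]),
        "B-naive":   Subnet("B-naive", "B", [("0.0.0.0/0", "pcx-ab"), ("192.168.0.0/16", "pcx-ab")]),
        "B-client":  Subnet("B-client", "B", [("0.0.0.0/0", "i-ogw"), ("10.0.0.0/16", "pcx-ab")]),
        "B-ogw":     Subnet("B-ogw", "B", [("10.0.0.0/16", "pcx-ab")]),
    }
    instances = {
        "i-utm": Instance("i-utm", "A-public", "10.0.1.10", forwards=True, tunnel_endpoint=True),
        "i-ogw": Instance("i-ogw", "B-ogw", "10.1.2.10", forwards=True, tunnel_to="10.0.1.10"),
        "i-web": Instance("i-web", "A-private", "10.0.2.20"),
    }
    return Topology(vpcs, subnets, instances, {"pcx-ab": ("A", "B")})
```

Calling `trace(build_example(), "B-naive", "8.8.8.8")` reproduces the failure both posts describe: the default route points at the peering, the destination is outside VPC A's CIDR, and the packet is dropped; the same happens for a corporate 192.168.0.0/16 prefix that only VPC A's VPN knows about. `trace(build_example(), "B-client", "8.8.8.8")` instead shows the OGW hop encapsulating the packet in GRE whose outer destination is the UTM's private IP, which is inside VPC A's CIDR and so crosses the peering, after which the UTM unwraps it and sends it out its own IGW. In a real deployment the same two instance-level requirements apply that the model encodes: source/destination checking must be disabled on any instance that forwards for others, and the security groups on both tunnel ends must permit GRE (IP protocol 47) between them.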

  • Hi Scott,

    Yes, your approach should be OK, running two separate UTMs, and yes, it is lower in cost than the Auto-scaling deployment. You would need to administer them separately; however, we also have a free product called Sophos UTM Manager on the Marketplace which could help with this (you do still need to pay EC2 costs). You could still use the HA architecture, say with Cold Standby, so that you are not paying for additional instances. We have had this type of deployment for about two years now, and are finding more customers are starting to look at it. The ability to convert from a standalone to a HA deployment from within the UTM is relatively new, however. With Cold Standby, you only have a primary UTM running, and should it fail, a new UTM instance will be launched automatically in a different AZ, so the cost should be almost identical to a standalone deployment. The EIP is then associated with the new UTM instance. The failover process generally takes about 7-8 minutes. Also, UTM configuration is stored in an S3 bucket, so when the new one launches, it will download the config file from the S3 bucket, and so your configuration is retained.

    You can use the Remote Access feature to create an IPsec VPN into your servers, or a site-to-site VPN between your on-premises network and the VPC(s). You can also create a site-to-site VPN between the two UTMs, although a peering connection between your Windows VPC and Linux VPC would allow the instances to communicate with one another, provided the route tables are configured appropriately.

    Hope this helps.

    Regards,

    Peter