Forum for HA and Autoscaling UTM deployments @ AWS?

Thank you for the update I went ahead and upgraded the existing firewall, to version  9409 as you can see in my screen shot below but I was unable to complete the HA setup still. Is there a reson why I cant deploy HA after the upgrade? Do i really need to launch a brand new instance from AWS market place first? If so which instance do I need Launch.

Thanks Vitale,

There are two ways customers can update Sophos UTM on AWS. One way is via up2date, which I believe is the method you used. This update path is only available for our Stand Alone (Single AMI) release and uses the normal update process for all UTMs.

Because our Auto Scaling and HA releases uses multiple AMIs, these releases don't update via up2date. Instead we've built a process called Cloud Update which uses CloudFormation stack updates to update the different AMIs. The conversion utility also uses CloudFormation stack updates as the process converts a Single AMI to multiple AMIs (depending on the option you choose). This means that the conversion utility won't work until (1) AWS publishes the latest AMI in the AWS Marketplace, and (2) we've updated our CloudFormation templates with the new AMI IDs (which AWS gives us).

docs.aws.amazon.com/.../using-cfn-updating-stacks.html

Again, we just pushed 9.409 to the AWS Marketplace yesterday. It usually takes AWS a couple of days to scan and publish them, with the holidays it may take a bit more. As soon as AWS comes back with the new AMI IDs, we'll update our templates and then the conversion utility should work. We'll let you know when we hear back from AWS.

Hope that makes sense. If not, ping us via aws.maketplace@sophos.com and we can arrange a call.

Thanks.

Hi.  I have been waiting for these AMIs to publish but it seems like it is taking longer than expected.   Do you have any kind of update on when they will be available?  I'm waiting to deploy a new single instance of 9.409 using HVM so that I can prepay for a reserved instance.

Thanks!

Tim

Hi Tim/Vitale,

Apologies for the delay. The AMIs are now available. Let us know what you think. Thanks.

community.sophos.com/.../sophos-utm-9-409-on-aws-release-notes

RichVorwaller

I just tried HA (warm) standby I get the following precheck error.

Huston I think we have lift off after retring and waiting 5 min recreating IAM roles I think we have a conversion.

No the conversion failed and is rolling back who can call me 718-790-1150 and help me with this.

AWS stack error

My username and access key policy for AWS sophos is below it has SNS in it why is it failing

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "cloudformation:TemplateUrl": [
                        "https://s3.amazonaws.com/sophos-nsg-cf/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:AuthorizeSecurityGroup*",
                "ec2:AllocateAddress",
                "ec2:AssociateRouteTable",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:TerminateInstances",
                "cloudformation:Describe*",
                "cloudwatch:PutMetricAlarm",
                "autoscaling:Create*",
                "autoscaling:Describe*",
                "autoscaling:PutScalingPolicy",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:ConfigureHealthCheck",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:PassRole",
                "sns:CreateTopic",
                "sns:ListTopics",
                "sns:Subscribe",
                "s3:CreateBucket",
                "s3:Get*",
                "s3:Delete*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Delete*",
                "ec2:DisassociateRouteTable",
                "ec2:releaseAddress",
                "autoscaling:Delete*",
                "elasticloadbalancing:DeleteLoadBalancer",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:Delete*"
            ],
            "Resource": "*"
        }
    ]
}

I added some more SNS actions.

                "sns:CreateTopic",
                "sns:Publish",
                "sns:ListTopics",
                "sns:Subscribe",
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",