
Forum for HA and Autoscaling UTM deployments @ AWS?

I feel like it would be beneficial to have a separate sub-forum specifically for discussing UTM deployments in the AWS environment.  Particularly for those of us working on getting the HA and/or Autoscaling implementations to work properly.  While the webpage here: www.sophos.com/aws seems to suggest that AWS integration is a widely used and perfectly tuned feature of the UTM, those of us who have been tinkering around with it know that Sophos still has a ways to go in ramping up their own internal expertise and supporting documentation for this use-case.    All the more reason for easy channels for collaboration among the community.

At the very least, I'd love to hear from anyone else out there who's currently working with the HA implementation.  I'm alternately impressed and frustrated with it thus far :)  but I think it could be a truly amazing product with a bit more fine-tuning, and I think strong community involvement is going to be the driving force to make that happen.



Hi Scott,

Yes, your approach should be OK, running two separate UTMs, and yes, it is lower in cost than the Auto-scaling deployment. You would need to administer them separately; however, we also have a free product called Sophos UTM Manager on the Marketplace which could help with this (you do still need to pay EC2 costs). You could still use the HA architecture, say with Cold Standby, so that you are not paying for additional instances. We have had this type of deployment for about two years now, and are finding more customers are starting to look at it. The ability to convert from a standalone to an HA deployment from within the UTM is relatively new, however. With Cold Standby, you only have a primary UTM running, and should it fail, a new UTM instance will be launched automatically in a different AZ, so the cost should be almost identical to a standalone deployment. The EIP is then associated with the new UTM instance. The failover process generally takes about 7-8 minutes. Also, the UTM configuration is stored in an S3 bucket, so when the new one launches, it will download the config file from the S3 bucket, and so your configuration is retained.

You can use the Remote Access feature to create an IPsec VPN into your servers, or a site-to-site VPN between your on-premises network and the VPC(s). You can also create a site-to-site VPN between the two UTMs, although a peering connection between your Windows VPC and Linux VPC would allow the instances to communicate with one another provided the route tables are configured appropriately.

Hope this helps.

Regards,

Peter
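The reply above notes that in the Cold Standby design the replacement UTM pulls its entire configuration from an S3 bucket. That file carries everything the firewall knows (rules, VPN material, admin credentials), so the bucket policy is the control a practitioner should verify before trusting the failover path. The following is an added example, not code from the thread or from Sophos: it inspects a bucket policy document offline and reports Allow statements that expose the bucket beyond the one instance role the UTM is expected to run with, and whether non-TLS access is denied. The bucket name, role ARN and both sample policies are constructed for the demonstration.

```python
import json

# Constructed example values: the bucket and role names are assumptions, not from the thread.
CONFIG_BUCKET = "example-utm-ha-config"
UTM_ROLE_ARN = "arn:aws:iam::123456789012:role/example-utm-instance-role"

# Condition keys that tie a '*' principal to a specific VPC endpoint, account or ARN,
# which is the usual way a wildcard principal is made non-public.
RESTRICTING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalarn",
                    "aws:principalaccount", "aws:sourcearn"}


def _as_list(value):
    """IAM JSON lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the principal identifiers of a statement as plain strings."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, dict):
        out = []
        for ids in principal.values():
            out.extend(_as_list(ids))
        return out
    return _as_list(principal)


def _condition_keys(statement):
    """Lower-cased set of every condition key used anywhere in the statement."""
    keys = set()
    for operator_args in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_args)
    return keys


def _touches_bucket(statement, bucket_arn):
    """True if any Resource entry is the bucket itself or an object in it."""
    return any(r == bucket_arn or r.startswith(bucket_arn + "/")
               for r in _as_list(statement.get("Resource")))


def config_bucket_findings(policy_text, bucket=CONFIG_BUCKET, allowed_role=UTM_ROLE_ARN):
    """List Allow statements that expose the config bucket beyond the UTM role."""
    policy = json.loads(policy_text)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _touches_bucket(st, bucket_arn):
            continue
        principals = _principals(st)
        if "*" in principals and not (_condition_keys(st) & RESTRICTING_KEYS):
            findings.append(f"statement {index}: Allow to principal '*' on the config bucket "
                            "with no restricting condition (bucket is public)")
            continue
        unexpected = sorted(p for p in principals if p != allowed_role)
        if unexpected:
            findings.append(f"statement {index}: config bucket access granted to {unexpected}")
    return findings


def enforces_tls(policy_text, bucket=CONFIG_BUCKET):
    """True if a Deny statement rejects non-TLS requests to the bucket."""
    policy = json.loads(policy_text)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny" or not _touches_bucket(st, bucket_arn):
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        flags = {k.lower(): str(v).lower() for k, v in bool_cond.items()}
        if flags.get("aws:securetransport") == "false":
            return True
    return False


# Constructed sample policies: a world-readable bucket and a locked-down one.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{CONFIG_BUCKET}/*",
    }],
})

LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": UTM_ROLE_ARN},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{CONFIG_BUCKET}/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{CONFIG_BUCKET}",
                         f"arn:aws:s3:::{CONFIG_BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, text in (("public", PUBLIC_POLICY), ("locked down", LOCKED_DOWN_POLICY)):
        print(name, config_bucket_findings(text) or "no findings",
              "TLS enforced" if enforces_tls(text) else "TLS not enforced")
```

The checker treats a `*` principal as public unless the statement pins the caller with a VPC-endpoint, account or ARN condition; a bucket reachable only through a VPC endpoint is the common legitimate use of `*` here. It only reads the bucket policy, so account-level Block Public Access settings and the role's own IAM policy still need to be reviewed separately.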