
Routing all traffic into and out of a VPC

I have been trying to find documentation on how to stand up a UTM instance in a VPC in such a way that all traffic coming in or out passes through it. The vast majority of instances will be in a private subnet fronted by ELBs that are in the public subnet, if that matters. Traffic that stays inside the VPC doesn't need to go through the UTM. We are not setting up a VPN with a VPC endpoint and we aren't doing cross-region. Can anyone help?



  • Hi JC2,

    Sorry for this delayed reply and hopefully our team will get better at continually watching the forums to assist. Below is a guide on our UTM on AWS which discusses how our Auto Scaling implementation works with an AWS Elastic Load Balancer for Inbound traffic, and also discusses our latest release and our new feature called OGW (Outbound Gateway). This adds onto the existing Inbound Auto Scaling support by providing an Outbound Load Balancer to send traffic from clients to UTMs for scanning. Below that is also a link to a more generic guide that talks about the solution in general, and mainly from a single UTM deployment view. Essentially what you want to do is set up your UTM(s) in your public facing VPC, and then use it as the Inbound connection point (via an Elastic IP attached to the UTM, or via an ELB as with Auto Scaling). For Outbound traffic you need to modify your internal client route tables to point to either the UTM ENI (Elastic Network Interface), or use the UTM OGW solution as discussed in the Guide. Note that if you want to just send traffic directly to your UTM ENI, you must change the default settings on the ENI interface for Source/Destination to False.

    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosUTMAWS.pdf

    https://www.sophos.com/en-us/medialibrary/PDFs/other/UTM-on-AWS-FAQ.pdf

    Hope this helps but let us know if you have more questions.

    Bill
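    One way to express the ENI route approach described above as a CloudFormation fragment (an added example, not one of Sophos's own templates): all resource IDs are assumed and passed in as parameters, and the instance type is a placeholder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id
  UtmSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  UtmAmiId:
    Type: AWS::EC2::Image::Id
Resources:
  # ENI the UTM forwards through. SourceDestCheck must be false: with the
  # default (true) EC2 drops forwarded packets, since neither their source
  # nor their destination address belongs to this interface.
  UtmEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnetId
      GroupSet: [!Ref UtmSecurityGroup]
      SourceDestCheck: false
  # UTM instance attached to that ENI (instance type is a placeholder).
  UtmInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref UtmAmiId
      InstanceType: m4.large
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref UtmEni
          DeviceIndex: 0
  # Private subnet route table: 0.0.0.0/0 points at the UTM ENI instead of
  # an Internet Gateway, so all outbound traffic is scanned. Traffic between
  # VPC subnets still matches the implicit "local" route and bypasses the UTM.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref UtmEni
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable
```

    The Elastic IP for the inbound side is omitted; it would be an AWS::EC2::EIP associated with UtmEni. If the UTM instance is replaced, the route's NetworkInterfaceId must be updated, which is the gap the OGW feature mentioned in this thread is meant to cover.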

  • Based on the above documents, does this mean that this UTM LB architecture essentially replaces the UTM-HA configuration that I had previously been working with?  i.e., https://community.sophos.com/kb/hu-hu/122202

    If that previous HA implementation is indeed being abandoned by Sophos, I'd like to know so I can avoid spending any more time getting it to work and concentrate on this new approach.

    thanks

  • No, we don't plan to abandon the HA config noted in that KB link. That provides Active/Passive failover which many customers use. The configuration described in the previously linked documents is for an active/active Auto Scaling setup, and provides a way to balance and failover both inbound and outbound traffic. The main differences between the 2 deployment options are that Active/Passive HA has about a 1 - 6 minute failover time based on the model chosen (Warm or Cold Standby). The HA solution also does not address how to failover outbound route tables via the Sophos supplied CloudFormation templates. This can be done of course, but it's not something we offer a solution for at this time. The Auto Scaling deployment is designed with maximum uptime in mind and utilizes services such as ELB to distribute incoming traffic and handle disruptions. For outbound route failover and distribution we've also designed a feature called OGW as part of that offering. OGW helps ensure that outbound route table entries are updated as needed and so helps with building a more resilient environment.

  • OK, thanks for the clarification. Though the ability to automatically adjust the outbound route tables is a key concern for us (we currently have been playing around with a modified version of the HA CF template that implements routing updates, albeit not 100% reliably) so I should probably take a closer look at the new OGW functionality.

    One further question on that: how far is Sophos from offering a way to launch the Auto Scaling deployment into an existing VPC?

  • Regarding the ability to deploy into existing VPCs... we're just about to release a new version of our UTM software and new CloudFormation templates that will support this. The new UTM version will include a feature which allows you to migrate from a single UTM deployed into a VPC to an HA or Auto Scaling deployment. What the feature does is essentially gather some information and then use the AWS CloudFormation service and our provided templates to build a new HA or AS solution alongside the existing UTM, or as a replacement for the existing UTM. At the same time we release this new functionality we'll also make available the CloudFormation templates used, which will allow anyone to deploy a UTM solution into an existing VPC. We expect that release to be generally available via AWS Marketplace sometime next week.

    By the way, below is an AWS APN blog post with more detailed information in case it's useful in testing the OGW functionality.

    https://aws.amazon.com/blogs/apn/new-security-solution-sophos-outbound-gateway/