How to Deploy Sophos UTM on AWS in AWS VPCs with Cold Standby or Warm Standby High Availability

About AWS HA

High availability (HA) allows you to protect services hosted in AWS with Sophos UTM on AWS while eliminating a single point of failure. Due to the structure of AWS, the standard HA features in Sophos UTM on AWS aren't helpful in this environment. Therefore, we've constructed an HA solution that works specifically within AWS. Two flavors of AWS HA are available: cold standby and warm standby.

Cold Standby

Cold Standby runs only a single instance and stores persistent information in Amazon's S3 storage. In the event of a failure, AWS creates a new instance, restores persistent information, and migrates the attached public IP to the new instance.

Warm Standby

Warm standby works very much like cold standby, but AWS creates a second instance in advance to accelerate the recovery process.

The following diagram provides a more detailed description of the behavior of each:

Flow chart showing the different AWS HA solutions for UTM 9

How to set up HA in AWS

  1. Sign in to AWS Console.

  2. From the Services drop-down, select CloudFormation.

    AWS Services menu showing CloudFormation

  3. Click Create Stack.

    Create stack button

  4. Enter a name for your HA stack, then select Specify an Amazon S3 template URL and enter the template URL of your preferred HA setup:

    • https://s3.amazonaws.com/sophos-nsg-cf/utm/utm-latest-ha_warm_standby.template
    • https://s3.amazonaws.com/sophos-nsg-cf/utm/utm-latest-ha_standalone.template

    Template selection

  5. Click Next.

  6. Fill in the template parameters:

    AdminPassword: Sets the default password for the “admin” account, which you need to sign in to the firewall.

    AMI: Keep the setting autodetect if this option is available.

    AvailabilityZone1&2: Availability zones have a default limit of five subnets. Select two availability zones with room for at least one subnet. Alternatively, request a subnet limit increase from AWS.

    The firewall uses the settings City, Country, Organization, Hostname, and Email only to generate its signing certificate. It also uses Email as the target address for important notifications.

    ExistingElasticIP (optional): Enter an existing Elastic IP to assign to the firewall.

    ExistingS3Bucket (optional): Enter an existing bucket for storage of configuration and logs.

    Keyname: Specify a key name you want to use for shell access to the firewall.

    LicensePool (optional): Specify a license pool.

    LicenseType: Choose whether to install an hourly or BYOL licensed firewall.

    NetworkPrefix: The firewall creates two subnets and uses this /16 definition as the prefix for them.

    TrustedNetwork: Enter the public IP network range you'll connect from if you need remote shell access.

    Stack parameters

    You'll see a prompt to set additional options for your HA stack; these aren't required.

  7. Click Next.

  8. Review the summary and click Create.

    The creation process begins. It'll take several minutes to complete, at which point you should see something like this:

    Stack creation is complete

  9. If the template fails to deploy, it'll result in an error such as this:

    Stack creation has failed

    In this event, be sure to provide full details from the events log to help troubleshoot the cause.

  10. Once the deployment has succeeded, you'll see the UTM on AWS instance running:

    UTM instance is running

    Once it has finished restarting, you can access it at this address: https://<PublicIP>:4444/
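The same stack can be created from the AWS CLI instead of the console. The script below is an added example, not Sophos's own tooling: it checks the parameters described in step 6 (two distinct availability zones, a /16 NetworkPrefix, and a TrustedNetwork that is a specific CIDR rather than 0.0.0.0/0) and passes them to CloudFormation through a mode-0600 parameter file so the admin password never lands on the command line or in shell history. It assumes the warm standby template URL from step 4, that the template's parameter keys are spelled AvailabilityZone1, AvailabilityZone2, NetworkPrefix, TrustedNetwork, KeyName and AdminPassword (not verified against the template), and that the `aws` CLI is installed and configured.

```shell
#!/bin/sh
# Added example, not Sophos's own tooling: check the template parameters from this
# page, then create the HA stack with the AWS CLI. Parameter keys are assumed to
# match the names listed above; they are not verified against the template itself.
set -eu
TEMPLATE_URL="https://s3.amazonaws.com/sophos-nsg-cf/utm/utm-latest-ha_warm_standby.template"

# TrustedNetwork is the range allowed to reach the shell, so require an explicit
# IPv4 CIDR (syntax check only) and refuse the catch-all 0.0.0.0/0.
validate_trusted_network() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  [ "$1" != "0.0.0.0/0" ]
}

# The template carves two subnets out of NetworkPrefix, which must be a /16.
validate_network_prefix() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/16$'
}

# Two distinct zones are needed, or both subnets share one failure domain.
validate_zones() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Write the --parameters document to a mode-0600 file so the admin password never
# appears on the command line or in shell history. Args: FILE KEY=VALUE...
write_parameters_json() {
  out="$1"; shift
  json="["; sep=""
  for kv in "$@"; do
    val=$(printf '%s' "${kv#*=}" | sed 's/\\/\\\\/g; s/"/\\"/g')  # JSON-escape the value
    json="${json}${sep}{\"ParameterKey\":\"${kv%%=*}\",\"ParameterValue\":\"${val}\"}"
    sep=","
  done
  (umask 077; printf '%s]\n' "$json" > "$out")
}

# Usage: create_utm_ha_stack STACK AZ1 AZ2 NETPREFIX TRUSTEDCIDR KEYNAME PASSWORDFILE
create_utm_ha_stack() {
  validate_zones "$2" "$3" || { echo "AvailabilityZone1 and 2 must differ" >&2; return 1; }
  validate_network_prefix "$4" || { echo "NetworkPrefix must be a /16" >&2; return 1; }
  validate_trusted_network "$5" || { echo "TrustedNetwork must be a specific CIDR" >&2; return 1; }
  params=$(mktemp)
  write_parameters_json "$params" "AvailabilityZone1=$2" "AvailabilityZone2=$3" \
    "NetworkPrefix=$4" "TrustedNetwork=$5" "KeyName=$6" "AdminPassword=$(cat "$7")"
  aws cloudformation create-stack --stack-name "$1" \
    --template-url "$TEMPLATE_URL" --parameters "file://$params"
  rm -f "$params"
}
```

After `create-stack` returns, `aws cloudformation describe-stack-events --stack-name STACK` shows the same events log the console displays in step 9 if the deployment fails.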