Conversion Utility
The Conversion feature allows you to convert a single Sophos UTM instance running on Amazon Web Service (AWS) into a more complex setup that offers High Availability (HA) or cluster capabilities. The new setup will be launched in the same Amazon Virtual Private Cloud (VPC) as your currently running instance and will import the current configuration.
Note – The original instance will not be part of the new setup, it will not be used after the conversion has been completed. You can use the instance otherwise or terminate it by enabling Terminate this instance after conversion after the pre-check.
HA/Auto Scaling requires AWS access keys so that Sophos UTM can communicate with the AWS APIs.
You have received your AWS credentials when you created your Amazon Web Service account. The AWS access keys need to provide full access to EC2
, S3, and CloudFormation and are only used during the conversion process. They will not be stored anywhere except on this Sophos UTM instance.
For more information on AWS, see the AWS Documentation.
To convert your instance, proceed as follows:
-
Make the following settings:
AWS access key ID: Enter the AWS access key ID. It is a 20-character alphanumeric sequence.
AWS secret access key: Enter the AWS secret access key. It is a 40-character sequence.
-
Select Amazon deployment type.
HA (Cold Standby): Starts a single Sophos UTM instance and provides an automatic recovery Sophos UTM instance including availability zone failover. The recovery instanced is located in another availability zone and will automatically takeover if the instance in the first availability zone fails.
HA (Warm Standby): Starts two Sophos UTM instances. One inactive and one in passive configuration. This provides faster recovery than Cold Standby but is more expensive due to the additional instance running.
Auto Scaling: Starts an Sophos UTM instance controlling an Auto Scaling cluster of Sophos UTM units. Auto Scaling automatically increases the number of Sophos UTM instances during peak periods (if necessary) and decreases the number of Sophos UTM instances during off-peak times to reduce costs.
Note – For more information on Auto Scaling, see the Auto Scaling Documentation. Auto Scaling currently only supports the Web Application Firewall feature. You need a minimal request policy in AWS for conversion. For more information, see section Minimal Request Policy in AWS.
-
Check for all necessary information.
Click Conversion Pre-Check.
All necessary information will be collected and displayed.
-
Check the collected information.
Make sure all entries are correct before you start the conversion process.
- SSH key name
- Elastic IP
- VPC ID
- Subnets
- Configuration data size
- Size of logfiles
- Size of database
-
Make the following settings:
Availability Zone 1: Select your preferred Availability Zone 1.
Availability Zone 2: Select your preferred Availability Zone 2.
Note – Availability Zone 1 and Availability Zone 2 cannot be the same. If one Availability Zone becomes unstable HA/Auto Scaling continues on the other Availability Zone.
Security Group: Select the Security Group to be used by the conversion stack.
Controller instance type: Instance type of the controller. Change, if required.
Worker instance type: Instance type of the worker. Change, if required.
CloudFormation Stack name: Enter a descriptive name for the CloudFormation Stack.
Copy logfiles: If enabled, logfiles will be copied into the new CloudFormation Stack after the conversion.
Copy database: If enabled, the database will be copied into the new CloudFormation Stack after the conversion.
Terminate this instance after conversion: If enabled, your Sophos UTM instance will be terminated after the conversion.
Caution – The option Terminate this instance after conversion cannot be undone once the conversion is complete. You cannot enable this feature unless you disable the Termination Protection of this instance.
-
Click Convert.
The Sophos UTM instance will be converted into a new CloudFormation Stack. This process can take up to 15 - 20 minutes.
Note – Once the conversion process has started it cannot be stopped from within .
Minimal Request Policy in AWS
For conversion, you need a minimal request policy in AWS. If you click Copy AIM Policy to clipboard on the Conversion tab, you can directly copy the policy text into AWS. Alternatively, you can copy the policy text from here:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringLike": {
"cloudformation:TemplateUrl": [
"https://s3.amazonaws.com/sophos-nsg-cf/*"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:Create*",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroup*",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:ReplaceNetworkAclAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:TerminateInstances",
"cloudformation:Describe*",
"cloudwatch:PutMetricAlarm",
"autoscaling:Create*",
"autoscaling:Describe*",
"autoscaling:PutScalingPolicy",
"autoscaling:PutNotificationConfiguration",
"autoscaling:UpdateAutoScalingGroup",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:ConfigureHealthCheck",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"sns:CreateTopic",
"sns:ListTopics",
"sns:Subscribe",
"s3:CreateBucket",
"s3:Get*",
"s3:Delete*",
"s3:List*",
"s3:PutObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:Delete*",
"ec2:DisassociateRouteTable",
"ec2:releaseAddress",
"autoscaling:Delete*",
"elasticloadbalancing:DeleteLoadBalancer",
"iam:RemoveRoleFromInstanceProfile",
"iam:Delete*"
],
"Resource": "*"
}]
}
Note – For more information on policies in AWS, see the Amazon User Guide.