Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Autoprovision of Rules in AWS

 

 

I have question about how the autoprovision of rules is processed in AWS when an internal lb is tagged. I noticed on the sms and from the cme log that all previously auto generated rules are first deleted then re-added before policy installation. Why is it implemented this way? Wouldn’t there be potential issues when the rulebase becomes very large?  Also, it could potentially cause an outage. I recently encountered a scenario where the connectivity between my sms and gateway was down momentarily; the gateway was still running and functional. The cme service proceeded to remove the rules and push policy. Since the connectivity was down the policy installation failed. However if the connectivity were to be restored before policy push the gateways would receive a policy with no rules.

0 Kudos
3 Replies
Highlighted
Admin
Admin

There could be multiple changes that have happened since the last time the policy was installed and it is far easier to just delete/rewrite the rules versus try to figure out surgically what rules to modify.
Also, what really matters here is the last installed policy as any policy changes made on the management aren't committed to the gateway until a policy install takes place.
A policy with literally no rules should fail policy installation on the verification step.
Unless what you're referring to is a policy with none of the auto-generated rules.
0 Kudos
Highlighted

There are manual rules so the rule base is not completely empty. I do not feel comfortable using the autoprovision service due to this reason. I am planning on creating these rules manually. I noticed that the rules are using Logical Server objects as destinations. Also, I noticed the Server group is set to a dummy group. Can the logical servers be completely configured through smartconsole or is there a configuration needed on the cli?      

0 Kudos
Highlighted
Admin
Admin

Believe you can configure them entirely in SmartConsole.
However, if you don't use the autoprovisioning service, you will have to make manual changes each time there's an autoscale event or a gateway/load balancer is replaced, which does happen from time to time.
Using autoprovisioning in this configuration is highly recommended.
0 Kudos