Autoprovision of Rules in AWS
I have question about how the autoprovision of rules is processed in AWS when an internal lb is tagged. I noticed on the sms and from the cme log that all previously auto generated rules are first deleted then re-added before policy installation. Why is it implemented this way? Wouldn’t there be potential issues when the rulebase becomes very large? Also, it could potentially cause an outage. I recently encountered a scenario where the connectivity between my sms and gateway was down momentarily; the gateway was still running and functional. The cme service proceeded to remove the rules and push policy. Since the connectivity was down the policy installation failed. However if the connectivity were to be restored before policy push the gateways would receive a policy with no rules.
Also, what really matters here is the last installed policy as any policy changes made on the management aren't committed to the gateway until a policy install takes place.
A policy with literally no rules should fail policy installation on the verification step.
Unless what you're referring to is a policy with none of the auto-generated rules.
There are manual rules so the rule base is not completely empty. I do not feel comfortable using the autoprovision service due to this reason. I am planning on creating these rules manually. I noticed that the rules are using Logical Server objects as destinations. Also, I noticed the Server group is set to a dummy group. Can the logical servers be completely configured through smartconsole or is there a configuration needed on the cli?
However, if you don't use the autoprovisioning service, you will have to make manual changes each time there's an autoscale event or a gateway/load balancer is replaced, which does happen from time to time.
Using autoprovisioning in this configuration is highly recommended.