Barracuda CloudGen Firewall

How to Configure Scaling Policies for a CloudGen Firewall Auto Scaling Cluster

Scaling policies are required for the firewall cluster to adjust the capacity in response to changes in demand. Define CloudWatch alarms for the high and low thresholds. Use the custom metrics collected from the firewall cluster or the default EC2 system metrics. Add scaling policies to the Auto Scaling group that trigger a scaling action when the health check is in alarm state. 

Custom Metrics

The firewall publishes the following custom metrics in the Barracuda/CGF namespace:

Custom VPN Metrics
  • Client to Site VPN tunnels        
  • SSL VPN clients
  • Site to Site VPN tunnels up
  • Site to Site VPN tunnels down
Custom System Metrics
  • load
  • Used memory
  • Protected IPs
Custom Firewall Metrics
  • Bytes in
  • Bytes out
  • Bytes total
  • Packets in
  • Packets out
  • Packets total
  • Connections dropped
  • IPS Hits
  • Forwarding Connections new
  • Forwarding Connections total
  • Connections new
  • Connections total
  • Connections blocked
  • Connections failed

Step 1. Create CloudWatch Alarm

Create two CloudWatch alarms, one for the high and one for the low alarm threshold.

  1. Log into the AWS console.
  2. Click Services and select CloudWatch.
  3. In the left menu, expand Alarms and select All alarms.
  4. Click Create alarm.
  5. Click Select metric.
  6. From the Browse Metrics drop-down list, select the Barracuda CloudGen Firewall.
  7. Filter for the Auto Scaling group name.
  8. Select the check box for the metric.
  9. Click Next.
  10. Enter a Name.
  11. Configure the Alarm Threshold:
    • Logic operator – Select >= when defining an alarm to scale out, <= when defining an alarm to scale in.
    • Alarm threshold – Depending on the instance and metric type, enter the threshold. If unsure, use CloudWatch to monitor your cluster under load to determine the correct value to match your workload.
    • Period – Enter the time period the threshold must be exceeded for the alarm to be triggered.
  12. In the Alarms section, click delete to not receive a notification when the alarm is triggered. Alternatively, select an SNS topic that is configured to send notification emails when the alarm is triggered.
  13. From the Period drop-down list, select the number of minutes.
  14. From the Statistics drop-down list, select Average or Sum depending on the metric.
  15. Click Create Alarm.

The alarm is in the INSUFFICIENT state until there is enough data for the alarm. As soon as enough data is available, the alarm state changes to OK or Alarm.

Step 2. Add Scaling Policy to Scale Out

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the left menu, click Auto Scaling Groups. 
  4. Select the CloudGen Firewall Auto Scaling group.
  5. In the lower half, click the Scaling Policies tab.
  6. Click Add policy.
  7. Enter a Name.
  8. From the Execute policy when drop-down list, select the matching CloudWatch alarm created in Step 1.
  9. Configure the action:
    • Action – Select Add to scale out, or Remove to scale in. Click Set to use an explicit number of instances.
    • Number of instances – Depending on the action, enter the number of instances to scale (add / remove) or the number of instances to scale to (set).
  10. (Optional) Click Add steps to define a more granular scaling policy that takes into account by how much the threshold is exceeded.
  11. In the Instances need text box, enter the number of seconds to wait before the next scaling action.
  12. Click Create.

Repeat this for both Scale In and Scale Out policies. Use CloudWatch dashboard widgets to visualize the alarm thresholds.
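
The same scale-out and scale-in pair can be built through the AWS API with boto3; the following is an added example and not Barracuda's code. Through the API, the scaling policy is created first and its ARN is attached to the alarm as the alarm action. The group name `cgf-asg`, the thresholds, the `AutoScalingGroupName` dimension, and the exact `MetricName` string are assumptions to check against what CloudWatch shows for your cluster.

```python
NAMESPACE = "Barracuda/CGF"  # custom-metric namespace named on this page
ASG_DIMENSION = "AutoScalingGroupName"  # assumption: dimension the metrics are filtered by

def build_plan(asg, metric, high, low, statistic="Average", period=300, cooldown=300):
    """Return [(policy_kwargs, alarm_kwargs)] for scale-out, then scale-in."""
    if low >= high:
        # Overlapping thresholds make the cluster add and remove instances in a loop.
        raise ValueError("scale-in threshold must be below the scale-out threshold")
    if period not in (10, 30) and (period <= 0 or period % 60):
        raise ValueError("CloudWatch alarm period must be 10, 30 or a multiple of 60")
    plan = []
    for suffix, operator, threshold, adjustment in (
        ("scale-out", "GreaterThanOrEqualToThreshold", high, 1),  # >= adds one instance
        ("scale-in", "LessThanOrEqualToThreshold", low, -1),      # <= removes one instance
    ):
        name = f"{asg}-{suffix}"
        policy = {
            "AutoScalingGroupName": asg, "PolicyName": name,
            "PolicyType": "SimpleScaling", "AdjustmentType": "ChangeInCapacity",
            "ScalingAdjustment": adjustment,
            "Cooldown": cooldown,  # seconds to wait before the next scaling action
        }
        alarm = {
            "AlarmName": name, "Namespace": NAMESPACE, "MetricName": metric,
            "Dimensions": [{"Name": ASG_DIMENSION, "Value": asg}],
            "Statistic": statistic, "Period": period, "EvaluationPeriods": 1,
            "Threshold": float(threshold), "ComparisonOperator": operator,
        }
        plan.append((policy, alarm))
    return plan

def apply_plan(plan, autoscaling, cloudwatch):
    """Create each policy, then the alarm that triggers it; return the policy ARNs."""
    arns = []
    for policy, alarm in plan:
        arn = autoscaling.put_scaling_policy(**policy)["PolicyARN"]
        # No SNS topic is attached: the only alarm action is the scaling policy.
        cloudwatch.put_metric_alarm(AlarmActions=[arn], **alarm)
        arns.append(arn)
    return arns

if __name__ == "__main__":
    import json
    # Dry run with constructed values. To apply for real, pass
    # boto3.client("autoscaling") and boto3.client("cloudwatch") to apply_plan().
    print(json.dumps(build_plan("cgf-asg", "Connections total", high=20000, low=5000), indent=2))
```

Run as a script, it only prints the request parameters, so the plan can be reviewed before anything is created in the account.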