We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Bring-Your-Own-License (BYOL) Auto Scaling

  • Last updated on

Refer to the Pay-As-You-Go (PAYG)/Hourly Auto Scaling article if you want to deploy the Hourly/PAYG Barracuda CloudGen WAF in the auto scaling model.

To deploy the Bring-Your-Own-License (BYOL) Barracuda CloudGen WAF in the auto scaling model, follow the instructions mentioned in this article.

BYOL Auto Scaling CloudFormation Template (CFT)

Two types of auto scaling deployments are supported for BYOL auto scaling:

Basic Bootstrapping

In Basic Bootstrapping, the CFT will deploy the Barracuda CloudGen WAF in the auto-scaling group and create the service with the values provided while creating the stack. Use this mode of deployment if you are starting with your first deployment.The Basic Bootstrapping CFT is available on GitHub.

Backup Bootstrapping

In Backup Bootstrapping (deployment using the backup file), the service(s) and other configurations are restored from the specified backup file to the auto scaling group. Use this deployment when you want to replicate the existing auto scaling group for various reasons.

The BYOL Auto Scaling CloudFormation Template includes:

  • The number of Barracuda CloudGen WAF instances to be deployed and provisioned in the auto scaling group.
  • Enables the specified IAM role to access the S3 buckets.
  • The S3 buckets are defined as:
  • License S3 Bucket: This S3 bucket includes licensing related information. Ensure this bucket is created before creating the stack for the auto scaling group.
    • licenses.json: A license file contains the list of licenses that are used uploaded by the administrator. This file should be created in the valid JSON format and should be saved in the name “barracuda-byol-license-list.json”.

Create a license file

  1. Open notepad or any text editor. Type the licenses in the format illustrated below.
    JsonLicenseFile.png

    It is recommended that you validate the JSON file using JSONLint or any other online validator before uploading the license file. The created WAF instances might fail during provisioning if the JSON file is not valid.

  2. Save the license file. Note that you save the file with the name "barracuda-byol-license-list.json" as mentioned earlier.

Upload the license file 

  1. Upload the license file "barracuda-byol-license-list.json" to the License S3 Bucket you created.
    • licenses.dat: Contains all the available (unused) and used licenses. This file is generated by the Barracuda when the stack is created.  It is highly recommended not to edit or delete this file. Note that editing or deleting this file may affect your auto scaling setup.
    • license usage history file: It is a log file that contains license usage activity by different instances whenever the instances are scaled up/down because of auto scaling.
  • Cluster S3 Bucket: Provides details of instances that are in cluster. A file is created for each instance with the serial number and primary IP address (i.e. WAN IP address) of the instance that is in cluster. 
  • Backup S3 Bucket: Contains the backup file(s) restored by the administrator.
  • EC2 Security group created and attached to the deployed Barracuda CloudGen WAF instances.
  • Cloud Watch Alarms created for CPU and network usage to determine the scaling up/down of instances.
  • Proxy Server Details: If the subnet where the instance will be deployed does not have access to the internet, the Barracuda CloudGen WAF uses the specified proxy server to connect to the Barracuda Provisioning server to license the Barracuda CloudGen WAF.

To backup system configuration to Amazon S3 bucket, see the "Backing Up the Barracuda CloudGen WAF Instance(s) System Configuration in Amazon Web Services" section in the Backing Up and Restoring your System Configuration article.

You can enable Role Based Administration (RBA) to the Barracuda CloudGen WAF instance on Amazon Web Services by using the Backup Based BYOL CloudFormation Template (CFT). When an instance is deployed with the backup based BYOL CFT, the administrator can access the Barracuda CloudGen WAF web interface ONLY with the LDAP password. For more information, refer to the “Admin Password Masking for the Barracuda CloudGen WAF Instances Deployed in Amazon Web Services (AWS)” section in the Role-Based Administration article.

The Backup Bootstrapping CFT is available on GitHub.

Prerequisites

  • Latest Barracuda CloudGen WAF CFT Template.
  • Availability Zone(s), VPC ID, and subnet ID where you want to deploy the Barracuda CloudGen WAF and protect your servers.
  • Elastic Load Balancer to load balance the traffic between the deployed Barracuda CloudGen WAFs. For more information, see Elastic Load Balancing in the AWS documentation.
  • S3 buckets:
    • License S3 bucket: The location where the “license.json” file needs to be created and saved. The “license.json” file contains the licenses that can be used. The file name should be “barracuda-byol-license-list.json”.
    • Cluster S3 bucket: The information related to clustering is stored.
    • Backup S3 bucket (Optional): This is required for backup based bootstrapping, the configuration is restored from the selected backup.

      You can have a single bucket with sub-directories for each function, instead of three separate buckets for each function. It is also possible to use a single S3 bucket for all the three functions. Any of these options can be chosen by providing the relevant inputs for each field when launching an instance.

  • Create an IAM role to access the S3 buckets. See IAM Policy.

    The IAM role’s ARN should be used as the input value in the launch parameters.

Default Values of the Barracuda CloudGen WAF BYOL CloudFormation Template

The following are the default values of the Barracuda CloudGen WAF BYOL CloudFormation Template (CFT). You can modify the values as needed.

  • Scaling Min Size - The minimum number of Barracuda CloudGen WAF instances to be deployed initially to serve the web traffic. Default: 1
  • Scaling Max Size - The maximum number of instances to be scaled up to handle the traffic whenever required.  Default: 4
  • Instance Type - Instance type to be used in Amazon Web Services (AWS). Default: m3.medium
  • Security Group with the following ports opened:

    Port Protocol Description
    8000 TCP Provides HTTP access to the Barracuda CloudGen WAF web interface.
    8443 TCP Provides HTTPS access to the Barracuda CloudGen WAF web interface.
    8002 TCP Required for clustering the instances and to auto scale the instances up/down.
    32575 TCP Required for clustering the instances and to auto scale the instances up/down.
    32576 UDP Required for clustering the instances and to auto scale the instances up/down.
  • Default Cool Down time for scaling the instances up/down is set to 300 seconds.
  • Alarms for CPU and Bandwidth. Note: These alarms are designed in such a way as to ensure that auto scaling does not lead to instability. The alarms will scale up quickly and scale down slowly to ensure traffic to the site is not disrupted.

    Alarm Type Threshold Value (Average) Action Evaluation Periods
    Network-In High Alarm 70% of max throughput for 5 minutes Bring up one instance 5 minutes
    Network-In Low Alarm < 50% of max throughput for 1 hours 15 minutes" Bring down one instance 1 hours 15 minutes
    Network-Out High Alarm 70% of max throughput for 5 minutes Bring up one instance 5 minutes
    Network-Out Low Alarm < 50% of max throughput for 1 hours 15 minutes" Bring down one instance 1 hours 15 minutes
    CPU High Alarm > 85% for 5 minutes Bring up one instance 5 minutes
    CPU Normal Alarm < 60% for 1 hours 15 minutes Bring up one instance 1 hours 15 minutes
Last updated on