This article describes how to use CloudGuard Security Gateways' custom metrics in AWS Auto Scaling Groups.
It is assumed that the reader is familiar with general AWS concepts and services such as:
- AWS CloudWatch
- Elastic Compute Cloud (EC2)
This document contains supplementary information to sk112575: CloudGuard Auto Scaling for AWS. If you are not familiar with the CloudGuard for AWS auto scaling solution, review it before proceeding to the solution below.
CloudGuard Security Gateways can report their statistics to the AWS CloudWatch service. For more information, refer to sk108769: Amazon Web Services (AWS) CloudWatch integration.
In order to use metrics in AWS Auto Scaling Groups, CloudGuard Gateways report their metrics as a group by adding a unique CloudWatch dimension to each metric. The Dimension field allows the user to view CloudGuard metrics in CloudWatch as a group.
It is also possible to use those group metrics to trigger AWS Auto Scaling Group scaling events. In an Auto Scaling Group deployment, scaling policies are created by default based on the AWS EC2 CPU Utilization metric.
There are situations in which scaling should be driven by different Gateway statistics: the Gateway can report other aspects of its performance that might be more relevant to and accurate for the user than CPU utilization. For a list of all available custom metrics, refer to sk108769: Amazon Web Services (AWS) CloudWatch integration.
In order to properly use CloudGuard custom metrics in AWS Auto Scaling Groups, do the following:
1. In AWS CloudWatch Service: Create a new CloudWatch Alarm based on the CloudGuard custom metric.
2. In AWS EC2 Service: Replace the Auto Scaling Group Scaling Policy to be triggered from the new CloudWatch Alarm.
Create a new CloudWatch Alarm
Note: To create a CloudWatch Alarm, you must have metrics that are already being reported by instances. You cannot create the Alarm before the Auto Scaling Group is deployed and reporting metrics.
1. Open your AWS CloudWatch Console.
2. Under Alarms, create a new Alarm.
3. Choose 'Select metric' and select the custom namespace 'Check Point'.
4. Select the 'AutoScalingGroup' dimension.
You should now see all metrics reported by CloudGuard Gateways, grouped by the Auto Scaling Group identifier.
Note: The CloudGuard Auto Scaling Group identifier is composed of the instances' CloudFormation stack name and a generated random suffix.
5. Select the required metric for the alarm and click 'Select metric'.
6. Under Specify metric and conditions, define your threshold and conditions:
* Keep the 'Statistic' field on 'Average'.
* Use the 'Static' threshold type.
7. In the 'Configure actions' section, make sure to remove all actions (scaling actions will be linked from the Auto Scaling Group menu instead).
8. Add a description for the alarm (unique name and description).
9. Preview and create the new alarm.
The new Alarm should appear with its status in the AWS CloudWatch Alarms view.
Configure the Auto Scaling Group in EC2
This section describes how to link the new alarm to an Auto Scaling Group scaling policy, replacing the default scaling policy:
1. In the AWS EC2 console, find and select the required Auto Scaling Group and go to the 'Scaling policies' tab.
2. Delete all existing scaling policies so that the new alarm becomes the only trigger.
3. Select 'Add policy' to create a new scaling policy.
4. Select 'Create a simple scaling policy' or 'Create a scaling policy with steps'; both types support Alarms (refer to the AWS documentation to learn more about the types of scaling policies).
5. Under 'Execute policy when', select the new custom Alarm you created in the section above.
6. Complete the policy name and the action to take.
7. Important: To complete the scaling behavior for the scale-down flow as well, repeat the two sections above with an additional Alarm for the state in which the Gateway group should reduce its size, and an additional scaling policy action defining how to scale down.
- It is possible to use more than one metric for triggering auto scaling events. However, you should fine-tune your thresholds with great attention to avoid conflicts or loops between scaling policies.
- You can use CloudWatch Metric Math to create an additional custom metric composed of two different custom metrics. For more information about Metric Math, refer to Amazon CloudWatch: Using Metric Math.
- Warning: The dimension is based on the group's IAM Instance Profile. Do not use the Auto Scaling Group's IAM Instance Profile for other instances that are not part of the Auto Scaling Group. If an instance outside the group reports metrics with the same Instance Profile ID, this might cause unexpected results such as faulty metrics reporting and undesired scaling events.
- The EnableCloudWatch parameter must be enabled in the CloudGuard Auto Scaling Group CloudFormation deployment template in order to report statistics.
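The two sections above (one Alarm plus one scaling policy for scale-out, and the same pair again for scale-down) can also be expressed as a CloudFormation template, which makes the thresholds reviewable and repeatable. The template below is an added example written for this article; it is not part of the SK or of the CloudGuard deployment templates. It assumes the Auto Scaling Group already exists and is reporting metrics. The metric name and the value of the 'AutoScalingGroup' dimension are placeholders to be copied from the CloudWatch console (the available metric names are listed in sk108769), and the threshold defaults are illustrative. In CloudFormation the link between Alarm and policy is expressed by the Alarm's AlarmActions referencing the policy ARN, which is the same association the console creates under 'Execute policy when'.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example for this article (not Check Point's template): scale-out and
  scale-in alarms on a CloudGuard custom metric, each linked to a step
  scaling policy of an existing CloudGuard Auto Scaling Group.

Parameters:
  AutoScalingGroupName:
    Type: String
    Description: Name of the already deployed CloudGuard Auto Scaling Group.
  CloudGuardMetricName:
    Type: String
    Description: >-
      Placeholder. A metric name from the "Check Point" namespace (see
      sk108769); copy it from the CloudWatch console.
  CloudGuardGroupId:
    Type: String
    Description: >-
      Placeholder. Value of the AutoScalingGroup dimension (stack name plus
      random suffix) as shown in the CloudWatch console.
  ScaleOutThreshold:
    Type: Number
    Default: 80   # illustrative value; tune per sk108769 metric semantics
  ScaleInThreshold:
    Type: Number
    Default: 30   # kept well below ScaleOutThreshold to avoid scaling loops

Resources:
  # Step scaling policies support alarms, as noted in the procedure above.
  ScaleOutPolicy:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref AutoScalingGroupName
      PolicyType: StepScaling
      AdjustmentType: ChangeInCapacity
      MetricAggregationType: Average
      EstimatedInstanceWarmup: 600   # seconds until a new gateway reports
      StepAdjustments:
        - MetricIntervalLowerBound: 0   # any breach above the threshold
          ScalingAdjustment: 1

  ScaleInPolicy:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref AutoScalingGroupName
      PolicyType: StepScaling
      AdjustmentType: ChangeInCapacity
      MetricAggregationType: Average
      StepAdjustments:
        - MetricIntervalUpperBound: 0   # any breach below the threshold
          ScalingAdjustment: -1

  # Scale-out alarm: namespace "Check Point", grouped by AutoScalingGroup,
  # Average statistic and a static threshold, as in the console procedure.
  ScaleOutAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: CloudGuard group metric high, add a gateway
      Namespace: "Check Point"
      MetricName: !Ref CloudGuardMetricName
      Dimensions:
        - Name: AutoScalingGroup
          Value: !Ref CloudGuardGroupId
      Statistic: Average
      Period: 60
      EvaluationPeriods: 5
      DatapointsToAlarm: 3          # 3 of 5 minutes breaching, damps spikes
      Threshold: !Ref ScaleOutThreshold
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref ScaleOutPolicy

  # Scale-in alarm: the additional Alarm from step 7 of the second section.
  ScaleInAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: CloudGuard group metric low, remove a gateway
      Namespace: "Check Point"
      MetricName: !Ref CloudGuardMetricName
      Dimensions:
        - Name: AutoScalingGroup
          Value: !Ref CloudGuardGroupId
      Statistic: Average
      Period: 60
      EvaluationPeriods: 15
      DatapointsToAlarm: 15         # sustained low load before scaling in
      Threshold: !Ref ScaleInThreshold
      ComparisonOperator: LessThanOrEqualToThreshold
      TreatMissingData: notBreaching  # a silent gateway must not shrink the group
      AlarmActions:
        - !Ref ScaleInPolicy
```

Deploy it with `aws cloudformation deploy --template-file alarms.yaml --stack-name cloudguard-scaling --parameter-overrides AutoScalingGroupName=... CloudGuardMetricName=... CloudGuardGroupId=...`. The gap between the two thresholds, the longer evaluation window on the scale-in alarm and `TreatMissingData: notBreaching` are the controls that address the loop and faulty-reporting caveats in the notes above: a gateway that stops reporting produces missing data rather than a low value, so it cannot by itself trigger a scale-in.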