Deploy the ASA Virtual Auto Scale Solution on Alibaba Cloud

About the Auto Scale Solution

The auto scale solution helps organisations to automatically increase the number of ASA virtual instances when traffic spikes and decrease it during a lull in traffic. This leads to efficient use of network resources, improves availability, and reduces operational costs.

Starting from Secure Firewall ASA version 9.20.1, Cisco provides Terraform templates to enable deployment of a horizontal auto scaling solution for ASA virtual firewalls deployed in the Alibaba Cloud environment. The auto scaling solution enables an automated increase or decrease in the number of ASA virtual firewalls based on CPU utilization.

Guidelines and Limitations for the Auto Scale Solution on Alibaba Cloud

  • Only IPv4 is supported.

  • Any specific DNS requirements of the load balancer’s public IP are out of scope as the external load balancer is created by the terraform template.

  • As Alibaba Cloud does not support parallel attachment of Elastic Network Interfaces (ENIs) to Classic Load Balancers, ensure that you set the minimum number of instances to be deployed to 1 for the initial deployment of the functions terraform stack. You can modify this setting, as required, at a later stage.

  • We assume that user applications are behind the Internal Load Balancer (ILB), and the ASA virtual routes all traffic through the load balancer or directly to the application.

  • Device logs obtained by using the show tech command do not contain auto scale logs. The auto scale logs can be checked in the Alibaba Cloud Function Compute logs.

  • If the ASA virtual instance is not accessible via SSH despite many retries, the instance is deleted. Alibaba Cloud then creates a new ASA virtual instance to meet the minimum and maximum constraints of the scaling group.

  • If ASA virtual licensing fails despite many retries, the instance is deleted. Alibaba Cloud then creates a new ASA virtual instance to meet the minimum and maximum constraints of the scaling group.

  • The scale-out operation takes a couple of minutes to perform the following tasks:

    • Launch new ASA virtual

    • Get Public IP

    • Configure Interfaces

    • Create and attach Elastic Network Interfaces (ENIs)

    • License ASAv

    • Create Network Objects

    • Create Service Objects

    • Create Static Routes

    • Create NAT Rules

  • The ASA virtual is configured using the CLI.

  • ASDM and CSM are not supported.

Use Case for the Auto Scale Solution on Alibaba Cloud

The ASA virtual auto scale solution for Alibaba Cloud is an automated horizontal scaling solution that positions an ASA virtual instance group between an Internal Load Balancer (ILB) and an External Load Balancer (ELB).

  • The ELB distributes traffic from the internet to ASA virtual instances in the instance group. The firewall then forwards traffic to the application.

  • The ILB distributes outbound internet traffic from an application to ASA virtual instances in the instance group. The firewall then forwards traffic to the Internet.

  • The number of ASA virtual instances in the scale set will be scaled up or down and configured automatically based on CPU utilization.

Download the Deployment Package

The ASA virtual auto scale solution for Alibaba Cloud is a template-based deployment that makes use of the serverless infrastructure provided by Alibaba Cloud, such as Function Compute, Resource Orchestration Service (ROS), Event Bridge, Object Storage Service (OSS), and so on.

Download the following deployment scripts and templates that are required to launch the ASA virtual auto scale solution for Alibaba Cloud from the GitHub repository:

  • main.tf and variables.tf function terraform templates in the functions_template folder - Used to set up Alibaba Cloud functions.

  • main.tf and function.tf resource terraform templates in the resources_template folder - Used to set up the resources required to enable auto scale functionality.

  • alibaba_lib.py, basic_functions.py, and index.py in the scalein folder - Contain the code and parameters for the scale-in functionality.

  • alibaba_lib.py, basic_functions.py, and index.py in the scaleout folder - Contain the code and parameters for the scale-out functionality.

  • requirements.txt file - Contains information on the cryptography package, functions, and layers used to set up the auto scale functionality.

  • asav_user_config - Contains mandatory and customizable ASA virtual user configuration that is applied to every deployed ASA virtual instance. You can configure data interfaces, Alibaba Cloud health check port, access control rules, NAT rules, and routes to allow Alibaba Cloud health check configuration. Ensure that the name of this file matches the value of the variable asav_user_config_file_name in the variables.tf function terraform template file.


Note: Cisco-provided deployment scripts and templates for auto scale are provided as open source examples and are not covered within the regular Cisco TAC support scope.

Components of the Auto Scale Solution on Alibaba Cloud

The following components make up the ASA virtual auto scale solution for Alibaba Cloud.

Resource Orchestration Service

Alibaba Cloud Resource Orchestration Service (ROS) is a fully managed service for orchestrating cloud computing resources and automating their deployment. ROS manages multiple stacks as a single unit, called a stack group, with high efficiency and cost-effectiveness. ROS uses Terraform templates to create multiple stacks across accounts and regions and enables unified stack deployment across different directory folders and accounts.

Cisco provides Terraform templates that can be deployed using Alibaba Cloud ROS. These templates create the following resources on Alibaba Cloud, which are used to set up the auto scale solution.

  • Elastic Compute Service (ECS) Launch Template

  • Elastic Scaling Service (ESS) Scaling Group

  • ESS Alarms for adding and removing instances from scaling groups

  • ESS lifecycle hook for the scale-in action

  • Server load balancer (SLB) for deploying external load balancer (ELB) and internal load balancer (ILB)

  • SLB vServer groups, and listeners

  • NAT gateway

  • Elastic IP address

  • Route Table

  • Function Compute service and functions for the scale-out and scale-in actions

  • Scale-out and scale-in action triggers

  • Log Project and Log Store

Auto Scaling Group

A scaling group is a basic management unit in auto scaling. It is used to manage Elastic Compute Service (ECS) instances that are applied to similar scenarios and can be associated with multiple Server Load Balancer (SLB) instances. After a scaling group is associated with SLB, ECS instances that are added to the scaling group are automatically added as backend servers of the associated SLB instances.

Likewise, the internal IP addresses of these instances are automatically added to the allowlists of the associated RDS instances. A scaling configuration is a template that Auto Scaling uses to create ECS instances automatically. A scaling rule specifies information such as the number of ECS instances to scale by, or sets the boundary values of a scaling group. After a scaling rule is created, a scaling task can execute the rule automatically.

To automatically scale ECS instances based on their running metrics, use an event-triggered task that dynamically manages ECS instances in a scaling group based on monitoring metrics from CloudMonitor and EventBridge.

Classic Load Balancer

A Classic Load Balancer (CLB) distributes inbound network traffic across multiple backend servers based on forwarding rules, which ensures the performance and availability of applications. CLB uses virtual IP addresses to provide load balancing for the backend pool, which consists of servers deployed in the same region. CLB monitors the health of the backend servers and does not distribute traffic to unhealthy servers, which eliminates single points of failure (SPOFs) and improves application availability.

EventBridge

EventBridge is a serverless event bus service provided by Alibaba Cloud that can be accessed from other Alibaba Cloud services, custom applications, and software-as-a-service (SaaS) applications. EventBridge routes events between these services and applications based on the standard CloudEvents 1.0 specification and can be used to build loosely coupled, distributed, event-driven architectures. The following figure shows the event flow in EventBridge.

  • The event source publishes events that are generated by Alibaba Cloud services, custom applications, and SaaS applications to the system event bus.

  • EventBridge stores the received events and routes them to the event target based on the event rule.

  • The event Target receives the events.

Function Compute

Alibaba Cloud Function Compute is a fully managed, event-driven computing service that lets you focus on writing and uploading code without procuring or managing infrastructure resources such as servers. Function Compute prepares the computing resources, runs the code, and provides features such as log query, performance monitoring, and alerting. Function Compute integrates different services in an event-driven manner; on this basis you can build elastic, reliable, and secure applications and services, and even complete a set of backend services for processing multimedia data within a few days. When an event source triggers an event, the associated function is called automatically to process the event. See Function Compute for more information.

Layers

Layers are used to publish and deploy custom resources such as common dependencies, runtime environments, and function extensions. Common libraries can be moved into a layer, which reduces the size of the code package of every function that depends on that layer.

When you build a layer, you need to package the content into a zip file. The Function Compute runtimes decompress and deploy the content of the layer in the /opt directory. When multiple layers are configured for a function, the content of these layers is merged and stored in the /opt directory in reverse order.

Licenses

The auto scale solution is supported with the BYOL licensing model. Ensure that the number of licenses that are reserved is greater than or equal to max_asa_count. Select the entitlement based on the instance shape.

Prerequisites for the Auto Scale Solution on Alibaba Cloud

  • Infrastructure such as VPCs, vSwitches, ASA virtual images, subnets with their respective security groups, and routes must be available.

  • Create the VCN and subnets that are used by your applications and the other elements in your resource group.

  • Ensure that three VPCs are available or created. An auto scale deployment does not create, alter, or manage any networking resources. As the ASA virtual requires three network interfaces, your virtual network requires three subnets for the following types of traffic:

    • Management traffic

    • Inside traffic

    • Outside traffic

  • Create a network security group and attach it to all the subnets according to your environment requirements.

Input Parameters

Cisco provides terraform templates to enable deployment of a horizontal auto scaling solution for ASA virtual firewalls deployed in the Alibaba Cloud environment. The auto scaling solution enables an automated increase or decrease in the number of ASA virtual firewalls based on CPU utilisation.

The resources defined in the main.tf function template file are described below.

  • resource "alicloud_log_project" - Log Service project. A project is the resource management unit in Log Service and is used to isolate and control resources; you can manage all the logs and related log sources of an application through a project.

  • resource "alicloud_log_store" - Log Service logstore, the unit in which log data is collected, stored, and queried. Each logstore belongs to a project, and a project can contain multiple logstores.

  • resource "alicloud_fc_service" - Alibaba Cloud Function Compute service. The service is the base on which the functions and the trigger configuration are created.

  • resource "alicloud_log_store_index" - Index for the logstore. Log Service can search and analyze large volumes of logs in real time once the index and field statistics are enabled.

  • resource "alicloud_fc_function" "scalein_action" - Scale-in function that handles the scaled-in ASA virtual instances.

  • resource "alicloud_fc_function" "scaleout_action" - Scale-out function that handles the scaled-out ASA virtual instances.

  • resource "alicloud_fc_trigger" "scalein_action_trigger" - Function Compute trigger that starts the scale-in function in response to events.

  • resource "alicloud_fc_trigger" "scaleout_action_trigger" - Function Compute trigger that starts the scale-out function in response to events.

The variables in the variables.tf function template file are given below.

  • access_key and secret_key - The access key and secret key of the Alibaba Cloud account.

  • region - Region in which you deploy the auto scale solution.

  • account_id - Enterprise alias ID given by Alibaba Cloud.

  • vswitch_mgmt_id - The vSwitch ID for the management interface.

  • vswitch_inside_id and vswitch_outside_id - The vSwitch IDs for the inside and outside interfaces.

  • scaling_group_name - Name of the auto scaling group deployed in the auto scale solution.

  • security_group_id - ID of the security group created for the VPC that is set up.

  • elb_name - Name of the external load balancer.

  • ilb_name - Name of the internal load balancer.

  • inside_security_zone_name and outside_security_zone_name - Names of the inside and outside security zones.

  • management_security_zone_name - Name of the management security zone.

  • asav_user_name and asav_password - User name and password for the ASA virtual instance.

  • asav_enable_password - The enable password for the ASA virtual instance.

  • asav_license_key - License key of the ASA virtual instance.

  • log_project_name - Name of the project created in Simple Log Service.

  • log_store_name - Name of the logstore in Log Service that is used to collect, store, and query logs.

  • fc_service_name - Name of the service created in Function Compute.

  • fc_scaleout_fn_name and fc_scalein_fn_name - Names of the scale-out and scale-in functions.

  • fc_scaleout_trigger_name and fc_scalein_trigger_name - Names of the scale-out and scale-in triggers.

  • function_bucket - Name of the OSS bucket used to store objects.

  • layers_name - Name of the group of layers that has to be created for successful deployment of the auto scale solution.

  • scaleout_function_zip_key and scalein_function_zip_key - Object keys of the scale-out and scale-in function zip files.

  • launch_template_name - Name of the deployment template.

  • asav_inside_gateway - Name of the ASA virtual instance's inside gateway.

  • asav_user_config_file_name - Name of the ASA virtual user configuration file.

The resources defined in the main.tf resource template file are described below.

  • resource "alicloud_ecs_launch_template" - Provides an ECS launch template resource.

  • resource "alicloud_ess_scaling_group" - Provides an ESS scaling group resource, which is a collection of ECS instances with the same application scenario. It defines the maximum and minimum numbers of ECS instances in the group, their associated Server Load Balancer instances, RDS instances, and other attributes.

  • resource "alicloud_ess_scaling_rule" - Provides an ESS scaling rule resource.

  • resource "alicloud_ess_alarm" - Provides an ESS alarm task resource.

  • resource "alicloud_ess_lifecycle_hook" - Lifecycle hook for the scaling group.

  • resource "alicloud_ess_notification" - Provides a resource for event notifications.

  • resource "alicloud_slb_load_balancer" - Provides an Application/Server Load Balancer resource.

  • resource "alicloud_slb_server_group" - A virtual server group contains several ECS instances. Virtual server groups let you define multiple listening dimensions and meet custom requirements for domain name and URL forwarding.

  • resource "alicloud_slb_listener" - Provides an Application Load Balancer listener resource.

  • resource "alicloud_nat_gateway" - Provides a resource to create a VPC NAT gateway.

  • resource "alicloud_eip_address" - Provides an EIP address resource.

  • resource "alicloud_eip_association" - Provides an Alibaba Cloud EIP association resource for associating an elastic IP address with an ECS instance, SLB instance, or NAT gateway.

  • resource "alicloud_snat_entry" - Provides an SNAT entry resource.

  • resource "alicloud_route_table" - Provides a route table resource.

  • resource "alicloud_route_entry" - Provides a route entry resource. A route entry represents one route item of a VPC route table.

  • resource "alicloud_route_table_attachment" - Provides an Alibaba Cloud route table attachment resource for associating a route table with a vSwitch instance or NAT gateway.

The variables in the variables.tf resource template file are given below.

Table 1. Variables in the variables.tf resource template file

  • access_key and secret_key - The access key and secret key of the Alibaba Cloud account.

  • region - The region in which you deploy the auto scale solution.

  • account_id - The ID of your account.

  • asav_image_id - Specifies the ASA virtual image ID.

  • instance_type - ASA virtual instance type. For example, ecs.g5ne.xlarge.

  • internet_charge_type - The usage payment terms as per your requirement. By default, this is set to ‘PayByBandwidth’.

  • internet_max_bandwidth_in and internet_max_bandwidth_out - The maximum inbound and outbound bandwidth. By default, these are set to 25 and 20 Gbps respectively.

  • network_type - Specifies the network type. In this case, it is specified as vpc.

  • security_group_id - Specifies the security group ID. This is set during creation of the VPC.

  • system_disk_name - Specifies the name of the system disk.

  • delete_with_instance_flag - When set to true, the boot disk is deleted together with the instance.

  • launch_template_name - The name of the deployment template.

  • vpc_id - The ID that is created during the creation of the VPC.

  • zone_id - Specifies the zone, within the region, in which the instance is created.

  • scaling_group_name - Name of the auto scaling group deployed in the auto scale solution.

  • vswitch_mgmt_id - The vSwitch ID for the management interface.

  • vswitch_inside_id and vswitch_outside_id - The vSwitch IDs for the inside and outside interfaces.

  • scaleout_rule_name and scalein_rule_name - Specifies the rule names for the scale-out and scale-in functions.

  • min_asav_size and max_asav_size - Minimum and maximum number of ASA virtual instances that can be deployed as part of the auto scaling group. These values can be updated as required; by default, they are set to 1 and 3 instances respectively.

  • cpu_threshold_scaleout and cpu_threshold_scalein - Maximum and minimum CPU utilisation values; scale-out and scale-in actions are triggered based on these values. These values can be updated as per the end user’s requirements; by default, they are set to CPU usage of 70% and 40% respectively.

  • add_instance_event_name and rm_instance_event_name - Names of the add-instance and remove-instance events of the scaling group.

  • elb_name and ilb_name - Names of the external and internal load balancers.

  • elb_vserver_group_name and ilb_vserver_group_name - Names of the ELB and ILB virtual server groups.

  • instance_user_data - Base64-encoded Day Zero configuration that is applied to every instance that is deployed.

  • nat_gateway_name - Specifies the name of the NAT gateway.

  • route_table_name - Specifies the name of the NAT gateway’s route table.

  • alicloud_eip_address_name - Specifies the name of the external IP address in Alibaba Cloud.

  • scalein_lifecycle_hook_name and scaleout_lifecycle_hook_name - Names of the lifecycle hooks for the scale-in and scale-out functions.

All VPCs, instances, and the OSS bucket have to be in the same region for the scripts to work as intended. Do not change the variable names, as the auto scale scripts depend on them; change only the values of the variables.
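Because the scripts look variables up by name, a renamed variable or an inconsistent value only shows up after the stack is created. The following pre-deployment check is an added example, not part of Cisco's deployment package: it reads the `variable "name" { default = ... }` blocks of a variables.tf file with a small regex reader (enough for these flat templates, not a general HCL parser) and applies the rules stated in this guide (unchanged variable names, min/max instance counts, CPU thresholds, and OSS object names matching the file names you upload). The sample HCL and the uploaded object list are constructed for the example.

```python
import re

# Constructed sample of a variables.tf resource template (not Cisco's file);
# only the flat `variable "name" { default = ... }` shape used by the templates.
SAMPLE_RESOURCE_VARIABLES_TF = '''
variable "region"                 { default = "ap-southeast-1" }
variable "min_asav_size"          { default = 1 }
variable "max_asav_size"          { default = 3 }
variable "cpu_threshold_scaleout" { default = 70 }
variable "cpu_threshold_scalein"  { default = 40 }
variable "elb_name"               { default = "asav-elb" }
variable "ilb_name"               { default = "asav-ilb" }
'''

# Constructed sample of a variables.tf function template.
SAMPLE_FUNCTION_VARIABLES_TF = '''
variable "asav_user_config_file_name" { default = "asav_user_config.txt" }
variable "scaleout_function_zip_key"  { default = "scaleout_action.zip" }
variable "scalein_function_zip_key"   { default = "scalein_action.zip" }
variable "layers_name"                { default = "asav_autoscale_layers" }
'''

# Variable names the guide documents (a subset). The scripts look these up by
# name, so a renamed variable must be reported, not silently ignored.
REQUIRED_RESOURCE_VARS = {"region", "min_asav_size", "max_asav_size",
                          "cpu_threshold_scaleout", "cpu_threshold_scalein",
                          "elb_name", "ilb_name"}
REQUIRED_FUNCTION_VARS = {"asav_user_config_file_name", "layers_name",
                          "scaleout_function_zip_key", "scalein_function_zip_key"}
OBJECT_KEY_VARS = ("asav_user_config_file_name",
                   "scaleout_function_zip_key", "scalein_function_zip_key")

# Matches a variable block and its default (quoted string or plain number).
_VAR_RE = re.compile(
    r'variable\s+"(?P<name>[^"]+)"\s*\{[^}]*?default\s*=\s*'
    r'(?P<value>"[^"]*"|-?\d+(?:\.\d+)?)')


def parse_variable_defaults(hcl_text):
    """Return {variable_name: default_value}; numeric defaults become numbers."""
    defaults = {}
    for m in _VAR_RE.finditer(hcl_text):
        raw = m.group("value")
        if raw.startswith('"'):
            defaults[m.group("name")] = raw.strip('"')
        else:
            defaults[m.group("name")] = float(raw) if "." in raw else int(raw)
    return defaults


def check_resource_variables(defaults, initial_deployment=True):
    """Apply the guide's rules to the resource template; return error strings."""
    missing = REQUIRED_RESOURCE_VARS - defaults.keys()
    if missing:
        return ["missing or renamed variables: %s" % sorted(missing)]
    errors = []
    lo, hi = defaults["min_asav_size"], defaults["max_asav_size"]
    if not 0 <= lo <= hi:
        errors.append("min_asav_size=%s must be between 0 and max_asav_size=%s" % (lo, hi))
    # CLB cannot attach ENIs in parallel, so the first deployment starts with one instance.
    if initial_deployment and lo != 1:
        errors.append("initial deployment requires min_asav_size = 1, got %s" % lo)
    out, inn = defaults["cpu_threshold_scaleout"], defaults["cpu_threshold_scalein"]
    if not 0 < inn < out <= 100:
        errors.append("need 0 < cpu_threshold_scalein (%s) < cpu_threshold_scaleout (%s) <= 100"
                      % (inn, out))
    return errors


def check_function_variables(defaults, uploaded_objects):
    """Check that every OSS object name the function template refers to was uploaded."""
    missing = REQUIRED_FUNCTION_VARS - defaults.keys()
    if missing:
        return ["missing or renamed variables: %s" % sorted(missing)]
    uploaded = set(uploaded_objects)
    return ["%s=%r is not among the uploaded OSS objects" % (var, defaults[var])
            for var in OBJECT_KEY_VARS if defaults[var] not in uploaded]
```

Run the two check functions over the real variables.tf files (read from disk) and the object listing of your OSS bucket before creating the stacks; an empty list from each means the documented preconditions hold.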

Deploy the Auto Scale Solution

Perform the steps given below to deploy the auto scale solution.

Procedure


Step 1

Clone the Git Repository to the local folder.

git clone <Git Repository URL> -b <branch Name>

Step 2

Create the Object Storage Service (OSS) bucket.

  1. On the Alibaba Cloud OSS console, choose Object Storage Service (OSS) in the left navigation pane.

  2. Click the Buckets tab.

  3. Click Create Bucket and enter the Bucket Name along with any other required details in the dialog box.

  4. Click OK to create the OSS bucket.

Step 3

Set up the Virtual Private Cloud and vSwitches.

  1. On the Alibaba Cloud VPC console, in the top navigation bar, choose the region where you want to create a VPC and a vSwitch.

  2. On the VPC page, click Create VPC and enter the VPC Name, IPv4 CIDR block, and any other required details.

  3. Scroll down to the vSwitch section and click +Add to add virtual switches (vSwitches) for the management, inside, and outside interfaces.

  4. Click OK to create the VPC.

Step 4

Import layers into Alibaba Cloud by uploading the asav_autoscale_layers.zip file that you downloaded from GitHub.

  1. Log in to the Alibaba Cloud Function Compute Console and go to Advanced Features > Layers.

  2. Choose a region in the top navigation bar.

  3. On the Layers page, click Create Layer.

  4. Enter a Name for the layer along with a Description. The Name used here must match the value used for the layers_name parameter in the variables.tf function template file.

  5. In the Compatible Runtime field, choose Python 3.9.

  6. For the Layer Upload Method, choose Build Dependency Layer Online.

  7. From the Build Environment drop-down list, choose Python 3.9.

  8. Open the requirements.txt file that you downloaded from GitHub and copy the content that is in it.

  9. In the requirements.txt File field, paste the content that you copied from the requirements.txt file.

  10. Click Create.

Step 5

Update the variables in the following templates to ensure that the auto scale solution is deployed using the required VPC and custom variable names.

  • cloud_autoscale/Alibaba/ASAv/autoscale_deployment/variables.tf

  • cloud_autoscale/Alibaba/ASAv/functions_deployment/variables.tf

See Input Parameters for more information on the template variables.

Step 6

Create the scalein_action.zip and scaleout_action.zip files by using the commands given below. Note the filenames and provide the same in the variables.tf file used in the function template.


user@vms:/workspace/cloud_autoscale/Alibaba/ASAv/scalein$ zip scalein_action.zip *
  adding: scalein/alibaba_lib.py (deflated 85%)
  adding: scalein/basic_functions.py (deflated 73%)
  adding: scalein/index.py (deflated 65%)

user@vms:/workspace/cloud_autoscale/Alibaba/ASAv/scaleout$ zip scaleout_action.zip *
  adding: scaleout/alibaba_lib.py (deflated 84%)
  adding: scaleout/basic_functions.py (deflated 78%)
  adding: scaleout/index.py (deflated 73%)

The files in each of the zip files are given below.

  • index.py

  • alibaba_lib.py

  • basic_functions.py

Step 7

Upload the scalein_action.zip and scaleout_action.zip files to the OSS Bucket.

  1. On the Alibaba Cloud Object Storage Service console, go to Buckets > OSS bucket created by you > Objects > Upload Object > Select Files.

  2. Choose the scalein_action.zip and scaleout_action.zip files from the local folder and click Upload. Ensure that the files are zipped and not in a folder.

Step 8

Upload the asav_user_config.txt file to the OSS bucket.

  1. On the Alibaba Cloud Object Storage Service console, go to Buckets > OSS bucket created by you > Objects > Upload Object > Select Files.

  2. Choose the asav_user_config.txt file from the local folder and click Upload.

Step 9

Create Terraform Templates.

  1. In the Alibaba Cloud ROS console, click Templates > My Templates.

  2. Click Create Template.

  3. Click Terraform > Open File.

  4. Choose main.tf and variables.tf, and click Open.

  5. Click Save Template > Save as My Template.

  6. In the Template Name field on the Save as My Template window, enter asav_functions.

  7. Click OK.

Repeat the preceding substeps (1 to 7) to create the autoscale Terraform template.

Step 10

Create the functions stack.

  1. In the Alibaba Cloud ROS console, click Templates > My Templates.

  2. Click Create Stack in the row mentioning the name of the functions template that you created.

  3. In the Use New Resources (Standard) page, enter the Stack Name.

  4. (Optional) You can change the values of the variables in the template as per your requirements.

  5. Click Create.

  6. (Optional) Click the Events tab and toggle Auto-refresh to watch the stack resources being created in real time. You can also click the Refresh icon to refresh the status of the events on this page. After all the resources have been created, Created is shown next to Status in the Stack Information tab, which signifies that the stack has been created.

Step 11

Create the Auto Scale Stack.

  1. In the Alibaba Cloud ROS console, click Templates > My Templates.

  2. Click Create Stack in the auto scale template row.

  3. In the Use New Resources (Standard) page, enter the Stack Name and any other required parameters.

  4. Click Create.

  5. (Optional) Click the Events tab and toggle Auto-refresh to watch the stack resources being created in real time. You can also click the Refresh icon to refresh the status of the events on this page. After all the resources have been created, Created is shown next to Status in the Stack Information tab, which signifies that the stack has been created.

You have now created all the required resources and deployed the ASA virtual auto scale solution on Alibaba Cloud.


Deployment Verification for the Auto Scale Solution on Alibaba Cloud

In the Alibaba Cloud Auto Scaling console, click Auto Scaling > Scaling Groups to display the deployed auto scaling group.

Logs for the Auto Scale Solution on Alibaba Cloud

To display the logs after deployment, go to Alibaba Cloud Homepage > Services > Service details > Functions > Function details > Logs > Function Logs. You can see the logs here to check the progress of the scale-out and scale-in functions.

You can see the licensing method along with the feature tier and throughput levels on the ASA virtual instances.

Troubleshooting for the Auto Scale Solution on Alibaba Cloud

  • Issue: Unable to SSH to the ASA virtual instance

    Troubleshooting: Ensure that the password of the ASA virtual instance is correct in the environment variables.

  • Issue: Unable to import the module index or the ‘module not found’ message is displayed in the Alibaba Cloud Function logs.

    Example:

    {'errorMessage': "Unable to import module 'index'", 'errorType': 'ImportModuleError',
    'stackTrace': ["ModuleNotFoundError: No module named 'aliyunsdkslb'"]}

    Troubleshooting: Ensure that the slb layer is attached to your function.


    Note: The issue and the troubleshooting steps are similar for the other layers in the function.

  • Issue: License Registration Failed

    Troubleshooting:

    • Ensure that the License ID token is correct.

    • Ensure that the ASA virtual can reach the CSSM.

    • Check the number of available licenses in the Smart Licensing Virtual Account.
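The ImportModuleError record above is printed by Function Compute as a Python dict literal, and the same pattern recurs for every layer dependency that is not attached. The following triage helper is an added example, not Cisco's code: it parses such records out of the Function Logs lines and reports, per missing module, which pip package (and therefore which layer) has to be attached. The log lines are constructed, and the module-to-package table is an assumption based on the standard names of the Alibaba Cloud Python SDK packages and cryptography.

```python
import ast
import re

# Constructed sample of lines as they appear in Function Logs. Error records
# are Python dict literals, which is why ast.literal_eval is used, not json.
SAMPLE_LOG_LINES = [
    "2024-01-01T00:00:00Z FC Invoke Start RequestId: 00000000-constructed",
    """{'errorMessage': "Unable to import module 'index'", 'errorType': 'ImportModuleError', """
    """'stackTrace': ["ModuleNotFoundError: No module named 'aliyunsdkslb'"]}""",
    """{'errorMessage': "Unable to import module 'index'", 'errorType': 'ImportModuleError', """
    """'stackTrace': ["ModuleNotFoundError: No module named 'aliyunsdkcore.client'"]}""",
    "2024-01-01T00:00:01Z FC Invoke End RequestId: 00000000-constructed",
]

# Import name -> pip distribution that provides it. Assumed mapping built from
# the standard package names of the Alibaba Cloud Python SDK and cryptography.
MODULE_TO_PACKAGE = {
    "aliyunsdkcore": "aliyun-python-sdk-core",
    "aliyunsdkslb": "aliyun-python-sdk-slb",
    "aliyunsdkecs": "aliyun-python-sdk-ecs",
    "aliyunsdkess": "aliyun-python-sdk-ess",
    "cryptography": "cryptography",
}

_MISSING_RE = re.compile(r"No module named '([A-Za-z0-9_.]+)'")


def parse_error_record(line):
    """Return the error record dict for a Function Compute error line, else None."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        rec = ast.literal_eval(line)
    except (ValueError, SyntaxError):
        return None
    return rec if isinstance(rec, dict) and "errorType" in rec else None


def missing_module(record):
    """Top-level module named in a ModuleNotFoundError frame, or None."""
    if record.get("errorType") != "ImportModuleError":
        return None
    for frame in record.get("stackTrace", []):
        m = _MISSING_RE.search(frame)
        if m:
            # 'aliyunsdkcore.client' is provided by the top-level package aliyunsdkcore.
            return m.group(1).split(".")[0]
    return None


def layer_packages_to_attach(lines):
    """Scan log lines and return {module: pip package} for every layer
    dependency the function could not import, so the right layer can be attached."""
    needed = {}
    for rec in filter(None, map(parse_error_record, lines)):
        module = missing_module(rec)
        if module:
            needed[module] = MODULE_TO_PACKAGE.get(module, "<unknown package>")
    return needed
```

Feed it the Function Logs lines of the scale-out or scale-in function; each module it returns should appear in requirements.txt of the layer that is attached to that function.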