AWS VPN Capacity Expansion
Workflow #0008
This workflow demonstrates the ability to dynamically expand Cisco Adaptive Security Appliance (ASA) head end capacity using Amazon EC2 if an existing ASA has VPN user load over 70%. If load is 70% or more, approval is requested using the built-in task/approval features within SecureX orchestration prior to Amazon Web Services (AWS) deployment.
Change Log
Date | Notes |
---|---|
Nov 24, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page:
  - Cisco Adaptive Security Appliance (ASA)
  - Cisco Webex
  - Amazon Web Services (AWS)
Workflow Steps
- Attempt to locate the Webex room and get its ID
- SSH to the target ASA and get its VPN device load
- Check whether or not the load is 70% or more
  - If the load is less than 70%, end the workflow
  - If the load is 70% or more:
    - Create an approval task
    - Post a message to Webex indicating an approval is required
    - When a response is received, continue
    - If the request was approved, deploy a new ASAv using the AWS EC2 API and post a confirmation to Webex with the new public IP address
    - If the request was denied, post a message to Webex indicating the denial
    - If the request expired, post a message to Webex indicating the request was not acted on
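The branching above (load check at 70%, approval task with approved/denied/expired outcomes, EC2 deployment only on approval) is easy to get subtly wrong, so here is the same logic as a stand-alone Python model. This is an added illustration, not code from the SecureX workflow or from Cisco. The ASA output it parses is constructed for the example (real ASA CLI output has a different layout), the `ami-PLACEHOLDER` / `sg-PLACEHOLDER` values are placeholders, and the EC2 request is assembled as the keyword arguments for boto3's `ec2.run_instances()` rather than executed, so the example runs offline. It also treats an unparsable load reading as "do not expand", which the workflow description does not spell out but which keeps a bad SSH read from ever creating an instance.

```python
"""Decision logic of the AWS VPN capacity-expansion workflow, as a stand-alone
Python model. Added illustration only: not SecureX orchestration code, and the
ASA output it parses is constructed, not real ASA CLI output."""
import re
from typing import Dict, List, Optional

LOAD_THRESHOLD_PCT = 70  # the 70% trigger described in the workflow

# Constructed sample of what the "get VPN device load" SSH step might return.
# Real ASA output has a different layout; adjust parse_vpn_load() accordingly.
SAMPLE_ASA_OUTPUT = """\
VPN device status
Device load : 73%
Active sessions : 1460
"""


def parse_vpn_load(output: str) -> Optional[int]:
    """Pull the device load percentage out of the SSH output; None if absent."""
    match = re.search(r"Device load\s*:\s*(\d{1,3})\s*%", output)
    return int(match.group(1)) if match else None


def expansion_required(load_pct: Optional[int],
                       threshold: int = LOAD_THRESHOLD_PCT) -> bool:
    """Branch taken by the workflow: 70% or more asks for approval, less ends it.
    A load that could not be parsed never triggers a deployment (assumption)."""
    return load_pct is not None and load_pct >= threshold


def build_run_instances_request(ami_id: str, security_group_ids: List[str],
                                keypair_name: str,
                                instance_type: str = "m4.large") -> Dict:
    """Assemble the keyword arguments for boto3's ec2.run_instances() from the
    inputs of the "Create ASA instance in EC2" activity. Returned instead of
    executed so the example runs offline; call ec2.run_instances(**request)."""
    if not ami_id or not keypair_name:
        raise ValueError("AMI Image ID and Keypair Name are required")
    if not security_group_ids:
        raise ValueError("at least one Security Group ID is required")
    return {
        "ImageId": ami_id,
        "SecurityGroupIds": list(security_group_ids),
        "KeyName": keypair_name,
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
    }


def approval_outcome_message(outcome: str, public_ip: Optional[str] = None) -> str:
    """Map the three approval-task outcomes to the Webex post the workflow makes."""
    if outcome == "approved":
        if not public_ip:
            raise ValueError("an approved deployment must report the new public IP")
        return f"ASAv deployment approved; new instance public IP: {public_ip}"
    if outcome == "denied":
        return "ASAv deployment request was denied; no capacity was added."
    if outcome == "expired":
        return "ASAv deployment request expired without a response; no capacity was added."
    raise ValueError(f"unknown approval outcome: {outcome!r}")


def run_workflow(asa_output: str, ec2_params: Dict,
                 approval_outcome: Optional[str] = None,
                 public_ip: Optional[str] = None) -> Dict:
    """Walk the workflow branches end to end and report what would happen.
    ec2_params carries the activity inputs (ami_id, security_group_ids,
    keypair_name, optional instance_type); approval_outcome stands in for
    the human response to the approval task (None = still waiting)."""
    load = parse_vpn_load(asa_output)
    result = {"load_pct": load, "approval_requested": False,
              "deploy_request": None, "message": None}
    if not expansion_required(load):
        return result  # below threshold: the workflow simply ends
    result["approval_requested"] = True
    if approval_outcome is None:
        return result  # waiting on the approver; nothing deployed yet
    if approval_outcome == "approved":
        result["deploy_request"] = build_run_instances_request(**ec2_params)
    result["message"] = approval_outcome_message(approval_outcome, public_ip)
    return result


if __name__ == "__main__":
    # Placeholder IDs; substitute the real AMI, security group and key pair.
    params = {"ami_id": "ami-PLACEHOLDER",
              "security_group_ids": ["sg-PLACEHOLDER"],
              "keypair_name": "asa-keypair"}
    print(run_workflow(SAMPLE_ASA_OUTPUT, params, "approved", "203.0.113.10"))
```

Keeping the EC2 call behind `build_run_instances_request()` mirrors the workflow's own ordering: the instance parameters are fixed up front, but nothing is created until a human has approved the task, and denial or expiry produce a Webex message and no API call.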
Configuration
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- Set the `Task Approver` local variable to the email address of the person who should approve requests from this workflow
- Update the `Create deployment approval request` activity with a `Task Requestor` and `Task Owner` (the approver is defined in the local variable). You can also change the due date time (default: 1 hour) and expiration time (default: 1 hour) if you want
- Update the `Create ASA instance in EC2` activity with:
  - The `AMI Image ID` of the AMI you want to be instantiated
  - The `Security Group ID(s)` you want the instance added to
  - The `Keypair Name` of the authentication key pair this instance should use
  - The `Instance Type` to create (default: `m4.large`)
  - The
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
ASA VPN Target | Terminal Endpoint | Configured for your ASA | Account key for your ASA | |
AWS EC2 Target | AWS Endpoint | Configured for your AWS account | Account key for your AWS account | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
(varies) | AWS Credentials | Username: Client ID; Password: Client Secret | |
(varies) | Terminal Key-Based Credentials OR Terminal Password-Based Credentials | Depends on target type | |