On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

AWS VPN Capacity Expansion

Workflow #0008

This workflow demonstrates the ability to dynamically expand Cisco Adaptive Security Appliance (ASA) head end capacity using Amazon EC2 when an existing ASA has a VPN user load of 70% or more. If the load is 70% or more, approval is requested using the built-in task/approval features within SecureX orchestration before the Amazon Web Services (AWS) deployment takes place.



Change Log

  • Nov 24, 2020 - Initial release
  • Sep 10, 2021 - Updated to use the new system atomics
  • Aug 31, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Adaptive Security Appliance (ASA)
  • Cisco Webex
  • Amazon Web Services (AWS)

Workflow Steps

  1. Attempt to locate the Webex room and get its ID
  2. SSH to the target ASA and get its VPN device load
  3. Check whether or not the load is 70% or more
    • If the load is less than 70%, end the workflow
    • If the load is 70% or more:
      • Create an approval task
      • Post a message to Webex indicating an approval is required
      • When a response is received, continue
      • If the request was approved, deploy a new ASAv using the AWS EC2 API and post a confirmation to Webex with the new public IP address
      • If the request was denied, post a message to Webex indicating the denial
      • If the request expired, post a message to Webex indicating the request was not acted on
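The load check and the three approval outcomes from steps 2 and 3, as an added Python example that is not part of this workflow or repository: it assumes the load is read from the `Device Load` line of the ASA's `show vpn-sessiondb` output (the workflow does not name the command), and the AMI, security group and key pair values are placeholders for the ones you set in the Configuration section.

```python
import re
from typing import Optional

# Constructed sample of the summary that ends the output of the ASA command
# "show vpn-sessiondb"; reading the load from this line is an assumption, the
# workflow only says it fetches the VPN device load over SSH.
SAMPLE_SESSIONDB = """\
VPN Session Summary
---------------------------------------------------------------------------
  AnyConnect Client          :     720 :      9031 :         750 :        0
---------------------------------------------------------------------------
Device Total VPN Capacity    :    1000
Device Load                  :     72%
---------------------------------------------------------------------------
"""

LOAD_THRESHOLD = 70                  # percent; approval is required at 70% or more
DEFAULT_INSTANCE_TYPE = "m4.large"   # the EC2 activity's default in Configuration

_LOAD_RE = re.compile(r"^\s*Device Load\s*:\s*(\d+)\s*%", re.MULTILINE)

def parse_device_load(output: str) -> int:
    """Step 2: extract the 'Device Load' percentage from the ASA output."""
    match = _LOAD_RE.search(output)
    if match is None:
        raise ValueError("no 'Device Load' line found in ASA output")
    return int(match.group(1))

def needs_approval(load_pct: int, threshold: int = LOAD_THRESHOLD) -> bool:
    """Step 3: below the threshold the workflow ends, otherwise ask for approval."""
    return load_pct >= threshold

def ec2_launch_params(ami_id: str, security_group_ids: list, keypair_name: str,
                      instance_type: str = DEFAULT_INSTANCE_TYPE) -> dict:
    """Keyword arguments for boto3's ec2.run_instances(), built from the values
    the Configuration section asks you to set on the 'Create ASA instance' activity."""
    return {"ImageId": ami_id, "SecurityGroupIds": list(security_group_ids),
            "KeyName": keypair_name, "InstanceType": instance_type,
            "MinCount": 1, "MaxCount": 1}

def outcome_message(outcome: str, public_ip: Optional[str] = None) -> str:
    """Webex text for the approved / denied / expired branches of the task."""
    if outcome == "approved":
        return f"ASAv deployment approved; new instance public IP: {public_ip}"
    if outcome == "denied":
        return "ASAv deployment request was denied."
    if outcome == "expired":
        return "ASAv deployment request expired without being acted on."
    raise ValueError(f"unknown approval outcome: {outcome}")
```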

Configuration

  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • Set the Task Approver local variable to the email address of the person who should approve requests from this workflow
  • Update the Create deployment approval request activity with a Task Requestor and Task Owner (the approver is defined in the local variable). You can also change the due date time (default: 1 hour) and expiration time (default: 1 hour) if you want
  • Update the Create ASA instance in EC2 activity with:
    • The AMI Image ID of the AMI you want to be instantiated
    • The Security Group ID(s) you want the instance added to
    • The Keypair Name of the authentication key pair this instance should use
    • The Instance Type to create (default: m4.large)
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

  • ASA VPN Target
    • Type: Terminal Endpoint
    • Details: Configured for your ASA
    • Account Keys: Account key for your ASA
  • AWS EC2 Target
    • Type: AWS Endpoint
    • Details: Configured for your AWS account
    • Account Keys: Account key for your AWS account
  • Webex Teams
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: webexapis.com; Path: None
    • Account Keys: None

Account Keys

  • (varies)
    • Type: AWS Credentials
    • Details: Username: Client ID; Password: Client Secret
  • (varies)
    • Type: Terminal Key-Based Credentials OR Terminal Password-Based Credentials
    • Details: Depends on target type