
AWS VPN Capacity Expansion

Workflow #0008

This workflow demonstrates how to dynamically expand ASA head-end capacity using Amazon EC2 when an existing ASA has a VPN user load of 70% or more. When that threshold is reached, approval is requested using the built-in task/approval features of SecureX orchestration before anything is deployed to AWS.



  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed below
  • A Cisco Adaptive Security Appliance (ASA)
  • An Amazon Web Services account with EC2 permissions
  • (Optional) A Webex Teams access token and room name to post messages to

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!

Workflow Steps

  1. Attempt to locate the Webex Teams room and get its ID
  2. SSH to the target ASA and get its VPN device load
  3. Check whether or not the load is 70% or more
    • If the load is less than 70%, end the workflow
    • If the load is 70% or more:
      • Create an approval task
      • Post a message to Webex Teams indicating an approval is required
      • When a response is received, continue
      • If the request was approved, deploy a new ASAv using the AWS EC2 API and post a confirmation to Webex Teams with the new public IP address
      • If the request was denied, post a message to Webex Teams indicating the denial
      • If the request expired, post a message to Webex Teams indicating the request was not acted on
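
The gating logic in steps 2 and 3, as an added example that is not part of the original workflow or Cisco's code. It assumes the load is read from the "Device Load" line of ASA `show vpn-sessiondb summary` output (the page does not name the command); the function names and action labels are hypothetical, and the sample output is constructed. Unparseable output and unknown approval states end the run without deploying.

```python
import re

LOAD_THRESHOLD = 70  # percent, from the workflow description

# Constructed sample, shaped like the tail of ASA "show vpn-sessiondb summary"
# output (assumed to be the command behind step 2; the page does not name it).
SAMPLE_OUTPUT = """\
Total Active and Inactive    :    182             Total Cumulative :   4310
Device Total VPN Capacity    :    250
Device Load                  :    73%
"""

_LOAD_RE = re.compile(r"^Device Load\s*:\s*(\d{1,3})%\s*$", re.MULTILINE)


def parse_device_load(cli_output):
    """Return the load percentage, or None if it is absent or implausible."""
    matches = _LOAD_RE.findall(cli_output)
    if len(matches) != 1:          # missing or duplicated line: do not guess
        return None
    load = int(matches[0])
    return load if 0 <= load <= 100 else None


def next_action(cli_output, approval=None):
    """Map the inputs of steps 2 and 3 to one workflow action (hypothetical labels).

    approval is None before a task exists, else 'approved', 'denied' or 'expired'.
    """
    load = parse_device_load(cli_output)
    if load is None:
        return "end:unparsed_load"       # fail closed, never deploy on bad data
    if load < LOAD_THRESHOLD:
        return "end:below_threshold"     # a stale approval cannot force a deploy
    if approval is None:
        return "request_approval"
    if approval == "approved":
        return "deploy_asav"
    if approval == "denied":
        return "notify_denied"
    if approval == "expired":
        return "notify_expired"
    return "end:unknown_approval_state"  # unexpected value: no deployment
```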


  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • Set the SecureX Region local variable (default: us)
  • Set the Task Approver local variable to the email address of the person who should approve requests from this workflow
  • Update the Create deployment approval request activity with a Task Requestor and Task Owner (the approver is defined in the local variable). You can also change the due date time (default: 1 hour) and expiration time (default: 1 hour) if you want
  • Update the Create ASA instance in EC2 activity with:
    • The AMI Image ID of the AMI you want to be instantiated
    • The Security Group ID(s) you want the instance added to
    • The Keypair Name of the authentication key pair this instance should use
    • The Instance Type to create (default: m4.large)
  • See this page for information on configuring the workflow for Webex Teams


Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| ASA VPN Target | Terminal Endpoint | Configured for your ASA | Account key for your ASA | |
| AWS EC2 Target | AWS Endpoint | Configured for your AWS account | Account key for your AWS account | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Path: None | None | Not necessary if Webex Teams activities are removed |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| (varies) | AWS Credentials | Username: Client ID; Password: Client Secret | |
| (varies) | Terminal Key-Based Credentials / Terminal Password-Based Credentials | Depends on target type | |