Imperva Cyber Community

  • 1.  How to install MXHA in AWS

    Posted 03-25-2023 06:57

    Hi,

    We deployed 2 AVM150 Imperva MXs in AWS and need to install high availability.

    When I input the command (impctl server ha install), it requires the mandatory parameter --elb-name.

    And after I input the name of a network load balancer (listener TCP 1234, health check TCP 50007, targets on the 2 MX instances), it gives the error message "Cannot find Load Balancer".

    I ran netstat on the MX server and I can see the MX does not have port 1234 or 50007.

    Can anyone advise on how to install MXHA (impctl server ha install) on 2 MX servers (BYOL) on AWS?

    Thanks in advance,

    Thomas


    #DatabaseActivityMonitoring

    ------------------------------
    Thomas Lim
    IT Consultant
    NCS Pte. Ltd.
    Singapore
    ------------------------------


  • 2.  RE: How to install MXHA in AWS

    Posted 03-27-2023 09:32

    Hi Thomas,

    If the high availability template for the MX is used when deploying then all should go smoothly.

    If you're in a situation where you cannot redeploy, you may be able to adjust the Security Group to allow for the appropriate ports. 

    https://cloud-template-tool-app-security.imperva.com/ 



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------



  • 3.  RE: How to install MXHA in AWS

    Posted 03-27-2023 11:24
    Edited by Thomas Lim 03-27-2023 11:28

    Hi Jaired,

    Yes, but I am using the Imperva DAM 14.10.1.10 Cloud Formation Tool.

    And I noticed that every time, the stacks stop at MxWaitCondition.

    This causes the CFT-deployed MX to be not running, and the HA status is not running. Below is the "impctl show log" output right after the CFT deployment.

    Please enlighten me on how I can resolve this issue.

    Thanks,

    Thomas



    ------------------------------
    Thomas Lim
    IT Consultant
    NCS Pte. Ltd.
    Singapore
    ------------------------------



  • 4.  RE: How to install MXHA in AWS

    Posted 03-28-2023 09:37

    Hi Thomas,

    Two questions:

    1. Are you entering the DNS name of the ELB into the Cloud Template?
    2. Do the subnets in which the MXs are deployed both have a route to a NAT-GW for outbound internet access?

    Thanks.



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------



  • 5.  RE: How to install MXHA in AWS

    Posted 03-28-2023 10:21

    Hi Jaired,

    1. No, currently only testing on the MX. During the selection of DAM products, I only select DAM MXHA (BYOL).
    2. Yes, I have created an internet gateway for the VPC that holds the Imperva MX.

    When I look at "impctl show logs" on the MX, it says the Secure password is not in sync with the Database password. Doesn't the CFT have a password length setting for the Secure password when the user enters the password? However, the MX shows the following logs. I feel something is wrong here. This happens every time and causes the MX to be "not running" when I SSH in.



    ------------------------------
    Thomas Lim
    IT Consultant
    NCS Pte. Ltd.
    Singapore
    ------------------------------



  • 6.  RE: How to install MXHA in AWS

    Posted 03-29-2023 11:04

    Hi Thomas,

    If you deploy a single MX, (with the single MX template) does it succeed?

    It's been my experience with AWS deployments that every single step must succeed or the deployment will be in a "limbo" state. For example, it might be failing the HA deployment because it cannot find the ELB.   

    Please see: https://docs.imperva.com/bundle/v14.7-waf-on-amazon-aws-byol-installation-guide/page/58647.htm

    If the DNS name for the ELB is not entered into the template, the MX will not be able to find it. 



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------



  • 7.  RE: How to install MXHA in AWS

    Posted 03-29-2023 11:19

    Hi Jaired,

    Single MX deployment works without issue.

    Yes, I am wondering if the community has experienced any issues deploying MXHA in AWS too.

    The CFT didn't ask for the DNS name of the ELB. The CFT will create the ELB. I think the statement is for a gateway registering to the MX.



    ------------------------------
    Thomas Lim
    IT Consultant
    NCS Pte. Ltd.
    Singapore
    ------------------------------



  • 8.  RE: How to install MXHA in AWS

    Posted 03-31-2023 11:21

    Hi Thomas,

    I am attempting to deploy this in my AWS lab. In the meantime, I would suggest opening a ticket with Support. 

    https://www.imperva.com/support/technical-support/ 



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------



  • 9.  RE: How to install MXHA in AWS

    Posted 03-31-2023 12:16

    Hi Thomas,

    I was able to successfully deploy via the MXHA template in my AWS Lab.

    The first deployment initially failed due to a wait condition.

    Note that the rollback will fail because the MXs are configured with Termination protection.

    After further examination of my environment, I determined that I didn't have a proper outbound config and routing table applied (for IGW and NATGW).


    I corrected the routing table and redeployed successfully.



    The password I set for the test deployment for all accounts is 8 characters, upper and lowercase, number present, special character present. 

    I recommend comparing your password against the criteria defined at: https://docs.imperva.com/bundle/v14.7-waf-management-server-manager-user-guide/page/6782.htm 



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------
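
The routing question raised in post 4 and the routing-table fix described in post 9 can be checked before redeploying. The following is an added example, not code from Imperva or from either poster: it resolves which route table each MX subnet actually uses (falling back to the VPC main table when there is no explicit association) and reports whether an active default route points at an IGW or NAT gateway. The input is assumed to have the shape of `aws ec2 describe-route-tables` output; the sample data and all IDs are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# All IDs are made up for illustration.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
   "Associations": [{"Main": false, "SubnetId": "subnet-mx1"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"}]},
  {"RouteTableId": "rtb-broken", "VpcId": "vpc-1",
   "Associations": [{"Main": false, "SubnetId": "subnet-mx3"}],
   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0dead", "State": "blackhole"}]}
]}
""")

def default_route_target(table):
    """Return the IGW/NAT target of an active 0.0.0.0/0 route, else None."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") != "active":   # e.g. "blackhole": target was deleted
            continue
        target = route.get("NatGatewayId") or route.get("GatewayId", "")
        if target.startswith(("nat-", "igw-")):
            return target
    return None

def outbound_path(doc, vpc_id, subnet_id):
    """Resolve the route table a subnet uses and report its outbound target."""
    tables = [t for t in doc["RouteTables"] if t.get("VpcId") == vpc_id]
    explicit = [t for t in tables
                if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", []))]
    # A subnet with no explicit association uses the VPC's main route table.
    main = [t for t in tables if any(a.get("Main") for a in t.get("Associations", []))]
    chosen = (explicit or main or [None])[0]
    if chosen is None:
        return (None, None)
    return (chosen["RouteTableId"], default_route_target(chosen))

if __name__ == "__main__":
    for subnet in ("subnet-mx1", "subnet-mx2", "subnet-mx3"):
        print(subnet, outbound_path(SAMPLE, "vpc-1", subnet))
```

A subnet that reports `None` as its target has no usable outbound path: either the table it resolves to lacks a default route, or the route is in a blackhole state.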