CloudWatch high availability

Network Security provides the ability to publish CloudWatch metric data with information about the current state of the virtual appliance. With this metric data, set up and configure a CloudWatch alarm to activate high availability in your network environment.

Set up a CloudWatch alarm

Navigate to the SNS Dashboard.
Click Topics → Create topic. Create the two SNS topics described below. Learn more about SNS.
- SNS topic for instance failures: Receives the notifications for instance failures from the CloudWatch alarm.
- SNS topic for missing data: SNS topic for missing data in an instance.
Navigate to the CloudWatch Dashboard, and then click Alarms → Create Alarm. This alarm sends notifications of the instance failure to the SNS topic created in step 2.
Click Select metric.
Under Custom Namespaces, select Network Security, then select InstanceID, and then click the checkbox for the Instance ID.
Click Select metric, and then enter the following parameters.
- Statistic: Maximum
- Period: Set as the same amount of time you chose for the cloudwatch-health period in Configure additional Network Security settings.
- Conditions:
- Threshold type: Static
- Whenever InstanceHealth is...: Greater/Equal
- than...: 3
- Additional configuration:
- Datapoints to alarm: 1 out of 1
- Missing data treatment: Treat missing data as missing
Click Next.
On the Configure actions page, set up the following notifications.
- Notification action:
- Whenever this alarm state is...: in Alarm
- Select an existing SNS topic: Select the SNS topic for instance failures created in step 2.
- Notification action:
- Whenever this alarm state is...: OK
- Select an existing SNS topic: Select the SNS topic for instance failures created in step 2.
- Notification action:
- Whenever this alarm state is...: in Insufficient data
- Select an existing SNS topic: Select the SNS topic for instance missing data created in step 2.
- EC2 action:
- Whenever this alarm state is...: in Alarm
- Take this action: Reboot this instance
Click Next.
Enter a name and description for the alarm, and then click Next.
Review the alarm information entered on the Preview page, then click Create alarm.

Create a lambda function

If you created the Security VPC stack before September 5th, 2023, we recommend that you manually update the Python runtime to version 3.10 and Node.js runtime to version 20.x for your AWS Lambda functions.

To manually update Python and Node.js runtime versions in the AWS console:

Navigate to the Lambda service page.
Select your Lambda function from the list.
Scroll down to Runtime Settings and click Edit.
Select Python 3.10 and Node.js 20.x from the drop-down menu of available runtimes, and then click Save.

Use the lambda function to bypass inspection, described in the steps below. Only one lambda function is required for all instances.

Navigate to IAM Dashboard and click Policies → Create policy.
Under Select a service below, enter Lambda.
Under Manual actions, select All Lambda actions.

Click on the JSON tab, then copy and paste the following permissions.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "LambdaLogging",
           "Effect": "Allow",
           "Action": [
               "logs:CreateLogGroup",
               "logs:CreateLogStream",
               "logs:PutLogEvents"
           ],
           "Resource": "arn:aws:logs:*:*:*"
       },
       {
           "Sid": "ReplaceRoutes",
           "Effect": "Allow",
           "Action": [
               "ec2:ReplaceRoute"
           ],

          "Resource": "*"
       }
     ]
   }

Click Review Policy, and enter the following parameters before clicking Create policy.
- Name: ec2-ReplaceRoute
- Description: Replaces routes to bypass inspection
Click Roles → Create roles, and choose Lambda for the service that will use this role.
Choose the ec2-ReplaceRoute policy for Attach permissions policies.
Enter BypassInspection_role for the role name, and click Create role.
Navigate to the Lambda Dashboard and click Create function.
On the Create function page, enter the following parameters.
- Function name: Enter a descriptive name.
- Runtime: Python 3.10
- Permissions: Select the BypassInspection_role.
Click Create function.
After you create the lambda function, make the following configuration changes.

Function code
- Code entry type: Edit code inline.
- Handler: lambda_function.change_routes
- Function code: Copy and paste the function code into the lambda function window, depending on the deployment option that you chose earlier in the deployment process. Find examples of lambda function code for each deployment option below.
Basic settings
- Memory: Upgrade as needed.
- Timeout: We recommend that you use a higher timeout value, like one minute. The timeout value you select might depend on the components in your network. For instance, if you have several workloads connected to Transit Gateways, increase the timeout value.
Navigate to the SNS Dashboard.
Click Topics, and then click on the name of the SNS topic that you created in set up a CloudWatch alarm.
Under Subscriptions, click Create subscription.
Enter the following parameters.
- Topic ARN: The ID of the SNS topic.
- Protocol: AWS Lambda
- Endpoint: The lambda function that you created.
Click Create subscription to subscribe your lambda function to your SNS topic.

Lambda function examples for bypass inspection

Use examples of lambda function code to put your Network Security instance on a CloudWatch alarm.

SNS topic for instance missing data: Contact your Trend Micro representative for this example.
HA Lambda: Contact your Trend Micro representative for this example.

Edit the code between the START OF CODE TO CHANGE and the END OF CODE TO CHANGE. Enter parameters in the code for instance IDs, route table IDs, VPC IDs, and gateway IDs.