Table of contents
Topics on this page

Manually enabling HA Lambda

To minimize packet loss during an appliance upgrade, you must make sure that the appliance is out-of-line by enabling the High Availability Lambda function manually. Manually invoking HA Lambda is only possible if you are using AWS Edge deployment. Follow the steps below to manually take the appliance offline for Upgrade:

  1. Disable your Cloud Watch Alarms:
  2. Ensure you have the right credential to run AWS CLI (aws-adfs login first, if necessary)
  3. Run this command: aws cloudwatch disable-alarm-actions --alarm-names "CloudWatch Alarm Name”

  4. Verify that the "ActionsEnabled" field is false: aws cloudwatch describe-alarms --alarm-names "CloudWatch Alarm Name" | grep "ActionsEnabled"

  5. Manually invoke HA Lambda to modify routes to bypass the appliance.

Method 1: Via AWS Management Console

  1. Navigate to the AWS Lambda Functions page, and click on your HALambdaFunction to see function details.

  2. Click the orange TEST button under the Code source section to configure a test event.

  3. Select > Create new test event. The event template chosen, does not matter.

  4. Name the event "HALambdaInvoke".

  5. Delete the original template code, and paste the following code: 

    {
  "Records": [
    {
      "Sns": {
        "Message": "{\"NewStateValue\": \"ALARM\",\"Trigger\": {\"Dimensions\": [{\"value\": \"i-0000000000000000\",\"name\": \"InstanceId\"}]}}"
      }
    }
  ]
}

  6. Replace "i-0000000000000000" with your appliance instance id.

  7. Click on the orange TEST button to run the Lambda function.

  8. The log for the function can be found in the corresponding AWS CloudWatch log group. (Log group name should be the same as the Lambda function name.)

NOTE

To put the appliance back in line, repeat the steps above and replace the string "ALARM" with "OK".

Method 2: Invoke via AWS Command Line Interface

  1. Make sure you have the proper credentials to run AWS CLI command (aws-adfs login if necessary).
aws lambda invoke \
 --function-name My-HALambdaFunction-Name \
 --invocation-type Event \
 --payload '{"Records": [{"Sns": {"Message": "{\"NewStateValue\": \"ALARM\",\"Trigger\": {\"Dimensions\": [{\"value\": \"i-0000000000000000\",\"name\": \"InstanceId\"}]}}"}}]}' \
 response.json

  1. Replace "My-HALambdaFunction-Name" with your full HALambdaFunction name.

  2. Replace "i-0000000000000000" with your appliance instance id.

  3. The "response.json" is a required parameter for the command, but does not contain useful information.

  4. The log for the function can be found in the corresponding AWS CloudWatch log group. (Log group name should be the same as the Lambda function name.)

  5. Click Upgrade. Wait until Upgrade process is complete. On your Network Security Appliance page, the Version column of your appliance should show "Up to date".

  6. Re-enable CloudWatch alarms as described below:

    1. Run this command: aws cloudwatch enable-alarm-actions --alarm-names"CloudWatch Alarm Name”
    2. Verify the "ActionsEnabled" field is true: aws cloudwatch describe-alarms --alarm-names "CloudWatch Alarm Name" | grep "ActionsEnabled"

  7. To put the appliance back in line, repeat the steps above and replace the string "ALARM" with "OK".