In Amazon AWS, the Sophos UTM 9 VPN appliance is one of the most widely used tools for both Site-to-Site VPN connectivity and Remote Access VPN (SSL/IPSec). Site-to-Site VPN supports connectivity between AWS Regions, or between an AWS Region and an on-prem network, over the IPSec protocol. Sophos has very good AWS Marketplace support.
So far, I have done at least 20-25 Sophos UTM 9 VPN deployments for various customers, covering both Site-to-Site VPN tunnels and Remote Access solutions, over the last 3-4 years.
However, I recently received an interesting e-mail from one of our customers: one of his vendors uploads 5-7GB zip files very frequently, and the upload is very slow.
So we decided to do further analysis, and in the course of it we found a few interesting facts about Sophos UTM 9 and AWS EC2 instances, which I thought were worth sharing.
Analysis Phase 1:
- The instance type used for the Sophos UTM 9 is c3.8xlarge, which has High Network Performance (10 Gigabit Ethernet)
- The vendor who is uploading the files reports that it takes around 10-12 times as long, every time
- The vendor is using a 10Gb internet pipe from his office
- The vendor is uploading the same zip files to some other clients in less than 3 minutes
Analysis Phase 2:
- On the Sophos VPN instance we have seen, on average, a minimum of 15-18 remote SSL VPN connections and 3-4 active Site-to-Site connections at all times
- On the Sophos VPN instance, we have not enabled any sort of network throttling that limits Network In/Out
- Instance CPU and memory were under control, at less than 10-12%
- Network In/Out was throttled at 128 MB/sec (this is what caught my eye)
AWS Support Help
So we decided to raise an AWS Support case to understand why Network In/Out was throttled at 128 MB/sec when the instance has 10 Gigabit Ethernet (High Performance Networking).
AWS Support responded that Enhanced IO Networking was not enabled at the OS level on the instance. Although the instance type supports High Network Performance, without Enhanced IO Networking enabled in the OS it won't give you the expected network performance.
Until then, I had been under the impression that the instance would provide at least 50-60% of the advertised networking speed on its own, and that Enhanced IO Networking would only further improve it. But I was wrong.
Sophos UTM Support Help
After the AWS response, we raised a support case with Sophos UTM Support and asked them to help us enable Enhanced IO Networking, since the Sophos UTM 9 instance is a black box for everyone.
Surprisingly, Sophos responded that they currently do not support Enhanced IO Networking in Amazon AWS. It is in their plan and will be rolled out in the next few quarters across all regions. They did say that they support HVM instance types in Sophos UTM Autoscaling, but that left us unsure about Enhanced IO Networking support.
So, I would advise that the next time you plan to deploy Sophos UTM 9 on Amazon AWS, you do an end-to-end network IO performance test on the chosen instance type. Understand the limitations on both the AWS and Sophos sides regarding Enhanced Networking, support for the latest instance types, and HVM virtualization.
It is always good to enable Enhanced IO Networking and EBS-Optimized for all supported instance types in your AWS environments. Please see this link for the list of instance types that support Enhanced IO Networking, and for the process of verifying and enabling the feature.
Hope this information helps with your Sophos deployments on Amazon AWS.
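The OS-level check AWS Support referred to comes down to which network driver the guest is actually using. The script below is an added example written for this post, not code from Sophos or AWS: it reads the `driver:` field from `ethtool -i` output and reports whether the interface is on an Enhanced Networking driver (ixgbevf for the Intel 82599 VF used by C3-era instances, ena for newer families) or still on the Xen paravirtual driver. The two sample outputs are constructed for the demonstration; the `check_live_interface` function runs the real `ethtool` on a host where you have a shell, which the post notes you do not have on the Sophos appliance itself.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an EC2 instance's
# network interface is actually using an Enhanced Networking driver at the OS
# level. A driver of "vif" or "xen_netfront" means the guest is still on the Xen
# paravirtual path, whatever the instance type advertises. The instance-side
# flag can be checked separately with the real AWS CLI command
#   aws ec2 describe-instance-attribute --instance-id <INSTANCE_ID_PLACEHOLDER> --attribute sriovNetSupport
# but both ends must agree before you get the advertised throughput.

# Constructed sample of `ethtool -i eth0` from a guest still on the Xen PV driver.
SAMPLE_PV_OUTPUT='driver: vif
version:
firmware-version:
bus-info: vif-0
supports-statistics: yes'

# Constructed sample from a guest with the Intel 82599 VF (SR-IOV) driver loaded.
SAMPLE_SRIOV_OUTPUT='driver: ixgbevf
version: 2.16.1
firmware-version: N/A
bus-info: 0000:00:03.0
supports-statistics: yes'

# driver_from_ethtool ETHTOOL_OUTPUT
# Prints the value of the "driver:" line from `ethtool -i <iface>` output.
driver_from_ethtool() {
  printf '%s\n' "$1" | awk -F': *' '$1 == "driver" { print $2; exit }'
}

# enhanced_networking_status DRIVER_NAME
# Maps the driver name to a verdict a practitioner can act on.
enhanced_networking_status() {
  case "$1" in
    ixgbevf)          echo "enhanced (Intel 82599 VF / SR-IOV)" ;;
    ena)              echo "enhanced (Elastic Network Adapter)" ;;
    vif|xen_netfront) echo "NOT enhanced (Xen paravirtual driver)" ;;
    '')               echo "unknown (no driver line in ethtool output)" ;;
    *)                echo "unknown driver: $1" ;;
  esac
}

# check_live_interface [IFACE]
# Runs the real ethtool (must be installed) against a live interface, default eth0.
check_live_interface() {
  iface="${1:-eth0}"
  out=$(ethtool -i "$iface" 2>/dev/null) || { echo "ethtool failed for $iface"; return 1; }
  enhanced_networking_status "$(driver_from_ethtool "$out")"
}

# Demonstration on the constructed samples.
echo "PV sample:     $(enhanced_networking_status "$(driver_from_ethtool "$SAMPLE_PV_OUTPUT")")"
echo "SR-IOV sample: $(enhanced_networking_status "$(driver_from_ethtool "$SAMPLE_SRIOV_OUTPUT")")"
```

Run the driver check on the instance you control, then pair it with the end-to-end throughput test the post recommends, for example an iperf3 run across the tunnel, so that the driver verdict and the measured rate are compared side by side rather than trusting the instance type's headline figure.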