Configuring AWS HA for External S-TAPs

Include External S-TAPs in your existing Amazon AWS high availability (HA), or failover, configuration.

If your site uses Amazon AWS that is configured for high availability (HA), or failover, Guardium® recommends that you include External S-TAPs in your existing HA configuration. Include External S-TAPs in your existing failover scenario by integrating with either Elastic Load Balancer, Route 53, or both. To integrate External S-TAPs in your failover scenario, you can:
  • Add multiple External S-TAP® instances behind your load balancer for active-active failover.
  • Use your DNS server to deploy active-passive failover for External S-TAP instances.
Note: Guardium assumes that your site is already using HA configuration with Amazon AWS. For more information about using an HA configuration with Amazon, see the Amazon Route 53 Developer Guide (and other Amazon and AWS documentation). Because your configuration is based on your specific requirements, Guardium can provide only general guidance for how to configure HA and failover for your site.


To use External S-TAPs in an HA environment, the following applications must be deployed inside your AWS service, along with any web services:
  • Amazon EC2 and Relational Database Service (RDS).
  • AWS Identity and Access Management (IAM): Assign appropriate roles to run Lambda functions.
  • Amazon Route 53: Provides domain registration, DNS routing, and health checking.
  • Amazon CloudWatch: Monitors services and provides actionable insights and alerts.
  • Health Check (AWS ELB): Monitors registered instances to ensure that the load balancer sends requests only to healthy instances.
  • Amazon Simple Notification Service (SNS): Provides messaging services between CloudWatch Alarm and Lambda functions.
  • Amazon Lambda: A serverless platform that the failover mechanism uses to provide a trigger point to maintain firewall rules.
  • AWS Elastic Load Balancing (ELB): Automatically distributes traffic between multiple External S-TAP instances for load balancing and active-active failover. ELB also acts as the entry for the External S-TAP micro service.

Configuring failover for External S-TAP

The following instructions assume that you are familiar with Amazon AWS for HA and failover for other applications.

  1. In Route 53, register for a domain name and create health check rules as needed, including checks to monitor CloudWatch alarms.
    • Health check constantly monitors traffic through the External S-TAP.
    • If the failure rate for a health check rule exceeds the configured threshold, health check triggers an alarm or events.
  2. Configure SNS and CloudWatch as needed. When an alarm is triggered, CloudWatch alarms and SNS notifications update the DNS record and the access control list rules. In addition, you can set SNS to notify IT or other personnel. In Route53, you can configure CloudWatch to monitor the health checks.
  3. In the EC2 Management Console, create and configure a Security Group specifically for the External S-TAP. To provide flexibility in managing firewall rules, Guardium recommends that you also create security groups for the load balancer, PostgreSQL client, and PostgreSQL server domains.
  4. Route 53 reroutes the DNS servers when a server fails. The DNS server updates the record according to the status of the alarm. Configure Route 53 to:
    • Create a policy record to route the entry domain to a different domain based on the status of the CloudWatch alarm.
    • In your DNS, find or create the following domains:
      • A domain for the load balancer. For failover, specify this domain as the primary domain. The endpoint for this domain is available from AWS > Amazon RDS > Databases > <your_dbaas>.
      • An entry domain of the policy record. Specify this domain as the secondary domain. The DNS name can be found from Amazon EC2 Management Console > Load Balancing > Load Balancers.
      • The DNS of the service endpoint in RDS. The domain name depends on your configuration. For instance, the name might be found in the Amazon Route 53 dashboard under Hosted Zones > Policy Records as the Policy Record DNS Name for the External S-TAP traffic policy.
  5. In AWS Lambda, create functions to update the access control list rules. Make sure that your Lambda functions have an IAM rule that has sufficient permissions.

After you add an External S-TAP to your HA configuration, CloudWatch monitors the External S-TAP along with your other applications.