SMA 8200v Azure/AWS Deployment Guidelines
09/07/2020 
8 
6499
DESCRIPTION:
Accessing Azure and AWS Images
- Azure
The SMA1000 8200v image is available from the Azure Marketplace:
- Go to the Azure Marketplace at https://azuremarketplace.microsoft.com
- Search for SMA 8200v in the Search bar.
After obtaining the image, installation can proceed as outlined in the SMA and CMS on Azure Getting Started Guide.
- AWS
On AWS the SMA 8200v AMI is available as a public Shared AMI.
. The steps needed to launch a new instance of this AMI from the EC2 Console are as follows:- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose AMIs.
- In the first filter, choose Public images. Then enter the search string "SMA 8200v" in the Search bar.
- There should be two Public images found: "SonicWall SMA 8200v Virtual Appliance 12.4.0-xxxxx" and "SonicWall SMA 8200v Virtual Appliance 12.4.0-xxxxx (tiny)". Use the full image for most purposes, including full scale trials and production deployments. Use the "(tiny)" image only for very small trials and demos. It is sharply constrained in order to be compatible with AWS free tier accounts.
- Select the desired image and choose Launch.
From this point installation can proceed as outlined in the SMA and CMS on AWS Getting Started Guide.
Choosing Cloud Instance Types
The following recommendations are intended as guidelines to instance type selection, derived from extensive lab-based testing and analysis. It is extremely important to keep in mind that inherent differences in deployment-specific usage patterns may necessitate use of larger, or smaller, instance types than these general-purpose recommendations.
Azure
| Expected User Count | Recommended Instance Type | Specs |
| up to 500 | F2 | 2 core, 4GB RAM |
| up to 2000 | F4s_v2 | 4 core, 8GB RAM |
| up to 5000 | F8s_v2 | 8 core, 16GB RAM |
AWS
| Expected User Count | Recommended Instance Type | Specs |
| up to 600 | c5.large* | 2 vCPU, 4GB RAM |
| up to 1000 | c5.xlarge | 4 vCPU, 8GB RAM |
| up to 3000 | c5.2xlarge | 8 vCPU, 16GB RAM |
NOTE: * c5 usage and performance numbers are valid ONLY with the April HF AMI (available by the end of April 2020).
Specifying Tunnel Address Pools
In traditional datacenter deployments the most commonly used method for managing tunnel client addressing is "Routed address pool (Dynamic)", a DHCP-driven model. However, DHCP restrictions enforced by both AWS and Azure within their virtual infrastructures cause this model to be impractical to use in those environments. This leaves two primary alternatives for use in cloud deployments - "Routed address pools (Static)" and "Translated address pools (Source NAT)". For most cloud deployments the first option, Static pools, is the recommended method.
Routed address pool (Static)
Static address pools allow for every tunnel client to have an independent and distinct IP address, and this type of supports very large pool sizes in order to maximize the number of tunnels that a particular instance will support. As when running in ESXi and HyperV deployments this is expected to support up to 5000 concurrent clients in most cases.
For compatibility with Azure and AWS environments this type of addressing will require additional configuration within the specific cloud environment as outlined here:
- Azure
Please perform the following in the Azure management portal:- IP forwarding must be manually enabled on the appliance's virtual network interface.
- A route table must be created and attached to the appliance's subnet, and a route must be added with an address prefix equal to the static IP pool range, and the next hop set to the appliance's private IP address.
- AWS
Please perform the following in the AWS management portal:- Disable Src/Dest Check on the appliance's ENI adapter.
- Create a VPC for the tunnel IP pool. The CIDR range must not overlap with the VPC the appliance is in.
- Create a VPC peering connection between the appliance's VPC and the tunnel pool VPC.
- Add a route to appliance VPC's route table with the destination set to the static IP pool CIDR and the target as the appliance's ENI adapter.
Note that there is an AWS-imposed pricing caveat to be aware of - the required VPC peering connection has a data transfer charge of $0.01/GB for data transfer in both directions.
Translated address pool (Source NAT)
While convenient to set up and manage, Source NAT pools have several attributes that limit suitability except in very specific situations.
Due to inherent NAT limitations (source port exhaustion) the number of individual user tunnels that can be managed is limited to approximately 500 or fewer per SMA appliance. Deployments that expect to scale beyond this number will need to be designed as a GTO cluster with the count of managed nodes derived from the expected user count. It is recommended to target a 250-300 max tunnels per appliance in order to leave a safe margin.
There may be applications that do not run well in NAT environments.
On both AWS and Azure the NAT IP address must be explicitly added to the appliance's virtual network interface as follows:
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
