aws-transit-vpc
aws-transit-vpc copied to clipboard
PaloAltoNetworks
SQS FIFO queues only available in 4 regions
In the initializeTransitAccount.json cloudformation template the SQS setup requests to create a FIFO queue which limits the available regions you can deploy this stack to only the following regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland). Removing the fifoqueue = true and contentbaseddeduplication = true allowed us to continue in Sydney (AP-Southeast-2).
The reason we chose FIFO queues is to serialize messages. It is possible (maybe likely) that when you start deploying/deleting spoke VPCs at scale messages might be picked up out of order and it could cause issues with the solution.
I would love to get feedback based on your testing.
We have the same problem in Frankfurt. We have removed the 2 "true" statements but the paloaltos instances are not booted up. Did you do any extra steps to fix it? Thanks,
This may not work as we rely on FIFO queues to make sure the messages get serialized and so we don’t get messages out of order.
So that is why we mention that the solution is supported only where FIFO queues are supported.
Thanks,
/narayan From: SergiMajo [email protected] Reply-To: PaloAltoNetworks/aws-transit-vpc [email protected] Date: Tuesday, April 3, 2018 at 7:59 AM To: PaloAltoNetworks/aws-transit-vpc [email protected] Cc: Narayan Iyengar [email protected], Comment [email protected] Subject: Re: [PaloAltoNetworks/aws-transit-vpc] SQS FIFO queues only available in 4 regions (#3)
We have the same problem in Frankfurt. We have removed the 2 "true" statements but the paloaltos instances are not booted up. Did you do any extra steps to fix it? Thanks,
— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PaloAltoNetworks_aws-2Dtransit-2Dvpc_issues_3-23issuecomment-2D378280951&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=yaPPNRHFJOEqZ9-bfG64oiDWvBigyIWTnqkw0GQeLyU&m=XlVc1-jhYvss_ogjktknLkFiaKXlbsZKtawB650o0yY&s=pDtX_q8N-GF3tPEGiO1s5I8zqHMbP4d1IVvb0Omt45I&e=, or mute the threadhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_ARFcaQvgYScsR0tmWwlqOeMzY7Inlf-5Fdks5tk45WgaJpZM4SepLu&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=yaPPNRHFJOEqZ9-bfG64oiDWvBigyIWTnqkw0GQeLyU&m=XlVc1-jhYvss_ogjktknLkFiaKXlbsZKtawB650o0yY&s=xG-RJvSH4F31rFImXZ0sMeEtY13_TcCpR68Gug4IZLc&e=.
@SergiMajo There was a few other commands that needed to be removed as well inrelation to the SQS queues also the name it tries to generate as part of the stack was invalid.
Here is what I changed on my side when I was still using this stack to launch the transit vpc
Delete: "FifoQueue" : true, "ContentBasedDeduplication" : true,
Fix QueueNames invalid character by replacing "." with "-": "QueueName": {"Fn::Join": ["-", [{ "Ref": "AWS::StackName" }, "PriorityQueue.fifo"]]}, to "QueueName": {"Fn::Join": ["-", [{ "Ref": "AWS::StackName" }, "PriorityQueue-fifo"]]}, (note I stopped using this solution and only took parts out of the paGrp CFT to build 2x palo's rather than having the auto-vpn solution provided with this stack)
&
"QueueName": {"Fn::Join": ["-", [{ "Ref": "AWS::StackName" }, "NormalQueue.fifo"]]}, to "QueueName": {"Fn::Join": ["-", [{ "Ref": "AWS::StackName" }, "NormalQueue-fifo"]]},
Beyond this I stopped testing most of the solution and instead just used the paGrpCft.json to provision 2x Palo's in an existing VPC without using the autovpn function so cannot comment on how it works without FIFO queues etc.
Thank you very much. The name thing had it too, instead of.fifo it simply removed the.fifo because it gave a mistake that it only accepted alphanumeric characters, what's wrong with me is the VPN.
thank you!
Can you log into your firewall with username and password? If you cannot then bootstrapping wasn't successful. Please check your bootstrap files and make sure they are not corrupted
-- Thanks, /narayan
From: SergiMajo [email protected] Sent: Wednesday, April 4, 2018 1:59:18 AM To: PaloAltoNetworks/aws-transit-vpc Cc: Narayan Iyengar; Comment Subject: Re: [PaloAltoNetworks/aws-transit-vpc] SQS FIFO queues only available in 4 regions (#3)
Thank you very much. The name thing had it too, instead of.fifo it simply removed the.fifo because it gave a mistake that it only accepted alphanumeric characters, what's wrong with me is the VPN.
thank you!
— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PaloAltoNetworks_aws-2Dtransit-2Dvpc_issues_3-23issuecomment-2D378530728&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=yaPPNRHFJOEqZ9-bfG64oiDWvBigyIWTnqkw0GQeLyU&m=_ZtnCDGh3DGlYckQffcqXMmGGh3PBao3TofQiCyfKF4&s=bNoDE3oHCRzzdZqUFVVAOOS-mm8PLFtpL0rdONjfcaM&e=, or mute the threadhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_ARFcaX-5F21QbvFyR3Wz6G-5F5ld-5F6QnWG3Wks5tlItmgaJpZM4SepLu&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=yaPPNRHFJOEqZ9-bfG64oiDWvBigyIWTnqkw0GQeLyU&m=_ZtnCDGh3DGlYckQffcqXMmGGh3PBao3TofQiCyfKF4&s=nVF6RwrcgF_9kZxnO_zCWXAKWsN5q8vyXwayrb8VdAI&e=.
I'm trying to deploy in Frankfurt and i get SQS invalid attribute.
CREATE_FAILED | AWS::SQS::Queue | SQSPriorityFifoQueue | Unknown Attribute FifoQueue CREATE_FAILED | AWS::SQS::Queue | SQSNormalFifoQueue | Unknown Attribute FifoQueue.
I tried changing NormalQueue.fifo to NormalQueue-fifo but get error, ".fifo" extension is required.
Can someone please explain this? Thank you.
I have a path to deploy it in any region. Basically this patch creates FIFO queues at eu-west-1 region and all of the rest infrastructure goes to the region selected
