We have a virtual ATD appliance. What are the options for High Availability / Clustering / any other redundancy solution?
In addition, is there a limit for the maximum number of VMs we can upload for sandboxing?
Re: HA\Cluster options for vATD + Number of max VM's
I should check into this forum more often, my apologies.
The HA/LB options for vATD are the same as for physical appliances, the code is the same. What is different of course is the form factor. As the vATD OVA is limited in size/resources, only a max. of 8 VMs as sandboxes is supported. That limit is also relevant for the cluster setup. As a cluster conducts a VM sync among the nodes, you cannot have differences between them. Every VM you create on the master gets synced across.
If I create a cluster with 4 nodes and I have 2 x Win7x64 + 6 x Win7x86 on my master, I end up with 8 x Win7x64 and 24 x Win7x86.
In most production setups (with which clusters are usually used), you're not likely to have that many variations of VMs. The golden rule is maximum attack surface and coverage for x86/x64 code, usually with a 3:1 ratio.
For a forensic setup with manual and/or API based submissions (e.g. from a SOAR tool), you'll usually aim for as many variations as possible (different versions of Java, Office, browsers etc.), but there you tend to have less need for HA or LB. So nothing stops you from setting up 8 different VMs on Node1 and 8 different ones again on Node2. With the VM copy feature we have now, it'll be easy to move them around as well.
Your cluster size times number of VMs on master node = total number of sandboxes but limited to a max of 8 on the master node.