Secure Access Cloud performs periodic health checks for all external components, such as, but not limited to:
- Secure Access Cloud Connectors deployed at customers' data centers
- Resources at customers' data centers configured for access via Secure Access Cloud
- Identity Providers integrated with Secure Access Cloud
- IaaS Accounts integrated with Secure Access Cloud
For each of the above types of "external" entities, Secure Access Cloud is maintaining a dedicated Online/Offline state, as well as sends notifications to relevant administrators.
Below describes a health-check and notification/alerting cycle for various involved elements.
Each connector send its status to the system every 30 seconds. The moment a connector disconnects from the Secure Access Cloud PoD requests start getting routed through other connectors.
A connector that has not sent any status in 3 minutes is considered offline, and is shown as such in the administration portal and responses to Management API calls.
Note that a disabled connector (disabling can be done via administration portal or Management API) still sends a status every 30 seconds so it won't be considered offline but 'disabled'.
There is no dedicated notification for connectors, only for sites.
The site status is defined by the status of its connectors. If all connectors are offline then the Site will be considered offline. (Disabled connectors are not impacting the offline status, the site having disabled but "live" connectors will still be considered offline).
If no connectors exist then the Site is considered as not-configured.
If at least 1 connector is online then the Site is considered online.
A notification is sent upon a status change from offline to online and visa versa.
3. Web / SSH / RDP Application
Application health is checked by 1 minute. Only if a health-check fails 3 consecutive times, the resource will be considered unavailable (The status will be shown in the administrator portal and will appear in responses for Management API calls).
Additionally, as the Secure Access Cloud service receives a new functionality, certain types of applications might not be supported by older versions of connectors. If a Site has applications that are not supported by the current connectors on the site (a new feature that requires a newer connector) then the application will show up as unavailable.
A notification will be sent only if the the application was previously healthy for a period of at least 10 minutes and then becomes unhealthy according to the above logic.
4. Identity Provider
Periodic scheduled calls to an API of an Identity Provider allows Secure Access Cloud to inform administrators proactively upon failure to communicate to an IDP. Main reasons for possible failure could be:
- Service interruptions of an Identity Provider
- Expiration or cancellation of API tokens
A notification is being sent upon a failed health-check and upon a successful one following failed ones.
5. IaaS CSP Account
IaaS (such as Amazon Web Services) integration status check is done on-demand, meaning, status is not checked periodically but rather only when the settings page is accessed in the Admin Portal.
This check consists of the following (in case of AWS):
- Checking that connection to EC2 can be established using the given role.
- Querying for the Regions
- Querying for Instances info per Region
- Querying for VPC info per Region
None at the moment.