Deploying NG Firewall in Amazon AWS
- 1 Overview
- 2 Before you begin
- 3 Getting Started
- 3.1 Step 1: Select an instance type
- 3.2 Step 2: Add a subscription
- 3.3 Step 3: Prepare your Virtual Private Cloud (VPC)
- 3.4 Step 4: Launch the Untangle NG Firewall Instance
- 3.5 Step 5: Allocate a static IPv4 Address
- 3.6 Step 6: Connect to your instance
- 3.7 Step 7: Configure Untangle NG Firewall for AWS
- 4 Next Steps
Untangle NG Firewall supports deployment via Amazon Web Services (AWS). Untangle NG Firewall for AWS is a 64-bit Amazon Machine Image (AMI) that is launched and managed from the AWS Management Console. This deployment option is useful for example in decentralized network environments that need to route through a remote gateway to enforce policy management, reporting, content filtering, and other types of network security.
Before you begin
You need a valid AWS account before you can deploy NG Firewall in AWS. If you do not have an AWS account you can register here.
Step 1: Select an instance type
Before launching Untangle NG Firewall for AWS, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.
Untangle NG Firewall for AWS is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of Untangle NG Firewall for AWS.
Both licensing options require the selection of AWS infrastructure in the form of an instance type. The available instance types and their associated costs are outlined in the Pricing Information section of the AWS Marketplace Overview page. Refer to the following links:
AWS instances are available in different sizes to accommodate the performance requirements of your deployment. The table below provides general guidance to help you identify which instance type to choose based on your intended usage.
|Instance Type||Specifications||Max devices (suggested)|
|Small|| 1 vCPU core
2 GB memory
|Up to 50 devices|
|Medium|| 2 vCPU cores
4 GB memory
|Up to 150 devices|
|Large|| 2 vCPU cores
8 GB memory
|Up to 500 devices|
|Extra Large|| 4 vCPU cores
16 GB memory
|Up to 5000 devices|
Step 2: Add a subscriptionAWS Management Console. Add the subscription by clicking Continue to Subscribe from the AWS Marketplace overview page of the corresponding licensing option.
Step 3: Prepare your Virtual Private Cloud (VPC)
A VPC is the virtual networking environment where your AWS instances reside. The quickest way to deploy Untangle NG Firewall for AWS is to launch the instance into the default VPC. In the default VPC configuration AWS automatically configures the required components including the gateway, subnets, and routing.
|For advanced scenarios involving custom VPCs and routing via network interfaces, refer to Configuring NG Firewall for AWS using routed subnets.|
Step 4: Launch the Untangle NG Firewall Instance
To launch Untangle NG Firewall into your VPC:
- Click Launch Instance from the EC2 Dashboard in the EC2 Management Console.
- Click AWS Marketplace from the menu on the left and search for “Untangle”.
- Locate the license option you previously subscribed to and click Select.
- Review the product and pricing details and click Continue.
- Select the instance type that suits your needs and click Next: Configure Instance Details.
- If necessary, adjust the settings of your instance. For simple deployment, make sure the Network matches your default VPC and click Next: Add Storage.
- If necessary, increase the storage Size and click Next: Add Tags.
- If necessary, assign a tag to help you identify and manage this instance. Click Next: Configure Security Group.
- Select Create new security group and assign it a name and description. Set the Type to “All traffic” and Source to “Anywhere”. Click Next: Review and Launch.
- Create a new key pair and download the private key, or choose an existing key pair if one exists. This is necessary in case you need to access the system via SSH.
- Review the summary of your instance and click Launch.
|The default storage size is sufficient for light usage. Increase the storage size if you expect more than 50 hosts or if you wish to retain reporting data beyond the default value of seven days. Refer to the Performance Guide for tips to reduce the system requirements.|
Step 5: Allocate a static IPv4 Address
AWS maps Internet routable IPv4 addresses to your instances dynamically from a pool of addresses. This means that the Internet routable IPv4 address assigned to your instance might change after a reboot or lease expiration. To ensure that your instance maintains the same IPv4 address, you can allocate an Elastic IP Address.
- Navigate to the Elastic IPs area of the EC2 Management Console.
- Click Allocate new address and continue through the prompts.
- Once the IPv4 address is allocated, select it from the list and click Actions → Associate address.
- In the Associate address screen, select your Untangle NG Firewall instance and click Associate.
Step 6: Connect to your instance
To connect to your instance:
- Review the status of your Untangle NG Firewall appliance in the Instances area of the EC2 Management Console.
- Confirm the Instance State is “running”.
- Take note of your Instance ID and Public DNS address.
- Open a new browser window and connect via HTTPS to your Public DNS address.
- Accept the self-signed SSL certificate and proceed to the URL.
- At the Untangle NG Firewall login prompt enter the Instance ID as the password and click Login.
Step 7: Configure Untangle NG Firewall for AWS
After you log in to your Untangle NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.
|For PAYG instances, you must authenticate prior to accessing the setup wizard. The default user is admin and your password is the Instance ID.|
- On the first step of the wizard, configure a new administrative password, notification email address, install type, and timezone. Click Network Cards to proceed.
- On the Identify Network Cards step, choose Continue anyway. Click Internet Connection to proceed.
- On the Configure the Internet Connection step, confirm the Auto (DHCP) selection for the Configuration type and review the Status. Click Auto Upgrades to proceed.
- On the Configure Automatic Upgrade Settings step, review the automatic upgrades and Untangle Cloud connection options. We recommend enabling both options. Click Finish to complete the wizard.
- If you selected Connect to Untangle Cloud in the final step of the setup wizard, follow the prompts to log in or set up your Command Center account to add the new appliance to your organization.
|To simplify the VPC deployment, Untangle NG Firewall for AWS requires only a single network interface. The internal network interfaces associate to each VPN tunnel or connection.|
Components such as location services, notifications, and VPN profiles require knowledge of the Internet routable IP address that associates to the external interface of your instance. In AWS, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure the Untangle NG Firewall with an Internet hostname that resolves to your Internet routable IP address or Elastic IP.
- From the Untangle NG Firewall web administration navigate to Config → Network.
- In the Hostname field, set the unqualified part of your Public DNS.
- In the Domain Name field, set the qualified part of your Public DNS.
- Select the Use Hostname option.
|You can set the Internet hostname using your own domain name. In this case configure your DNS with an Address Record (A) type that points to the Elastic IP address of your instance.|
After you complete the setup wizard you can begin the VPN configuration of Untangle NG Firewall for AWS. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.
- From the Untangle NG Firewall web administration navigate to Apps → OpenVPN.
- In the Status tab, toggle OpenVPN is enabled.
- In the Server tab, check Server Enabled.
- In the Server tab → Remote Clients tab, click Add to create a new profile.
- Assign the parameter of the profile. See OpenVPN for additional information.
|For VPN tunnels with other vendors that do not support OpenVPN, use IPsec. See IPsec VPN for additional information and configuration details.|
After performing the initial configuration you are ready to fine tune your policies and set up VPN tunnels at remote sites. Here are some related topics to get your started: