Configuring NG Firewall for AWS using routed subnets: Difference between revisions

From Edge Threat Management Wiki - Arista
m (Bcarmichael moved page AWS Install to Configuring NG Firewall for AWS using routed subnets: title needs to be more descriptive to make way for other topics related to AWS deployment)
Revision as of 22:35, 30 August 2018

Overview

Untangle NG Firewall deployment in AWS can secure Internet access for other AWS instances. This scenario is useful if you have for example Amazon Workspaces and you need to apply Intrusion Prevention, Content Filtering, Bandwidth Control, and other next generation firewall capabilities to those instances. This type of deployment requires advanced Virtual Private Cloud (VPC) configuration to establish an internal subnet for AWS instances that routes through NG Firewall.

[Diagram illustrating Untangle NG Firewall in relation to AWS instances and VPN tunnels.]

Before you begin

This document assumes you have an AWS account with a VPC created.  If not, you will need to create a VPC prior to using this document.


VPC

To use this document, you will need a VPC with 2 subnets. This document describes the steps to create the subnets. If you need to create a VPC, we recommend:

  1. Amazon Virtual Private Cloud Getting Started Guide:  http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/vpc-gsg.pdf
  2. Amazon Virtual Private Cloud User Guide:  http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ug.pdf


Security group

Create a security group that authorizes all traffic: NGFW is locked down by default to allow only HTTPS and SSH when it is initialized. Navigate to Services → VPCs → Security → Security Groups.

  1. If you wish, you can later restrict more ports in that security group, after you're done configuring NGFW.
  2. Make sure to authorize traffic from your local machine/network for access.
  3. Create the group and select the “Save” button


Subnets

Create 2 subnets, one for the external NGFW interface and the other for the internal one. Make sure the subnets are in the same VPC and within the same availability zone. Navigate to Services → VPCs → Subnets. In this example, the VPC network we are using is 172.31.0.0/16.


Create the External Subnet:

  1. Set the Name Tag:  e.g. Untangle - Public
  2. Set the availability zone: e.g. us-east-1a
  3. Set network address: e.g. 172.31.0.0/20
  4. Select “Yes Create” button


Create the Internal Subnet:

  1. Set the Name Tag: e.g. Untangle - Private
  2. Set the availability zone: e.g. us-east-1a
  3. Set network address: e.g. 172.31.32.0/20
  4. Select “Yes Create” button
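Before creating the two subnets in the console, it is worth checking that the plan is one the VPC will accept: both subnets inside the VPC block, in the same availability zone, and overlapping neither each other nor a subnet that already exists in the VPC. The script below is an added example, not part of the original page or of Untangle; it uses the page's own values (VPC 172.31.0.0/16, two /20 subnets in us-east-1a), and the `existing` list it accepts is a constructed stand-in for subnets already present in the VPC.

```python
"""Sanity-check a two-subnet plan before creating it in the VPC console.

Added example. Values are taken from the page (VPC 172.31.0.0/16, two /20
subnets in us-east-1a); `existing` is a constructed stand-in for subnets
that already exist in the VPC.
"""
from ipaddress import ip_network


def check_subnet_plan(vpc_cidr, planned, existing=()):
    """Return a list of problems with the plan; an empty list means it is consistent.

    planned and existing are iterables of (name, cidr, availability_zone).
    """
    vpc = ip_network(vpc_cidr)
    problems = []

    # NG Firewall's two interfaces must sit in the same availability zone.
    zones = sorted({az for _, _, az in planned})
    if len(zones) != 1:
        problems.append(f"planned subnets span several availability zones: {zones}")

    nets = []
    for name, cidr, _ in planned:
        net = ip_network(cidr)  # strict parsing rejects a CIDR with host bits set
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}) is outside the VPC block {vpc_cidr}")
        nets.append((name, net))

    # AWS refuses a subnet whose CIDR overlaps any other subnet in the same VPC,
    # so compare each planned subnet with the other planned ones and the existing ones.
    others = nets + [(name, ip_network(cidr)) for name, cidr, _ in existing]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in others[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


# The plan this page describes.
PLAN = [
    ("Untangle - Public", "172.31.0.0/20", "us-east-1a"),
    ("Untangle - Private", "172.31.32.0/20", "us-east-1a"),
]

if __name__ == "__main__":
    print(check_subnet_plan("172.31.0.0/16", PLAN))
```

The `existing` argument matters for the page's example range: 172.31.0.0/16 is the block AWS assigns to a default VPC, which already carries a /20 subnet per availability zone, so a plan that looks fine on paper can still collide with one of those.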

 

Network interfaces

You will need to create two network interfaces. Create these interfaces prior to launching the Untangle AMI.


Create the External Interface:

  1. Description: e.g. eth0 - UT Public
  2. Subnet - select the external subnet you created:  e.g. subnet-cda5bea8 us-east-1a | Untangle - Public
  3. Security group - select the security group you created: e.g. sg-811264f0 - Untangle - Untangle
  4. Select the “Yes Create” button


Create the Internal Interface:

  1. Description: e.g. eth1 - UT Private
  2. Subnet - select the internal subnet you created: e.g. us-east-1a | Untangle - Private
  3. Security group - select the security group you created: e.g. sg-811264f0 - Untangle - Untangle
  4. Select the “Yes Create” button


Once you’ve saved the internal (private) network interface, you’ll need to disable its Source/Dest Check. EC2 normally drops packets an interface sends or receives that are not addressed to its own IP; the internal interface must carry traffic for the hosts behind it so Untangle can route and NAT.

  1. Select the Internal interface you created
  2. Then select the “Action” button and select Change Source/Dest Check
  3. Set the Source/Dest check to “Disabled”
  4. Select the “Save” button


Create and add Public IP to External Network Interface

  1. Navigate to Services → EC2 → Elastic IPs and select the “Allocate new Address” button
  2. Select the “Allocate” button
  3. Select the “Close” button
  4. Select the “Actions” button
  5. Select “Associate Address” from the “Actions” button menu
  6. Select the “Network Interfaces” radio button from Resource Type
  7. Select the Public Network Interface you created: e.g. eni-f360b9e4 eth0
  8. Select the “Associate” button
  9. The public IP address is now associated with the Public Interface


Routes

Create a new route table and add a default route using the internal network interface you’ve created:

Navigate to Services → VPC → Route Tables


Select “Create Route Table”

  1. Set a Name Tag for the route table: e.g. Untangle - Private
  2. Select the VPC the Untangle is in: e.g. vpc-79ceo5f0
  3. Add the default route and attach it to the internal network interface:
    1. Select the route table you just created
    2. Select the Routes tab and then the “Edit” button
    3. Destination: 0.0.0.0/0
    4. Target - select the internal Network Interface you created (the one in the private subnet)
    5. Select the “Save” button
  4. Associate the route table with the internal subnet:
    1. Select the Subnet Associations tab and select the “Edit” button
    2. Select the internal subnet
    3. Then select the “Save” button


Create Internet Gateway

The VPC must have an Internet Gateway. Most VPCs will already have one pre-configured. If one does not exist, create one:

  1. Navigate to Services → VPC → Internet Gateway
  2. Select “Create Internet Gateway” button
  3. Enter a Name tag: e.g. VPI -IGW
  4. Select the “Save” button
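The security group, source/dest check, Elastic IP, route table and Internet Gateway steps above all have to line up for traffic from the private subnet to actually pass through NG Firewall. The script below is an added example, not part of the original page or of Untangle: it audits a snapshot of those resources and reports each slip as a finding. The snapshot is constructed by hand with placeholder IDs (`subnet-PUBLIC`, `eni-INTERNAL`, `igw-EXAMPLE` and so on); its field names follow the EC2 describe-* API output, but nothing here contacts AWS.

```python
"""Offline audit of the routed-subnet layout this page builds.

Added example. SNAPSHOT is a hand-constructed stand-in for what the EC2
describe-* calls return (same field names, placeholder IDs); nothing here
contacts AWS.
"""
import copy

SNAPSHOT = {
    "subnets": [
        {"SubnetId": "subnet-PUBLIC", "CidrBlock": "172.31.0.0/20", "AvailabilityZone": "us-east-1a"},
        {"SubnetId": "subnet-PRIVATE", "CidrBlock": "172.31.32.0/20", "AvailabilityZone": "us-east-1a"},
    ],
    "interfaces": [
        # eth0 - UT Public: keeps the default source/dest check and carries the Elastic IP
        {"NetworkInterfaceId": "eni-EXTERNAL", "SubnetId": "subnet-PUBLIC",
         "SourceDestCheck": True, "Association": {"PublicIp": "203.0.113.10"}},
        # eth1 - UT Private: source/dest check disabled so it can forward and NAT
        {"NetworkInterfaceId": "eni-INTERNAL", "SubnetId": "subnet-PRIVATE", "SourceDestCheck": False},
    ],
    "route_tables": [
        # VPC main table; the public subnet has no explicit association and so uses it
        {"RouteTableId": "rtb-MAIN", "Associations": [{"Main": True}],
         "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
        # "Untangle - Private" table: default route points at the firewall's internal ENI
        {"RouteTableId": "rtb-PRIVATE", "Associations": [{"SubnetId": "subnet-PRIVATE"}],
         "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-INTERNAL"}]},
    ],
    "security_group": {
        "GroupId": "sg-EXAMPLE",
        # the page's initial "authorize all traffic" rule
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
}


def route_table_for(snap, subnet_id):
    """Route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rtb in snap["route_tables"]:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route(rtb):
    """The 0.0.0.0/0 entry of a route table, or None."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit(snap, public_subnet, private_subnet):
    """Return a list of findings; each string names the resource and the problem."""
    findings = []
    subnets = {s["SubnetId"]: s for s in snap["subnets"]}
    if subnets[public_subnet]["AvailabilityZone"] != subnets[private_subnet]["AvailabilityZone"]:
        findings.append("subnets are in different availability zones")

    by_subnet = {e["SubnetId"]: e for e in snap["interfaces"]}
    external, internal = by_subnet.get(public_subnet), by_subnet.get(private_subnet)
    if external is None:
        findings.append("no network interface in the public subnet")
    elif not external.get("Association", {}).get("PublicIp"):
        findings.append(f"{external['NetworkInterfaceId']}: no public (Elastic) IP associated")
    if internal is None:
        findings.append("no network interface in the private subnet")
    elif internal["SourceDestCheck"]:
        # with the check on, EC2 discards packets the interface forwards for other hosts
        findings.append(f"{internal['NetworkInterfaceId']}: source/dest check still enabled, NGFW cannot route or NAT")

    rtb = route_table_for(snap, private_subnet)
    route = default_route(rtb) if rtb else None
    if route is None:
        findings.append("private subnet has no 0.0.0.0/0 route")
    elif internal and route.get("NetworkInterfaceId") != internal["NetworkInterfaceId"]:
        findings.append(f"{rtb['RouteTableId']}: default route bypasses the firewall ({route})")

    rtb = route_table_for(snap, public_subnet)
    route = default_route(rtb) if rtb else None
    if route is None or not str(route.get("GatewayId", "")).startswith("igw-"):
        findings.append("public subnet has no default route to an Internet Gateway")

    sg = snap["security_group"]
    for perm in sg["IpPermissions"]:
        if perm.get("IpProtocol") == "-1" and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            findings.append(f"{sg['GroupId']}: allows all traffic from 0.0.0.0/0; tighten once NGFW is configured")
    return findings


def misconfigured_example():
    """Same layout with two common slips: check left enabled, private default route sent to the IGW."""
    snap = copy.deepcopy(SNAPSHOT)
    snap["interfaces"][1]["SourceDestCheck"] = True
    snap["route_tables"][1]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}
    return snap


if __name__ == "__main__":
    for finding in audit(SNAPSHOT, "subnet-PUBLIC", "subnet-PRIVATE"):
        print("finding:", finding)
```

Run against the layout the page builds, the only finding is the wide-open security group, which the page itself says to restrict after configuration; the `misconfigured_example` snapshot shows the two slips that silently send private-subnet traffic around the firewall or make it disappear.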


Launch the Untangle - AMI

  1. Navigate to Services → EC2 → Select the Launch Instance Button
  2. Select AWS Marketplace and search for Untangle
  3. Select the “Launch” button for the Untangle NG Firewall
  4. Select the Instance type
  5. Select the “Next: Configure Instance Details” button
    1. Subnet: select the External Subnet you created
    2. Network interfaces: select the “Add Device” button and set eth1 to the Internal Subnet you created
    3. Select the “Next: Add Storage” button
    4. Select the “Next: Add Tags” button
    5. Tags - you can add tags to help you identify the AMI / resources
    6. Select the “Next: Configure Security Group” button
    7. Choose the “Select existing Security Group” radio button and choose the security group you configured
    8. Select the “Review and Launch” button
  6. Review your configuration and make any adjustments if needed
  7. Select the “Launch” button
    1. Key Pair: select an existing key pair or create a new one
    2. Select the “Launch Instance” button


Check your Untangle Instance

  1. Navigate to Services → EC2
    1. Verify the instance is running
    2. Make note of the Public IP
  2. Login to Untangle
    1. Point your browser at https://<publicIP>, e.g. https://34.22.127.3
    2. Configure Untangle


Your browser may show a message indicating that connecting to your new server needs caution. This message is simply telling you that there isn't yet a server certificate in place because the server is not yet configured. Once the Untangle setup process is complete, this warning will no longer occur when you direct a browser to your new server.