Public Cloud Licensing

CloudGen Firewalls deployed in Amazon AWS, Microsoft Azure, or Google Cloud public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription, the BYOL licensing model allows you to optionally add Malware Protection, Advanced Threat Protection, Advanced Remote Access, and Premium Support. For more information, see Base Licensing and Subscriptions in the CloudGen Firewall documentation.

There are two types of images available for CloudGen Firewalls in the public cloud:

• Bring Your Own License (BYOL) – Licenses purchased directly from Barracuda Networks. Only the instance cost is billed by the cloud vendor.
• Pay As You Go (PAYG) – The license is billed hourly. The firewall license cost is included in the cloud vendor bill.

Bring Your Own License (BYOL)

CloudGen Firewalls models VFC1-VFC48 deployed in Amazon AWS, Microsoft Azure, or Google Compute public clouds are only restricted by total number of cores, without any further capacity limits. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC is also included for public cloud firewall BYOL licenses. And also in addition to the services and features included with the Energize Updates subscription on other firewall models, the SSL VPN browser portal and the Barracuda Network Access Client Windows Personal Firewall and Windows Health Check (via Access Control Service) are also included for public cloud firewall BYOL licenses.

To license a BYOL image, you must purchase a license from Barracuda Networks. BYOL licenses include the following services:

• Firewall
• Application Control
• IPS
• VPN (site-to-site and client-to-site)
• SSL Inspection
• WAN Compression
• Network Access Control for VPN client-to-site connections
• Energize Updates

Optional:

• Malware Protection (1)
• Advanced Threat Protection (1)
• Advanced Remote Access
• Premium Support (2)
• Firewall Insights

(1) Including FTP, mail, and web protocols
(2) Premium Support ensures that an organization's network is running at its peak performance by providing the highest level of 24x7 technical support for mission-critical environments. For more information please visit https://www.barracuda.com/support/premium.

Upon activation, the license is bound to the unique ID generated by the public cloud provider. DNS resolution and access to the Barracuda licensing servers are required to be able to download the license after activation. In Azure, the unique ID is a 128-bit identifier generated for each new Azure VM. These IDs do not change if the VM is stopped or moved within the datacenter. It will change, however, if a snapshot is used to create a new instance. The Host ID column of the CONTROL > Licensing page shows the UUID of the BYOL license that must match with the UUID in the HOST IDs section. To be able to use the services on the virtual server, a valid Energize Updates subscription is required. 

After the license expires, the firewall enters a 14-day grace period during which you have time to renew your licenses. When the grace periods ends, the behavior depends on if the firewall is managed by a Control Center or is a stand-alone. The configuration of stand-alone firewalls is read-only, but the services remain active. If the firewall is managed by a Control Center, all services are shut down.

Public Cloud License Sizes - Bring Your Own License (BYOL)

Pay-As-You-Go License (PAYG)

PAYG licenses are billed hourly. The hourly instance price includes the firewall license. Some restrictions may apply. Both firewall license and instance cost are billed via the cloud vendor. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. PAYG licenses include the following services:

• Forwarding Firewall
• VPN service
• All services included in the Advanced Remote Access subscription
• Mail Gateway (no longer available in releases 8.x and higher)
• HTTP Proxy
• SSH Proxy (no longer available in releases 8.x and higher)
• DNS
• SNMP
• DHCP
• DHCP Relay
• FTP Gateway (no longer available in releases 8.x and higher)
• Dynamic Routing
• (If managed by a Control Center) Distributed Firewall

Public Cloud License Sizes - Pay As You Go (PAYG)

* Number of protected FW IPs, SSL VPN users, VPN users, and proxy users (AV + Web Filter)

Automatic Licensing Creation During First Boot

The license is generated on first boot and bound to the unique ID generated by the public cloud provider. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot are required. The unique ID for the respective cloud vendor is used as the identifier for each new PAYG firewall. These IDs do not change if the VM is stopped or moved within the data center. They will change, however, if a snapshot is used to create a new instance, invalidating the license. The Host ID column of the CONTROL > Licensing page shows the UUID of the PAYG license that must match with the UUID in the HOST IDs section. If used in a high availability cluster, you must export the license of the secondary firewall and import it on the primary one before the HA sync.

Switching to Other License Types

It is not possible to switch a PAYG instance to BYOL licenses by entering the license token of the BYOL license. To switch from PAYG to BYOL licenses, the firewall instance must be redeployed.

For information on how to install and activate licenses on Barracuda CloudGen Firewall models deployed in the public cloud, see the Licensing section in the CloudGen Firewall documentation.