Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Deploy a Barracuda F-Series Firewall in an Amazon Virtual Private Cloud

The Barracuda NextGen Firewall F 6.2 images are no longer available in the AWS marketplace. Use the newest NextGen Firewall F-Series images instead.

The Barracuda NextGen Firewall F in AWS secures and connects the services running in your AWS virtual private cloud (VPC). The firewall monitors and secures all traffic between subnets and all traffic to and from the Internet. It also connects your cloud resources either to your on-premises networks with site-to-site VPN, or to your remote users with client-to-site VPN and SSL VPN. After deployment, the Instance ID is the root password for logging in via NextGen Admin. Because the Instance ID is visible to anyone with read access to your EC2 resources, change this password after your first login. Logging in via SSH is only possible with the key pair selected during the last deployment step.

Before you begin

  • Keep track of your Amazon resource IDs as you create them in a separate text file. This allows you to easily copy and paste them as needed without having to look them up in the AWS web interface.
  • An Amazon AWS account is required.

Step 1. Select the AWS datacenter

  1. Log into the AWS console.
  2. In the upper right, click the datacenter location (the AWS region), and select the datacenter you want to deploy to from the list.

The selected datacenter location is now displayed in the AWS console.

Step 2. Create an elastic IP

Create an elastic IP address. This is the public IP address that will be used for your firewall instance.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Elastic IPs.
  4. Click Allocate New Address.
  5. Click Yes, Allocate.

An unassigned elastic IP is now added to the list. Copy the Allocation ID for future use.


Step 3. Create VPC with VPC wizard

Use the VPC wizard to create a VPC with one public and one private subnet. The firewall will be deployed in the public subnet. If needed, you can add additional subnets after the deployment.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. Click Start VPC Wizard. The VPC wizard opens.
  4. Select VPC with Public and Private Subnets and click Select.
  5. On the VPC with Public and Private Subnets change the following settings:
    • IP CIDR block – Enter a /16 CIDR block that does not overlap with any of your other networks.
    • VPC Name – Enter the name. 
    • Public subnet – Enter the /24 subnet used for the firewall instance.
    • Public subnet name – Enter a name for the public subnet.
    • (optional) Availability Zone – Select which availability zone the VPC is created in. Select No Preference for AWS to assign it automatically.
    • Private subnet – Enter the /24 subnet used for the instances protected by the firewall.
    • Private subnet name – Enter a name for the private subnet.
    • Elastic IP Allocation ID – Enter the Allocation ID of the elastic IP address created in step 2.
  6. (optional) Set Enable DNS hostnames to No to use only IP addresses to access your VPC.
  7. Click Create VPC.

The VPC is now listed in the Your VPCs list.


Step 4. Delete NAT gateway

Delete the NAT gateway.

The VPC wizard automatically creates a NAT gateway for the private subnet. Because the firewall already provides this functionality, the NAT gateway must be deleted. Until the private route table is changed in Step 8, its default route continues to point at the deleted gateway and shows the Status blackhole.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the Virtual Private Cloud section of the left menu, click on NAT Gateways.
  4. (optional) Enter the VPC ID in the search bar.
  5. Select the NAT gateway created for your VPC and click Delete NAT Gateway. The Delete NAT Gateway pop-over window opens.
  6. Click Delete NAT Gateway.

The elastic IP address that was associated with the NAT gateway is disassociated automatically. It remains allocated to your account and is now free to associate with the firewall instance.

Step 5. Deploy NextGen Firewall F instance

You can deploy the NextGen Firewall F instance in two different ways from the AWS Marketplace: BYOL and hourly. The firewall instance is deployed into the public subnet and can be configured to use either a single network interface or one network interface per subnet. The maximum number of network interfaces depends on the instance type.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Create Instance section, click Launch Instance. The launch instance wizard starts.
  4. In the left menu, click AWS Marketplace.
  5. Enter Barracuda NextGen in the Search for AWS Marketplace Product search box.
  6. Click Select next to the image type you want to deploy: BYOL or hourly.
  7. Select the Instance Type. If you are deploying a BYOL image, verify that the number of CPU cores of the instance matches your license.
  8. Click Next: Configure Instance Details.
  9. Configure the Instance Details:
    • (HA only) Number of instances – To deploy two instances to create an HA cluster, enter 2. For stand-alone deployments, deploy one instance.  
    • Network – Select the VPC created in step 3.
    • Subnet – Select the public subnet. 
  10. (optional) Add additional Network Interfaces:
    1. Click Add Device. The device is added to the list.
    2. Select the Subnet the network interface is connected to.
    3. (optional) Enter the Primary IP address for this interface. The IP address must be in the subnet selected above.
  11. Click Next:Add Storage.
  12. (optional) Change the Volume Type as needed.
  13. Click Next: Tag Instance.
  14. Click Next: Configure Security Group.
  15. (optional) Click Add Rule and add a rule for ICMP:
    • Type – Select All ICMP
    • Source – Select Anywhere.
  16. (optional) Click Add Rule and add a rule for HTTP:
    • Type – Select HTTP
    • Source – Select Anywhere.
    A Source of Anywhere (0.0.0.0/0) exposes the port to the entire Internet. If the firewall only needs to be reached from known networks, enter those CIDR ranges as the source instead.
  17. Click Review and Launch.
  18. Click Launch. The Select an existing key pair or create a new key pair pop-over window opens.
  19. From the drop-down list, select Choose an existing key pair or Create a new key pair. The key pair is used only for SSH logins as the root user. For NextGen Admin, the Instance ID is the default password.
  20. Click the checkbox to verify that you have access to the selected key or click Download Key Pair to download a new key pair.
  21. Click Launch Instances

On the Launch Status page, locate and copy the Instance ID. This is the default password used to log in via NextGen Admin.

Step 6. Disable Source/Destination check for the network interfaces

For the interfaces to be allowed to forward traffic with a destination IP address that is different from the IP addresses assigned to the network interfaces, you must disable the source/destination check for each network interface.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Network Interfaces.
  4. (optional) Filter the list using the Instance ID.
  5. For each interface, disable the source/destination check:
    1. Right-click on the network interface, and select Change Source/Dest. Check.
    2. Set the Source/dest. check to Disabled.
    3. Click Save.

The source/destination check is now disabled for all network interfaces connected to the firewall instance. 

Step 7. Associate the elastic IP with the firewall

Use the Elastic IP (EIP) as the public IP address for the firewall network interface connected to the public subnet.

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the Network & Security section of the left menu, click on Network Interfaces.
  4. (optional) Filter the list using the Instance ID.
  5. Locate the network interface connected to the public subnet, and copy the Network interface ID.
  6. In the Network & Security section of the left menu, click on Elastic IPs.
  7. Right-click the EIP created in step 2, and click Associate Address.
  8. Enter the Network Interface ID, and click Associate.


Traffic to the EIP is now automatically forwarded to the network interface attached to the public subnet of the VPC.

Step 8. Routing tables

Adjust the route table for the private subnets to use the firewall instance as the default gateway. Instances always use the first usable IP address of their subnet (the VPC router) as the default gateway; the AWS cloud fabric then forwards the traffic according to the route table to the configured network interface or instance. The route table attached to the public subnet does not need to be changed.

  1. Log into the AWS console.
  2. Click Services and select VPC
  3. In the Virtual Private Cloud section of the left menu, click on Route Tables.
  4. (optional) Filter the list using the VPC ID.
  5. Select the route table that is not associated with the public subnet.
  6. In the lower half of the page, click on the Subnet Associations tab.
  7. Click Edit.
  8. Select the private subnet and click Save.

    If you are deploying with multiple network interfaces, you must create a separate route table for each private subnet, because each needs a default route pointing at the network interface in that subnet. If you are using one network interface, associate all private subnets with this route table.

  9. Click on the Routes tab.
  10. Click Edit.
  11. Depending on whether you are using single or multiple network interfaces:
    1. Single NIC – Enter the Instance ID of the firewall in the Target column of the route with the Destination 0.0.0.0/0.
    2. Multiple NICs – Enter the network interface ID of the network interface associated with this subnet in the Target column of the route with the Destination 0.0.0.0/0.
  12. Click Save.

You now have a default route with the Status active and the target set to the correct firewall network interface. If the Status is blackhole, the route still points at a target that no longer exists (such as the deleted NAT gateway); edit the target again.

Step 9. Security Groups

Create a security group for the private subnets that allows all traffic from the security group assigned to the firewall.

  1. Log into the AWS console.
  2. Click Services and select VPC
  3. In the Security section of the left menu, click on Security Groups.
  4. Locate the security group created during the firewall deployment, and copy the Group ID.
  5. Click Create Security Group.
    • Group name – Enter a name for the security group.
    • Description – Enter a description for the security group. 
    • VPC – Select the VPC you created in step 3 from the list.
  6. Click Yes, Create.
  7. In the lower half of the page, click on the Inbound Rules tab.
  8. Click Edit.
  9. Create a rule to allow traffic from the firewall security group:
    • Type – Select All Traffic
    • Protocol – Select ALL
    • Source – Enter the group ID of the security group assigned to your firewall.
  10. Click Save.

When deploying instances to one of the private subnets, use this security group. It allows traffic to and from the firewall. Because the rule references the firewall's security group rather than an IP address, it keeps working if the firewall's addresses change, but any other instance placed in the firewall's security group also becomes a permitted source.

Step 10. (optional) Network ACLs

The network ACLs created by the VPC wizard allow all traffic by default. If required, go to Network ACLs to edit the network ACL assigned to your VPC.
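The AWS-side configuration of Steps 4, 6, 7, 8 and 9, together with the two checks a practitioner should run afterwards, as an added AWS CLI example. It is not part of the original page and not Barracuda's own tooling. It assumes an AWS CLI configured for the region chosen in Step 1; the function names, the AWS_CLI override variable and the resource IDs in the usage line are this example's own placeholders.

```shell
#!/bin/sh
# Added example (not from the Barracuda page): AWS CLI equivalent of steps 4, 6,
# 7, 8 and 9, plus post-checks. Assumes a configured AWS CLI. Function names and
# the AWS_CLI variable are this example's own; resource IDs are placeholders.
# Point AWS_CLI at a stub function to exercise the logic without an account.
set -eu
AWS="${AWS_CLI:-aws}"

# Step 4: delete every NAT gateway the VPC wizard created in this VPC.
delete_nat_gateways() {  # $1 = VPC id
  for ngw in $($AWS ec2 describe-nat-gateways \
      --filter "Name=vpc-id,Values=$1" "Name=state,Values=available" \
      --query 'NatGateways[].NatGatewayId' --output text); do
    $AWS ec2 delete-nat-gateway --nat-gateway-id "$ngw" >/dev/null
  done
}

# All network interfaces attached to the firewall instance.
firewall_enis() {  # $1 = instance id
  $AWS ec2 describe-network-interfaces \
    --filters "Name=attachment.instance-id,Values=$1" \
    --query 'NetworkInterfaces[].NetworkInterfaceId' --output text
}

# Step 6: the firewall forwards packets whose addresses are not its own, so the
# source/destination check must be off on every interface, not only the first.
disable_src_dst_check() {  # $1 = instance id
  for eni in $(firewall_enis "$1"); do
    $AWS ec2 modify-network-interface-attribute \
      --network-interface-id "$eni" --no-source-dest-check
  done
}

# Step 7: attach the EIP to the interface in the public subnet; prints that ENI id.
associate_eip() {  # $1 = instance id, $2 = public subnet id, $3 = EIP allocation id
  pub_eni=$($AWS ec2 describe-network-interfaces \
    --filters "Name=attachment.instance-id,Values=$1" "Name=subnet-id,Values=$2" \
    --query 'NetworkInterfaces[0].NetworkInterfaceId' --output text)
  $AWS ec2 associate-address --allocation-id "$3" \
    --network-interface-id "$pub_eni" >/dev/null
  echo "$pub_eni"
}

# Step 8: point a private route table's 0.0.0.0/0 route at the firewall.
# Single NIC: target is the instance id. Multiple NICs: target is the ENI in that
# private subnet. The wizard's route usually still exists (blackhole after the
# NAT gateway is gone), so replace it; create it only if it is missing.
set_default_route() {  # $1 = route table id, $2 = i-... or eni-...
  case "$2" in
    i-*)   tgt="--instance-id $2" ;;
    eni-*) tgt="--network-interface-id $2" ;;
    *)     echo "unsupported route target: $2" >&2; return 1 ;;
  esac
  $AWS ec2 replace-route --route-table-id "$1" \
      --destination-cidr-block 0.0.0.0/0 $tgt >/dev/null 2>&1 ||
  $AWS ec2 create-route --route-table-id "$1" \
      --destination-cidr-block 0.0.0.0/0 $tgt >/dev/null
}

# Step 9: security group for protected instances that admits all traffic whose
# source is a member of the firewall's security group; prints the new group id.
create_protected_sg() {  # $1 = VPC id, $2 = firewall security group id, $3 = name
  sg=$($AWS ec2 create-security-group --vpc-id "$1" --group-name "$3" \
    --description "Allow all traffic from the firewall security group" \
    --query GroupId --output text)
  $AWS ec2 authorize-security-group-ingress --group-id "$sg" \
    --ip-permissions "IpProtocol=-1,UserIdGroupPairs=[{GroupId=$2}]" >/dev/null
  echo "$sg"
}

# Post-check for step 6: prints "ok" only if every firewall ENI reports
# SourceDestCheck=False; one ENI left at True silently drops forwarded traffic.
check_src_dst() {  # $1 = instance id
  for eni in $(firewall_enis "$1"); do
    flag=$($AWS ec2 describe-network-interfaces --network-interface-ids "$eni" \
      --query 'NetworkInterfaces[0].SourceDestCheck' --output text)
    [ "$flag" = "False" ] || { echo "source/dest check still enabled on $eni"; return 1; }
  done
  echo ok
}

# Post-check for step 8: prints the default route's state, "active" when the
# target is valid and "blackhole" when it still points at the deleted NAT gateway.
check_default_route() {  # $1 = route table id
  $AWS ec2 describe-route-tables --route-table-ids "$1" \
    --query 'RouteTables[0].Routes[?DestinationCidrBlock==`0.0.0.0/0`].State' \
    --output text
}

# Single-NIC deployment end to end. Arguments: VPC id, instance id, public subnet
# id, private route table id, EIP allocation id, firewall security group id.
fixup_all() {
  delete_nat_gateways "$1"
  disable_src_dst_check "$2"
  associate_eip "$2" "$3" "$5" >/dev/null
  set_default_route "$4" "$2"   # multi-NIC: once per private route table, with its ENI
  create_protected_sg "$1" "$6" "fw-protected" >/dev/null
  check_src_dst "$2"
  check_default_route "$4"
}

if [ "${1:-}" = "fixup" ]; then shift; fixup_all "$@"; fi
```

Run it as `sh fw-aws-fixup.sh fixup <vpc-id> <instance-id> <public-subnet-id> <private-route-table-id> <eip-allocation-id> <firewall-sg-id>` for a single-NIC deployment, or source the file and call the functions one at a time; for a multi-NIC deployment call set_default_route once per private route table with the ENI in that subnet. The two check functions catch the two mistakes this procedure is most sensitive to: an interface left with the source/destination check enabled, and a default route that still points at the deleted NAT gateway.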

Step 11. Log in via NextGen Admin

Use NextGen Admin to log into your firewall.

  1. Launch NextGen Admin.
  2. Log into the firewall:
    • Select Firewall
    • IP Address / Name – Enter the elastic IP. 
    • Username – Enter root.
    • Password – Enter the Instance ID of the firewall instance created in step 5.
  3. Click Sign in.