The Barracuda CloudGen Firewall F secures and connects the services running in your AWS virtual private cloud (VPC). The firewall monitors and secures all traffic between subnets and to and from the Internet. It also connects your cloud resources either to your on-premises networks with site-to-site VPN, or to your remote users with client-to-site VPN and SSL VPN. After the deployment, the Instance ID is the root password used to log in via Barracuda Firewall Admin. Logging in via SSH is only possible with the key pair selected during the last deployment step.
Step 1. Create an IAM Role for the Firewall
Create an IAM role for your firewall instance. Verify that all the required IAM policies are attached to the role.
For step-by-step instructions, see How to Create an IAM Role for a CloudGen Firewall in AWS.
Step 2. Select the AWS Data Center
- Log into the AWS console.
- In the upper right, click on the data center location, and select the data center you want to deploy to from the list.
The selected data center location is now displayed in the AWS console.
Step 3. Create an Elastic IP
Create an elastic IP address. This is the public IP address that will be used for your firewall instance.
- Log into the AWS console.
- Click Services and select EC2.
- In the Network & Security section of the left menu, click on Elastic IPs.
- Click Allocate New Address.
- Click Yes, Allocate.
An unassigned elastic IP is now added to the list. Copy the Allocation ID for future use.
Step 4. Create VPC with VPC Wizard
Use the VPC wizard to create a VPC with one public and one private subnet. The firewall will be deployed in the public subnet. If needed, you can add additional subnets after the deployment.
- Log into the AWS console.
- Click Services and select VPC.
- Click Start VPC Wizard. The VPC wizard opens.
- Select VPC with Public and Private Subnets and click Select.
- On the VPC with Public and Private Subnets page, change the following settings:
- IP CIDR block – Enter a /16 CIDR block that does not overlap with any of your other networks.
- VPC Name – Enter the name.
- Public subnet – Enter the /24 subnet used for the firewall instance.
- Public subnet name – Enter a name for the public subnet.
- (optional) Availability Zone – Select which availability zone the VPC is created in. Select No Preference for AWS to assign it automatically.
- Private subnet – Enter the /24 subnet used for the instances protected by the firewall.
- Private subnet name – Enter a name for the private subnet.
- Elastic IP Allocation ID – Enter the Allocation ID for the elastic IP address created in Step 3.
- (optional) Set Enable DNS hostnames to NO to only use IP addresses to access your VPC.
- Click Create VPC.
The VPC is now listed in the Your VPCs list.
Step 5. Delete the NAT Gateway
Delete the NAT gateway.
The VPC wizard automatically creates a NAT gateway instance. But since the firewall already includes this functionality, the NAT gateway instance must be deleted.
- Log into the AWS console.
- Click Services and select VPC.
- In the Virtual Private Cloud section of the left menu, click NAT Gateways.
- (optional) Enter the VPC ID in the search bar.
- Select the NAT gateway created for your VPC and click Delete NAT Gateway. The Delete NAT Gateway pop-over window opens.
- Click Delete NAT Gateway.
The elastic IP address associated with the NAT gateway is released automatically and is now free to use for the firewall instance.
Step 6. Deploy the CloudGen Firewall F Instance
You can deploy the CloudGen Firewall F instance in two different ways from the AWS Marketplace: BYOL and hourly. The firewall instance is deployed into the public subnet and can be configured to use either a single network interface or one network interface per subnet. The number of network interfaces is limited by the instance size.
- Log into the AWS console.
- Click Services and select EC2.
- In the Create Instance section, click Launch Instance. The VPC wizard starts.
- In the left menu, click AWS Marketplace.
- Enter Barracuda CloudGen in the Search for AWS Marketplace Product search box.
- Click Select next to the image type you want to deploy: BYOL or hourly.
- Select the Instance Type. If you are deploying a BYOL image, verify that the number of CPU cores of the instance matches your license.
- Click Next: Configure Instance Details.
- Configure the Instance Details:
- (HA only) Number of instances – To deploy two instances to create an HA cluster, enter 2. For stand-alone deployments, deploy one instance.
- Network – Select the VPC created in Step 4.
- Subnet – Select the public subnet.
- IAM role – Select the IAM role created in Step 1.
- (optional) Add additional Network Interfaces:
- Click Add Device. The device is added to the list.
- Select the Subnet the network interface is connected to.
- (optional) Enter the Primary IP address for this interface. The IP address must be in the subnet selected above.
- Click Next: Add Storage.
- (optional) Change the Volume Type as needed.
- Click Next: Tag Instance.
- Click Next: Configure Security Group.
- (optional) Click Add Rule and add a rule for ICMP:
- Type – Select All ICMP.
- Source – Select Anywhere.
- (optional) Click Add Rule and add a rule for HTTP:
- Type – Select HTTP.
- Source – Select Anywhere.
- Click Review and Launch.
- Click Launch. The Select an existing key pair or create a new key pair pop-over window opens.
- From the drop-down list, select Choose an existing key pair or Create a new key pair. The certificate is valid only for SSH logins with the root user. For Barracuda Firewall Admin, the Instance ID is the default password.
- Select the check box to verify that you have access to the selected key, or click Download Key Pair to download a new key pair.
- Click Launch Instances.
On the Launch Status page, locate and copy the Instance IDs. This is the default password used to log in via Barracuda Firewall Admin.
Step 7. Disable Source/Destination Check for the Network Interface
For the interface to be allowed to forward traffic with a destination IP address that is different from the IP addresses assigned to the network interfaces, you must disable the source/destination check.
- Log into the AWS console.
- Click Services and select EC2.
- In the Network & Security section of the left menu, click Network Interfaces.
- (optional) Filter the list using the Instance ID.
- Right-click on the network interface, and select Change Source/Dest. Check.
- Set the Source/dest. check to Disabled.
- Click Save.
The source/destination check is now disabled for the network interface connected to the firewall instance.
Step 8. Associate the Elastic IP with the Firewall
Use the Elastic IP (EIP) as the public IP address for the firewall network interface connected to the public subnet.
- Log into the AWS console.
- Click Services and select EC2.
- In the Network & Security section of the left menu, click Network Interfaces.
- (optional) Filter the list using the Instance ID.
- Locate the network interface connected to the public subnet, and copy the Network interface ID.
- In the Network & Security section of the left menu, click Elastic IPs.
- Right-click the EIP created in Step 3, and click Associate Address.
- Enter the Network Interface ID, and click Associate.
Traffic to the EIP is now automatically forwarded to the network interface attached to the public subnet of the VPC.
Step 9. Adjust the Routing Tables
Adjust the routing table for the private subnets to use the firewall instance as the default gateway. Instances will always use the first IP address of the subnet as the default gateway. The AWS cloud fabric then internally reroutes the traffic to the configured network interface or instance. The route table attached to the public subnet does not need to be changed.
- Log into the AWS console.
- Click Services and select VPC.
- In the Virtual Private Cloud section of the left menu, click Route Tables.
- (optional) Filter the list using the VPC ID.
- Select the route table that is not associated with the public subnet.
- In the lower half of the page, click on the Subnet Associations tab.
- Click Edit.
- Select the private subnet and click Save.
- Click on the Routes tab.
- Click Edit.
- Depending on whether you are using single or multiple network interfaces:
- Single NIC – Enter the Instance ID of the firewall in the Target column of the route with the Destination 0.0.0.0/0.
- Multiple NICs – Enter the network interface ID of the network interface associated with this subnet in the Target column of the route with the Destination 0.0.0.0/0.
- Click Save.
You now have a default route with the Status active and the target set to the correct firewall network interface.
Step 10. Create a Security Group
Create a security group for the private networks that allows all traffic from the security group assigned to the firewall.
- Log into the AWS console.
- Click Services and select VPC.
- In the Security section of the left menu, click Security Groups.
- Locate the security group created during the firewall deployment, and copy the Group ID.
- Click Create Security Group.
- Group name – Enter a name for the security group.
- Description – Enter a description for the security group.
- VPC – Select the VPC you created in Step 4 from the list.
- Click Yes, Create.
- In the lower half of the page, click on the Inbound Rules tab.
- Click Edit.
- Create a rule to allow traffic from the firewall security group:
- Type – Select All Traffic.
- Protocol – Select ALL.
- Source – Enter the group ID of the security group assigned to your firewall.
- Click Save.
When deploying instances to one of the private subnets, use this security group. This allows traffic to and from the firewall.
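Steps 7 to 10 each change one setting that, if missed, either breaks forwarding or lets traffic reach the private subnet without passing the firewall. The following added example (not Barracuda's or AWS's own code) checks the resulting configuration offline against constructed data shaped like the `aws ec2 describe-network-interfaces`, `describe-route-tables` and `describe-security-groups` output; every ID in it is a constructed sample value.

```python
# Added example, not Barracuda's or AWS's own code: offline checks for the VPC layout
# built in Steps 7-10. The dictionaries mirror the shape of `aws ec2 describe-network-interfaces`,
# `describe-route-tables` and `describe-security-groups` output; every ID is a constructed sample.

FW_ENI = "eni-0aaa000000000001"         # constructed: firewall ENI in the public subnet
FW_SG = "sg-0aaa000000000001"           # constructed: security group of the firewall
PRIVATE_SUBNET = "subnet-0bbb00000001"  # constructed: the protected private subnet

def check_source_dest(enis, fw_eni=FW_ENI):
    # Step 7: the firewall cannot forward traffic for other hosts while the check is on.
    eni = next(e for e in enis if e["NetworkInterfaceId"] == fw_eni)
    return [] if not eni["SourceDestCheck"] else [f"{fw_eni}: SourceDestCheck still enabled"]

def check_default_route(route_tables, subnet_id=PRIVATE_SUBNET, fw_eni=FW_ENI):
    # Step 9: the private subnet's table must send 0.0.0.0/0 to the firewall ENI, state active.
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            break
    else:
        return [f"{subnet_id}: not associated with any route table"]
    default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    problems = [] if default else [f"{rt['RouteTableId']}: no default route"]
    for r in default:
        if r.get("NetworkInterfaceId") != fw_eni:
            problems.append(f"{rt['RouteTableId']}: default route does not target {fw_eni}")
        if r.get("State") != "active":  # "blackhole" means the target ENI/instance is gone
            problems.append(f"{rt['RouteTableId']}: default route state is {r.get('State')}")
    return problems

def check_private_sg(sg, fw_sg=FW_SG):
    # Step 10: inbound only from the firewall's group; a CIDR rule admits traffic the firewall never saw.
    problems, from_fw = [], False
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            problems.append(f"{sg['GroupId']}: CIDR rule from {rng['CidrIp']} is not limited to the firewall group")
        from_fw |= any(p["GroupId"] == fw_sg and perm["IpProtocol"] == "-1"
                       for p in perm.get("UserIdGroupPairs", []))
    if not from_fw:
        problems.append(f"{sg['GroupId']}: no all-traffic rule from firewall group {fw_sg}")
    return problems

# Constructed sample of a deployment that follows the procedure; all three checks return [].
GOOD_ENIS = [{"NetworkInterfaceId": FW_ENI, "SourceDestCheck": False}]
GOOD_RT = [{"RouteTableId": "rtb-0ccc00000001", "Associations": [{"SubnetId": PRIVATE_SUBNET}],
            "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FW_ENI, "State": "active"}]}]
GOOD_SG = {"GroupId": "sg-0ddd00000001",
           "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": FW_SG}]}]}

def audit(enis=GOOD_ENIS, route_tables=GOOD_RT, sg=GOOD_SG):
    return check_source_dest(enis) + check_default_route(route_tables) + check_private_sg(sg)
```

Feed the functions the parsed JSON of the three describe calls for your own VPC; an empty list from `audit` means the routing and group settings match the procedure.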
Step 11. (optional) Edit the Network ACLs
The Network ACLs created by the VPC wizard are configured by default to allow traffic through. If required, go to Network ACLs to edit the network ACL assigned to your VPC.
Step 12. Log in via Barracuda Firewall Admin
Use Barracuda Firewall Admin to log into your firewall.
- Launch Barracuda Firewall Admin.
- Log into the firewall:
- Select Firewall.
- IP Address / Name – Enter the elastic IP.
- Username – Enter root.
- Password – Enter the Instance ID of the firewall instance created in Step 6.
- Click Sign in.
- Renew your password.
- The window for selecting how to manage the firewall is displayed.
- Click Manage via Barracuda Firewall Admin.
Next Steps
- (BYOL only) License and activate the firewall. For more information, see How to Activate and License a Stand-Alone Virtual or Public Cloud Firewall or Control Center.
- (optional) Re-enable SSH logins via password by setting Force Key Authentication to No in the Advanced View of the CONFIGURATION > Configuration Tree > Box > Advanced Configuration > SSH > Advanced Setup page.