CloudGen Firewalls deployed in Amazon AWS, Microsoft Azure, or Google Cloud public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription, the BYOL licensing model allows you to optionally add Malware Protection, Advanced Threat Protection, Advanced Remote Access, and Premium Support.
Public Cloud License Sizes
Capacity (Protected IPs)
Number of Supported CPU Cores
Level 2 (VFC2)
Level 4 (VFC4)
Level 6 (VFC6)
Level 8 (VFC8)
* Number of protected FW IPs, SSL VPN users, VPN users, and proxy users (AV + Web Filter)
There are two types of images available for CloudGen Firewalls in the public cloud:
- Bring Your Own License (BYOL) – Licenses purchased directly from Barracuda Networks. Only the instance cost is billed by the cloud vendor.
- Pay As You Go (PAYG) – Available in two types: hourly and volume based (metered). Volume based PAYG images are currently only available in AWS. The firewall license cost is included in the cloud vendor bill.
General License Information
Public Cloud Licenses include the following features:
CloudGen Firewall Feature
|-||Level 2||Level 4||Level 6||Level 8||-|
|VPN (site-to-site and client-to-site)||Yes||Yes||Yes||Yes||Yes|
Network Access Control for VPN
|Malware Protection (1)||Optional||Optional||Optional||Optional||No|
|Advanced Threat Protection (1)||Optional||Optional||Optional||Optional||No|
|Advanced Remote Access||Optional||Optional||Optional||Optional||Yes|
|Premium Support (2)||Optional||Optional||Optional||Optional||No|
(1) Including FTP, mail, and web protocols
(2) Premium Support ensures that an organization's network is running at its peak performance by providing the highest level of 24x7 technical support for mission-critical environments. For more information please visit https://www.barracuda.com/support/premium.
Bring Your Own License (BYOL)
To license a BYOL image, you must purchase a license from Barracuda Networks. Upon activation, the license is bound to the unique ID generated by the public cloud provider. DNS resolution and access to the Barracuda licensing servers are required to be able to download the license after activation. In Azure, the unique ID is a 128-bit identifier generated for each new Azure VM. These IDs do not change if the VM is stopped or moved within the datacenter. It will change, however, if a snapshot is used to create a new instance. The Host ID column of the CONTROL > Licensing page shows the UUID of the BYOL license that must match with the UUID in the HOST IDs section. To be able to use the services on the virtual server, a valid Energize Updates subscription is required.
After the license expires, the firewall enters a 14-day grace period during which you have time to renew your licenses. When the grace periods ends, the behavior depends on if the firewall is managed by a Control Center or is a stand-alone. The configuration of stand-alone firewalls is read-only, but the services remain active. If the firewall is managed by a Control Center, all services are shut down.
Pay-As-You-Go License (PAYG)
PAYG licenses are available in two types: hourly and volume based. Volume-based (metered) licenses are currently available only in AWS. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. PAYG licenses include the following services:
- Forwarding Firewall
- VPN service
- All services included in the Advanced Remote Access subscription
- Mail Gateway (no longer available in releases 8.x and higher)
- HTTP Proxy
- SSH Proxy (no longer available in releases 8.x and higher)
- DHCP Relay
- FTP Gateway (no longer available in releases 8.x and higher)
- Dynamic Routing
- (If managed by a Control Center) Distributed Firewall
There are two types of PAYG licenses:
- PAYG (hourly) – The hourly instance price includes the firewall license. Some restrictions may apply. Both firewall license and instance cost are billed via the cloud vendor.
- PAYG (volume based) – The firewall license is determined by how much data is processed by the firewall. The hourly instance price is added to the cost. Both firewall license and instance cost are billed via the cloud vendor.
Automatic Licensing Creation During First Boot
The license is generated on first boot and bound to the unique ID generated by the public cloud provider. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot are required. The unique ID for the respective cloud vendor is used as the identifier for each new PAYG firewall. These IDs do not change if the VM is stopped or moved within the data center. They will change, however, if a snapshot is used to create a new instance, invalidating the license. The Host ID column of the CONTROL > Licensing page shows the UUID of the PAYG license that must match with the UUID in the HOST IDs section. If used in a high availability cluster, you must export the license of the secondary firewall and import it on the primary one before the HA sync.
Volume Based Billing
Firewalls using volume based or metered billing are billed based on the amount of traffic handled by the firewall. This includes all incoming, outbound, and forwarding traffic. In some scenarios such as VPN and HTTP Proxy, traffic is counted twice. For example, the VPN tunnel traffic is added to the traffic going through the VPN tunnel, resulting in every MB of VPN traffic being counted double.
To properly report the billing information to the AWS Marketplace, the instance must be deployed with an IAM role that includes access to the AWS Marketplace Metering API. Traffic is reported once per hour. If the reporting fails, the firewall license is set to grace mode. The firewall remains fully functional in grace mode. Every hour the firewall attempts to report the metering information. Data that could not be reported is added to the next hour's report. If reporting fails for 3 hours, the firewall switches to grace-expired mode. In grace-expired mode, the firewall configuration is locked, and only export-restricted ciphers are allowed. When reporting resumes, the firewall license is enabled again to resume normal operations.
The reported data volume is calculated by the firewall as follows:
- There is no data cap, or minimum usage.
- Any traffic matching an access rule with an allow policy (Pass, App Redirect, Map, Dst NAT) is counted, both in the Host and the Forwarding Firewall. Traffic such as VPN traffic which matches both host and forwarding access rules, is counted each time, effectively doubling the billed volume for this type of traffic.
- Traffic blocked by the firewall is not counted.
- Management traffic of the firewall, such as pattern, or definition updates, as well as update packages downloaded by the firewall is billed.
Switching to Other License Types
It is not possible to switch a volume based or hourly PAYG instance to BYOL licenses by entering the license token of the BYOL license. To switch from PAYG to BYOL licenses, the firewall instance must be redeployed.