We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Barracuda Web Application Firewall

Barracuda Web Application Firewall Deployment and Quick Start Guide for Amazon Web Services

  • Last updated on

The Barracuda Web Application Firewall can be deployed in One-Arm Proxy Mode on Amazon Web Services. This article explains One-Arm Proxy Mode deployment. Complete the steps in this guide to configure, launch, and license your Barracuda Web Application Firewall instance. Then log into the Barracuda Web Application Firewall to verify your configuration and change your password.

Requirements

Before you deploy the Barracuda Web Application Firewall on Amazon Web Services, ensure that you have completed the following:  

Step 1 - Create a Security Group

Create a security group with rules specifying allowed protocols, ports and source IP ranges. Multiple security groups can be created with different rules, and assigned to each instance. For more information on security groups, refer to the AWS article Amazon EC2 Security Groups.

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 dashboard, select Security Groups under NETWORK & SECURITY.
  3. Click Create Security Group.
  4. In the Create Security Group window, do the following:
    1. Enter a name to identify the security group.
    2. Specify the description for the security group.
    3. Select a VPC ID from the list and click Yes, Create.
  5. The created group appears in the security group table.
  6. Select the security group from the table, and specify the inbound and outbound traffic to be allowed for the instance.

          Create_Security_Group1.jpg

By default, the Barracuda Web Application Firewall web interface listens on port 8000 for HTTP and port 8443 for HTTPS. Make sure these ports (8000 and 8443) are allowed by the Inbound rule of the associated security group. Also, add the port(s) through which you configure the Service(s) for this instance.

Step 2 - Create a Network Interface

Create a network interface using the static IP address, for association with the Barracuda Web Application Firewall later during deployment.

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
  3. Click Create Network Interface.
  4. In the Create Network Interface window, provide the following information for the network interface:
    1. Description – Enter a name for the interface.
    2. Subnet – Select a subnet from the list. Make sure to select the subnet of the VPC where you want to create the instance.
    3. Private IP – Enter the static primary private IP address. It is recommended to use the Static IP address.
    4. Security Groups – Select one or more security groups. Make sure the security group has all the required ports open.

      By default, the Barracuda Web Application Firewall web interface listens on port 8000 for HTTP and port 8443 for HTTPS. Make sure these ports (8000 and 8443) are added to the Inbound Rule of the security group associated with the Barracuda Web Application Firewall.

    5. Click Yes, Create.

Step 3 - (Optional) Assign Multiple Private IP Addresses to the Network Interface of the Instance

Multiple secondary private IP addresses can be assigned to the network interface of the Barracuda Web Application Firewall instance, depending on the selected Instance Type, and can be used to create Services on the Barracuda Web Application Firewall. To assign a secondary private IP address to the Barracuda Web Application Firewall instance, perform the following steps:

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
  3. Identify the instance needing a secondary private IP address assignment and right-click on the network interface attached to the instance.
  4. Select Manage Private IP Addresses.
  5. In the Manage Private IP Addresses window, do the following:
    1. Click Assign a secondary private address.
    2. In the Address field, enter a specific IP address that is within the subnet range for the instance.
    3. (Optional) Select Allow reassignment to allow the secondary private IP address to be reassigned if it is already assigned to another network interface.
    4. Click Yes, Update, and then click Close.

You can also assign a secondary private IP address to an instance by clicking Instances in the navigation pane. In the Instances table, right-click on the instance needing a secondary private IP address assignment and select Manage Private IP Addresses. Repeat step 5 above. For more information, refer to Multiple IP Addresses.

Step 4 - Allocate and Assign an Elastic IP Address to your Instance

When an instance of your Barracuda Web Application Firewall is created, a public IP address is associated with the instance. That public IP address changes automatically when you STOP and START the Barracuda Web Application Firewall. To resolve this issue, assign a persistent public IP address to the instance using Elastic IP addressing. For more information, refer to the Amazon Web Services article Elastic IP Addresses.

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 dashboard, select Elastic IPs under NETWORK & SECURITY.
  3. Click Allocate New Address.
  4. Click Yes, Allocate to confirm and allocate a new IP address. A random Public IP gets generated and displayed in the Allocate New Address table.
  5. In the Allocate New Address table, right click on the new IP address and select Associate.
  6. In the Associate Address window:
    1. Select the Instance and the Private IP Address of the instance from the respective lists.
      OR
    2. Select a Network Interface and the Private IP Address from the respective lists.
    3. Select the Allow Reassociation check box.
  7. Click Yes, Associate.

If you have configured multiple internal IP addresses to the interface, then follow the steps above to allocate and assign the elastic IP address to each internal IP address, so that they can be accessed by the outside world.

Step 5 - Deploy the Barracuda Web Application Firewall on Amazon Web Services

Before you proceed, it is recommended that you go through the Deployment Best Practices article.

In the Amazon VPC that you configured , launch an Amazon EC2 instance with the Barracuda Web Application Firewall AMI image. The Amazon Launch Instance  wizard guides you through the following steps:

  1. Log into the AWS Management Console and open the EC2 Management Console.
  2. From the top right corner of the page, select the region for the instance. This is important because some Amazon EC2 resources can be shared between regions.

    region.jpg

  3. Click Launch Instance.

    launch_instance.jpg

  4. On the Step 1: Choose an Amazon Machine Image (AMI) page, select AWS Marketplace and search for the Barracuda Web Application Firewall AMI. Click Select next to the Barracuda Web Application Firewall AMI.

    BWAF_AMI_Image.jpg

     

  5. On the Step 2: Choose an Instance Type page, select an instance type from the All Instance types or General purpose table. Click Next: Configure Instance Details to continue.

    instance_type.jpg

  6. On the Step 3: Configure Instance Details page:
    1. Enter the Number of instances you want to launch.
    2. Select the appropriate Network from the list to deploy the instance.
    3. Select the appropriate Subnet from the list and select the network interface under Network Interface section that was created in Step 2 - Create a Network Interface.
    4. In the Advanced Details pane, keep the default setting for all parameters and click Next: Add Storage.

      Config_instance_details.png

  7. On the Step 4: Add Storage page, the table displays the storage device settings for the instance. Modify the values if required and click Next: Tag Instance.

    add_storage.jpg

  8. On the Step 5: Tag Instance page, add/remove the tags for the instance (if required) and click Next: Configure Security Group.

    tag_instance.jpg

  9. On the Step 6: Configure Security Group page, choose Select an existing security group to select and assign the security group(s) from the existing list, or choose Create a new security group to create a new group (see Step 1 - Create a Security Group for more information). Click Review and Launch.

    By default, the Barracuda Application Firewall web interface listens on port 8000 for HTTP and port 8443 for HTTPS. Make sure these ports (8000 and 8443) are added to the Inbound Rule of the security group associated with the Barracuda Web Application Firewall.


    security_group.jpg

  10. On the Step 7: Review Instance Launch page, review your settings before launching the instance, and then click Launch.

After you click Launch, Amazon Web Services begins provisioning the Barracuda Web Application Firewall. Allow a few minutes for the Amazon Web Services Agent and the Barracuda Web Application Firewall image to boot up.

DO NOT restart the Barracuda Web Application Firewall while it is launching.

Step 6 - License the Barracuda Web Application Firewall

If you deployed the Barracuda Web Application Firewall with the Hourly/Metered option, you do not need to license the system; skip ahead to Step 7 - Verify Configuration and Change the Password.

If you deployed the Barracuda Web Application Firewall with BYOL, complete the licensing and provisioning of your system.  

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 Dashboard, select Instances under INSTANCES.

    instances.jpg
  3. In the Instances table, select the Barracuda Web Application Firewall instance you created and note the Elastic IP address.

    Instance_elastic_IP.png
  4. Open the browser and enter the copied Elastic IP address (from step 3) with port 8000 for HTTP. No port is required for HTTPS. For example:
    For HTTP:              http://<Public DNS>:8000 (Unsecured)
    For HTTPS:           https://<Public DNS> (Secured)

    The Barracuda Web Application Firewall is not accessible via HTTPS port when it is booting up. Therefore, use ONLY HTTP port to access the unit when booting. This displays the status of the unit i.e., System Booting. Once the boot process is complete, you will be redirected to the login page.

  5. After the boot process is complete, the Licensing page displays with the following options:

    Licensing_BWAF_Vx.PNG

    1. I Already Have a License Token – Use this option to provision your Barracuda Web Application Firewall with the license token you have already obtained from Barracuda Networks. Enter your Barracuda Networks Token and Default Domain to complete licensing, and then click Provision.
      The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.
    2. I Would Like to Purchase a License – Use this option to purchase the license token for the Barracuda Web Application Firewall. Provide the required information in the form, accept the terms and conditions, and click Purchase.
      The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.
    3. I Would Like to Request a Free Evaluation – Use this option to get 30 days free evaluation of the Barracuda Web Application Firewall. Provide the required information in the form, accept the terms and conditions, and click Evaluate.
      The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.

Step 7 - Open Network Address Ranges on Firewall

If your Barracuda Web Application Firewall is located behind a corporate firewall, open the following Barracuda network address ranges for the ports shown in the table below on your firewall to ensure proper operation:

  • 64.235.144.0/20
  • 198.207.200.0/22
  • 209.222.80.0/21
PortDirectionTCPUDPUsage
22Out Yes No Technical Support connections
25In/OutYes No Email alerts
53Out Yes Yes Domain Name Service (DNS)
80/8000Out Yes No Virus/attack/security definition and firmware updates
123 Out No Yes Network Time Protocol (NTP)
8443OutYes No Initial VM Provisioning *
* The initial provisioning port can be disabled once the initial provisioning process is complete.

Step 8 - Verify Configuration and Change the Password

  1. Log into the Barracuda Web Application Firewall web interface as the administrator using the URL, as described in step 4 of Licensing of the Barracuda Web Application Firewall after deploying on Amazon Web Services above. Log in with:
    1. Username: admin     
    2. Password: Instance ID of your Barracuda Web Application Firewall in Amazon Web Services.
  2. Navigate to the BASIC > Administration page and enter your old password, new password, and re-enter the new password. Click Save Password.

Configuring the Service(s) on the Barracuda Web Application Firewall

You can configure the services on the BASIC > Services page.  In Amazon Web Services, the services can be created either using the System (WAN) IP address of the instance or any other IP address from the IP address pool as your System (WAN) IP address in the Virtual IP Address field. Note that configuring the VIP with an IP address from the IP address pool as your System (WAN) IP address is possible only for stand-alone instances. Also, ensure that you:

  • Assign multiple private IP addresses to the network interface of the deployed Barracuda Web Application Firewall instance. The assigned private IP addresses can be used to create the service(s) on the Barracuda Web Application Firewall. For information on how to assign multiple private IP addresses, see .
  • Allocate and assign an Elastic IP (EIP) address to each private IP address assigned to the network interface of the Barracuda Web Application Firewall instance, so that it can be accessed externally. Ensure that the corresponding ports are opened in your security group and firewall. For more information on how to assign the EIP to the private IP address, see .

If you want to cluster the Barracuda Web Application Firewall instances to load balance the traffic, ensure that the services are created using only the System (WAN) IP address. After the service is created using the System (WAN) IP address, the service will be accessible through the Public IP/DNS of the Barracuda Web Application Firewall VM. Ensure that the corresponding ports are opened in your security group and firewall.

For more information on services, see Step 2: Configuring a Service. For detailed instructions on how to add a service, click the Help button.

Last updated on