Planning Worksheet for the VM-Series in the AWS VPC

For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within each subnet. Before you begin, use the following table to collate the network information required to deploy and insert the VM-Series firewall into the traffic flow in the VPC:
Configuration Item / Value

VPC CIDR:
Subnet (public) CIDR:
Subnet (private) CIDR:
Subnet (public) Route Table:
Subnet (private) Route Table:
Security Groups:
  • Rules for Management Access to the firewall (eth0/0)
  • Rules for access to the dataplane interfaces of the firewall
  • Rules for access to the interfaces assigned to the application servers.
VM-Series firewall behind ELB:

EC2 Instance 1 (VM-Series firewall)
An EIP is only required for the dataplane interface that is attached to the public subnet.
Subnet:
Instance type:
Mgmt interface IP:
Mgmt interface EIP:
Dataplane interface eth1/1
  • Private IP:
  • EIP (if required):
  • Security Group:
Dataplane interface eth1/2
  • Private IP:
  • EIP (if required):
  • Security Group:

EC2 Instance 2 (Application to be secured)
Repeat this set of values for each additional application being deployed.
Subnet:
Instance type:
Mgmt interface IP:
Default gateway:
Dataplane interface 1
  • Private IP:
Requirements for HA
If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
  • Create an IAM role and assign the role to the VM-Series firewall when you are deploying the instance. See IAM Roles for HA.
  • Deploy the HA peers in the same AWS availability zone.
  • The active firewall in the HA pair must have at minimum three ENIs: two dataplane interfaces and one management interface.
  • The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure that dataplane interface as the HA2 interface.
  • Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active (previously passive) firewall.
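A small pre-deployment check for the worksheet above, added here as an example and not part of the Palo Alto Networks documentation or product: it verifies that the planned subnets fit inside the VPC CIDR without overlapping and that an HA pair meets the ENI, availability-zone and IAM-role requirements listed above. All CIDRs, names and zones in the sample worksheet are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Firewall:
    name: str
    availability_zone: str
    iam_role: Optional[str]   # required for HA (see IAM Roles for HA)
    eni_count: int            # management ENI + dataplane ENIs


@dataclass
class Worksheet:
    vpc_cidr: str
    public_cidr: str
    private_cidr: str
    ha_pair: Optional[Tuple[Firewall, Firewall]] = None  # (active, passive)


def validate_worksheet(ws: Worksheet) -> List[str]:
    """Return a list of planning problems; an empty list means the plan is consistent."""
    findings: List[str] = []
    vpc = ipaddress.ip_network(ws.vpc_cidr)
    subnets = {"public": ipaddress.ip_network(ws.public_cidr),
               "private": ipaddress.ip_network(ws.private_cidr)}
    # Every subnet must be carved out of the VPC CIDR, and subnets must not overlap.
    for label, net in subnets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{label} subnet {net} is outside VPC {vpc}")
    if subnets["public"].overlaps(subnets["private"]):
        findings.append("public and private subnets overlap")
    if ws.ha_pair is None:
        return findings
    active, passive = ws.ha_pair
    if active.availability_zone != passive.availability_zone:
        findings.append("HA peers must be deployed in the same availability zone")
    for fw in (active, passive):
        if not fw.iam_role:
            findings.append(f"{fw.name}: no IAM role assigned for HA")
    if active.eni_count < 3:      # management + two dataplane interfaces
        findings.append(f"{active.name}: active peer needs at least 3 ENIs")
    if passive.eni_count != 2:    # management + HA2 only; no extra dataplane ENIs
        findings.append(f"{passive.name}: passive peer needs exactly 2 ENIs (mgmt + HA2)")
    return findings


# Constructed sample worksheet that satisfies every requirement.
SAMPLE = Worksheet("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24",
                   (Firewall("fw-active", "us-east-1a", "vmseries-ha-role", 3),
                    Firewall("fw-passive", "us-east-1a", "vmseries-ha-role", 2)))
```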