Configure VPN from VMC to WatchGuard™ Firebox Cloud – Part 2

Phase 2 – Deploy the instance of the Firebox

In Part 1 of this post we deployed a new transit VPC with a subnet and a route table configured accordingly.

Now it’s time to deploy a WatchGuard Firebox Cloud EC2 instance in the transit VPC. From the EC2 dashboard, you can create a new EC2 instance for Firebox Cloud.

To launch this instance of Firebox Cloud:

  • Select Services > EC2.
  • In the EC2 Dashboard, click Launch Instance.
  • Select AWS Marketplace and type ‘firebox’ in the search box. Select the WatchGuard Firebox Cloud (Hourly) AMI.
  • Review the pricing details and click Continue.
  • Select the smallest available instance type, the free-tier t2.micro, and click Next: Configure Instance Details.
    The Configure Instance Details step opens.
  • From the Network drop-down list, select your transit VPC.
  • From the Subnet drop-down list, select the public subnet to use for eth0.
    The subnet you select appears in the Network Interfaces section for eth0.
  • To add a second interface, in the Network interfaces section, click Add Device.
    eth1 is added to the list of network interfaces.
  • Click Next: Add Storage.
  • Use the default storage size (5 GB).
  • Click Next: Add Tags.
  • Click Next: Configure Security Group. By default, the instance uses a security group that functions as a basic firewall. This security group restricts inbound traffic to the following ports: HTTPS (TCP 8080), SSH, and TCP 4118 (WatchGuard firewalls may allow remote management with WatchGuard System Manager (WSM) over TCP ports 4117 and 4118). Limit the source of these management rules to your administrative IP range rather than leaving them reachable from the whole Internet.
  • Click Review and Launch.
    The configured information for your instance appears.
  • Click Launch.
    The key pair settings dialog box opens.

Phase 3 – Finish configuring the instance of the Firebox

Once the firewall is deployed, from the EC2 Dashboard click Instances to see a list of all instances. The new instance should appear in the list:

Disable Source/Destination Checks

By default, each EC2 instance performs source/destination checks: it drops packets for which it is neither the source nor the final destination. For the networks in your VPC to successfully use your instance of Firebox Cloud for NAT, you must disable the source/destination check for the network interfaces assigned to the instance of Firebox Cloud.

To disable source/destination checks for the public interface:

  • From the EC2 Management Console, select Instances > Instances.
  • Select the instance of Firebox Cloud.
  • Select Actions > Networking > Change Source/Dest. Check. The confirmation message names the public interface of this instance.
  • Click Yes, Disable.
    The source and destination checks are disabled for the public and private interfaces.
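The launch and source/destination-check steps above, expressed with the AWS CLI, as an added example that is not part of the original post and not WatchGuard's or AWS's own code. It assumes the AWS CLI v2 is installed with credentials configured; the VPC, subnet, AMI and key-pair values and the administrative range 203.0.113.0/24 are placeholders or constructed sample values (the Marketplace AMI ID must be looked up for your region), and the Elastic IP attached to eth0 is an assumption the post does not spell out, needed because a launch with more than one interface cannot auto-assign a public IP. With DRY_RUN=1, the default, every aws command is printed instead of executed, and the management rules are written for the admin range only instead of the default any-source rule.

```shell
#!/bin/sh
# Added example (not from the original post): launch Firebox Cloud with two interfaces and
# disable source/destination checks, via the AWS CLI. Assumes AWS CLI v2 with credentials;
# all IDs, the key-pair name and the admin range are placeholders or constructed values.
# DRY_RUN=1 (default) prints each aws command instead of running it.

aws_call() {
  # $1: placeholder echoed instead of the real output in dry-run mode; rest: aws command line.
  placeholder=$1; shift
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "aws $*" >&2
    echo "$placeholder"
  else
    aws "$@"
  fi
}

disable_src_dst_check() {
  # Set per ENI: the instance-level setting covers only the primary (eth0) interface,
  # and the post wants the check off on both the public and the private interface.
  aws_call "" ec2 modify-network-interface-attribute --network-interface-id "$1" --no-source-dest-check >/dev/null
}

launch_firebox() {
  vpc=$1; pub_subnet=$2; priv_subnet=$3; ami=$4; key=$5; admin_cidr=$6
  sg=$(aws_call sg-PLACEHOLDER ec2 create-security-group --group-name firebox-mgmt \
       --description "Firebox Cloud management" --vpc-id "$vpc" --query GroupId --output text)
  # Management ports named in the post (HTTPS 8080, SSH 22, WSM 4117-4118), reachable
  # only from the administrative range instead of the default any-source rule.
  for port in 8080 22 4117-4118; do
    aws_call "" ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp \
             --port "$port" --cidr "$admin_cidr" >/dev/null
  done
  # eth0 in the public subnet, eth1 in the private subnet. A launch with more than one
  # interface cannot auto-assign a public IP, so an Elastic IP is attached to eth0 below.
  inst=$(aws_call i-PLACEHOLDER ec2 run-instances --image-id "$ami" --instance-type t2.micro \
         --key-name "$key" \
         --network-interfaces "DeviceIndex=0,SubnetId=$pub_subnet,Groups=$sg" \
                              "DeviceIndex=1,SubnetId=$priv_subnet,Groups=$sg" \
         --query 'Instances[0].InstanceId' --output text)
  aws_call "" ec2 wait instance-exists --instance-ids "$inst" >/dev/null
  # Every attached ENI as "<device index> <eni id>" pairs (text output is whitespace separated).
  set -- $(aws_call "0 eni-PUBLIC 1 eni-PRIVATE" ec2 describe-instances --instance-ids "$inst" \
           --query 'Reservations[0].Instances[0].NetworkInterfaces[].[Attachment.DeviceIndex,NetworkInterfaceId]' \
           --output text)
  eth0=""
  while [ $# -ge 2 ]; do
    [ "$1" = "0" ] && eth0=$2
    disable_src_dst_check "$2"
    shift 2
  done
  eip=$(aws_call eipalloc-PLACEHOLDER ec2 allocate-address --domain vpc --query AllocationId --output text)
  aws_call "" ec2 associate-address --allocation-id "$eip" --network-interface-id "$eth0" >/dev/null
  echo "INSTANCE_ID=$inst SECURITY_GROUP_ID=$sg ETH0=$eth0 EIP_ALLOCATION=$eip"
}

# Placeholder inputs; replace them with the IDs from Part 1 and run with DRY_RUN=0.
launch_firebox vpc-PLACEHOLDER subnet-PUBLIC subnet-PRIVATE ami-PLACEHOLDER my-keypair 203.0.113.0/24
```

The security group created here carries only the management rules; the rules for the IPsec peers (UDP 500 for IKE and UDP 4500 for NAT traversal) belong in the VPN configuration and should be limited to the peer's public address rather than opened to any source.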

Configure VPN from VMC to WatchGuard™ Firebox Cloud – Part 1

When I look back, I realise I have been working at VMware for about 9 months, and I have spent that time dealing with a high number of requests, questions and issues from my customers.

One of the most demanding ones is integrating VMC on AWS with a firewall in a transit VPC, either for security purposes or because the number of VPNs that need to be established exceeds the supported maximum (currently 16).

One of my customers recently asked me whether it was possible to create a VPN from VMC to a WatchGuard™ firewall, so I decided to give it a try.

The objective of this guide is to help configure an IPsec route-based VPN from VMC on AWS to a WatchGuard™ Firebox Cloud firewall hosted in a transit VPC. I will also show how to set up a route-based VPN from the WatchGuard™ firewall to an AWS VGW in order to connect it to another native VPC.

Network Architecture diagram

Transit VPC with VPNs attachment to VMC and a native VPC

AWS Deployment phase

Phase 1 – Configure an AWS transit VPC

First, you need to configure an AWS VPC with at least two subnets. A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.

You can use the VPC Wizard to create a VPC with public and private subnets or create it manually. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

If you choose the wizard, you will have to terminate the NAT instance that the VPC Wizard creates automatically, because the instance of Firebox Cloud will perform NAT for the subnets in this VPC.

I will be using the manual method:

Create a new VPC

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. Choose a CIDR block for your VPC:

Now create a public subnet with a CIDR block that is a subset of the VPC CIDR range:

Choose a CIDR block for your public subnet:

Create a private subnet from the VPC CIDR range in the same Availability Zone as the public subnet (the CIDR block of the private subnet cannot overlap with that of the public subnet):

Choose a CIDR block for your private subnet:

We will now deploy an AWS Internet Gateway (IGW) from the VPC Dashboard. In the VPC Dashboard, click the Internet Gateways menu on the left:

Attach the new IGW to the transit VPC: click Attach to VPC (or choose it from the Actions drop-down menu), select the transit VPC and click Attach.

The IGW is seen as attached to the VPC that was created:

Next, we will create a route table for the transit VPC: from the VPC Dashboard, select the Route Tables menu and click Create Route Table as shown:

The route table must be associated with your transit VPC, as highlighted above. Provide a name for the route table, select the transit VPC from the drop-down menu and click Create.

The next step is to create a default route in the new transit VPC route table. Select the Routes tab and click Edit.

Add a route for destination 0.0.0.0/0 whose target is the IGW created earlier.

Next, from the same window, select the Subnet Associations tab, click Edit and select the public subnet created earlier. Once done, click Save.
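Phase 1 as an AWS CLI script, added here as an example rather than taken from the post. It assumes the AWS CLI v2 with working credentials; the CIDR blocks and the Availability Zone us-east-1a are constructed sample values, and the resource IDs printed in dry-run mode (DRY_RUN=1, the default) are placeholders. Before anything is created, check_subnet_plan enforces the two rules stated above, that both subnets are carved from the VPC block and that the public and private subnets do not overlap, and the script associates the IGW default route with the public subnet only.

```shell
#!/bin/sh
# Added example (not from the original post): Phase 1, the transit VPC, via the AWS CLI.
# Assumes: AWS CLI v2 with credentials configured. CIDRs, AZ and the IDs returned in
# dry-run mode are constructed placeholders. DRY_RUN=1 (default) prints commands only.

ip2int() {
  # Dotted-quad IPv4 address -> 32-bit integer (10.0.1.0 -> 167772416).
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_mask() {
  # Prefix length -> network mask as an integer (16 -> 0xFFFF0000 = 4294901760).
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_overlap() {
  # Succeeds when the two CIDR blocks share at least one address.
  a_net=$(ip2int "${1%/*}"); a_len=${1#*/}
  b_net=$(ip2int "${2%/*}"); b_len=${2#*/}
  short=$a_len; [ "$b_len" -lt "$short" ] && short=$b_len
  m=$(prefix_mask "$short")
  [ $(( a_net & m )) -eq $(( b_net & m )) ]
}

cidr_contains() {
  # Succeeds when CIDR $2 lies entirely inside CIDR $1.
  [ "${2#*/}" -ge "${1#*/}" ] && cidr_overlap "$1" "$2"
}

check_subnet_plan() {
  # The post's rules: both subnets are carved from the VPC block and must not overlap.
  vpc_blk=$1; pub_blk=$2; priv_blk=$3
  cidr_contains "$vpc_blk" "$pub_blk"  || { echo "public subnet $pub_blk is outside $vpc_blk" >&2; return 1; }
  cidr_contains "$vpc_blk" "$priv_blk" || { echo "private subnet $priv_blk is outside $vpc_blk" >&2; return 1; }
  if cidr_overlap "$pub_blk" "$priv_blk"; then
    echo "subnets $pub_blk and $priv_blk overlap" >&2; return 1
  fi
  return 0
}

aws_call() {
  # $1: placeholder ID echoed in dry-run mode; remaining args: the aws command line.
  placeholder=$1; shift
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "aws $*" >&2
    echo "$placeholder"
  else
    aws "$@"
  fi
}

build_transit_vpc() {
  vpc_cidr=$1; pub_cidr=$2; priv_cidr=$3; az=$4
  check_subnet_plan "$vpc_cidr" "$pub_cidr" "$priv_cidr" || return 1
  vpc=$(aws_call vpc-PLACEHOLDER ec2 create-vpc --cidr-block "$vpc_cidr" --query Vpc.VpcId --output text)
  pub=$(aws_call subnet-PUBLIC ec2 create-subnet --vpc-id "$vpc" --cidr-block "$pub_cidr" \
        --availability-zone "$az" --query Subnet.SubnetId --output text)
  # Private subnet in the same Availability Zone as the public one.
  priv=$(aws_call subnet-PRIVATE ec2 create-subnet --vpc-id "$vpc" --cidr-block "$priv_cidr" \
        --availability-zone "$az" --query Subnet.SubnetId --output text)
  igw=$(aws_call igw-PLACEHOLDER ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws_call "" ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc" >/dev/null
  rtb=$(aws_call rtb-PLACEHOLDER ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
  aws_call "" ec2 create-tags --resources "$vpc" "$rtb" --tags Key=Name,Value=transit-vpc >/dev/null
  # Default route to the IGW, associated with the public subnet only: the private subnet
  # stays on the VPC's main route table and will reach the Internet through the Firebox NAT.
  aws_call "" ec2 create-route --route-table-id "$rtb" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw" >/dev/null
  aws_call "" ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$pub" >/dev/null
  echo "VPC_ID=$vpc PUBLIC_SUBNET_ID=$pub PRIVATE_SUBNET_ID=$priv IGW_ID=$igw ROUTE_TABLE_ID=$rtb"
}

# Constructed sample addressing; run with DRY_RUN=0 to create the resources for real.
build_transit_vpc 10.0.0.0/16 10.0.1.0/24 10.0.2.0/24 us-east-1a
```

The CIDR arithmetic is plain POSIX shell so the plan can be validated on a workstation without any AWS access; the printed IDs are what the Part 2 launch step needs as input.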

Next, create a native “spoke” VPC (a VPC attached to the Firebox through a VPN, where we will run some EC2 instances to test access to the SDDC):

This is the end of this Part 1.

In Part 2 we will deploy the WatchGuard VM in the transit VPC.