Phase 2 – Deploy the instance of the Firebox
In Part 1 of this post we deployed a new transit VPC with a subnet and a route table configured accordingly.
Now it’s time to deploy a WatchGuard FW cloud EC2 instance in the transit VPC. From the EC2 dashboard, you can create a new EC2 instance for Firebox Cloud.
To launch this instance of Firebox Cloud:
- Select Services > EC2.
- In the EC2 Dashboard, Click Launch instance,
- Select AWS Marketplace and type ‘firebox’ in the search window. Select the Watchguard Firebox Cloud (Hourly) AMI.
- You will get the pricing details and Click Continue
- Select the smallest available instance with free tier t2.micro instance type and click Next: Configure Instance details
- The configure Instance Details step opens.
- From the Network drop-down list, select your transit VPC :
- From the Subnet drop-down list, select the public subnet to use for eth0.
The subnet you select appears in the Network Interfaces section for eth0.
- To add a second interface, in the Network interfaces section, click Add Device.
Eth1 is added to the list of network interfaces.
- Click Next: Add Storage
- Use the default storage size (5 GB).
- Click Next: Add Tags
- Click Next: Configure Security Group. By default, the instance uses a security group that functions as a basic firewall. This security group restricts following ports: HTTPS (TCP 8080), SSH, TCP 4118 (WatchGuard Firewalls may allow remote management using WSM (WatchGuard System Manager) over ports 4117, 4118 TCP).
- Click Review and Launch.
The configured information for your instance appears.
- Click Launch.
The key pair settings dialog box opens.
Phase 3 – Finish configuring the instance of the Firebox
Once the firewall is deployed, from the EC2 Dashboard, Click on the instance option and you see a list of all instances. The new instance should appear as here:
Disable Source/Destination Checks
By default, each EC2 instance completes source/destination checks. For the networks on your VPC to successfully use your instance of Firebox Cloud for NAT, you must disable the source/destination check for the network interfaces assigned to the instance of Firebox Cloud.
To disable source/destination checks for the public interface:
- From the EC2 Management Console, select Instances > Instances.
- Select the instance of Firebox Cloud.
- Select Actions > Networking > Change Source/Dest. Check. The confirmation message includes the public interface for this instance.
- Click Yes, Disable.
The source and destination checks are disabled for the public & private interface.