Planning Worksheet for the VM-Series in the AWS VPC
For ease of deployment, plan the subnets within the
VPC and the EC2 instances that you want to deploy within each subnet. Before
you begin, use the following table to collate the network information
required to deploy and insert the VM-Series firewall into the traffic
flow in the VPC:
firewall interfaces must be assigned an IPv4 address when deployed
in a public cloud environment. IPv6 addresses are not supported.
Subnet (public) CIDR
Subnet (private) CIDR
Subnet (public) Route Table
Subnet (private) Route Table
Management Access to the firewall (eth0/0)
Rules for access to the dataplane interfaces of the firewall
Rules for access to the interfaces assigned to the application servers.
VM-Series firewall behind ELB
EC2 Instance 1 (VM-Series firewall)
EIP is only required for the dataplane interface that is attached to
the public subnet.
Mgmt interface EIP:
EIP (if required):
Dataplane interface eth1/2
EIP (if required):
EC2 Instance 2 (Application to be secured)
these set of values for additional application(s) being deployed.
Requirements for HA
If you are deploying the VM-Series firewalls
in a high availability (active/passive) configuration, you must ensure
Create an IAM role and assign the role
to the VM-Series firewall when you are deploying the instance. See IAM Roles for HA.
Deploy the HA peers in the same AWS availability zone.
The active firewall in the HA pair must have at a minimum
three ENIs: two dataplane interfaces and one management interface.
passive firewall in the HA pair, must have one ENI for management,
and one ENI that functions as dataplane interface; you will configure
the dataplane interface as an HA2 interface.
Do not attach
additional dataplane interfaces to the passive firewall in the HA
pair. On failover, the dataplane interfaces from the previously
active firewall are moved —detached and then attached—to the now
active (previously passive) firewall.