For ease of deployment, plan the subnets within the VPC and the EC2 instances you want to deploy in each subnet. Before you begin, use the following worksheet to collect the network information required to deploy the VM-Series firewall and insert it into the traffic flow in the VPC:
Subnet (public) CIDR
Subnet (private) CIDR
Subnet (public) Route Table
Subnet (private) Route Table
Security group rules:
  Rules for management access to the firewall (eth0, the management interface)
  Rules for access to the dataplane interfaces of the firewall (eth1 and higher, which map to ethernet1/1 and higher on the firewall)
  Rules for access to the interfaces assigned to the application servers
VM-Series firewall behind ELB (yes/no)
EC2 Instance 1 (VM-Series firewall)
EIP: an EIP is only required for the dataplane interface that is attached to the public subnet.
If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
Create an IAM role and assign it to the VM-Series firewall when you deploy the instance. See IAM Roles for HA.
Deploy the HA peers in the same AWS availability zone.
The active firewall in the HA pair must have at least three ENIs: one management interface and two dataplane interfaces.
The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you configure this dataplane interface as the HA2 interface.
Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces of the previously active firewall are moved (detached and then attached) to the newly active, previously passive, firewall. Because an ENI belongs to a subnet in a single Availability Zone, this move only works when both peers are in the same zone, which is why the peers must share an availability zone.
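As an added example (not code from the Palo Alto Networks documentation or the VM-Series product), the following Python script checks a planned deployment against both the worksheet above and the HA requirements in this list: subnet CIDRs inside the VPC and not overlapping, both peers in one Availability Zone, an IAM role on each instance, the ENI counts each HA role needs, and an EIP on the active firewall's public-subnet dataplane interface. It runs offline on a constructed description shaped loosely like the EC2 DescribeInstances response; the instance IDs, role ARN, zone and CIDRs are hypothetical, and the "Subnet" labels stand in for the SubnetId the API would return.

```python
"""Preflight checks for a VM-Series active/passive pair in an AWS VPC.

Added example, not part of the vendor documentation. Runs offline on a
constructed, DescribeInstances-shaped deployment description; every ID,
ARN, zone and CIDR below is hypothetical.
"""
import ipaddress

# --- Constructed sample deployment (hypothetical values) -----------------
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {  # the worksheet's public and private subnet CIDRs
    "public": "10.0.0.0/24",
    "private": "10.0.1.0/24",
}

# DeviceIndex 0 is eth0, the management interface; DeviceIndex 1, 2, ...
# are the dataplane ENIs (ethernet1/1, ethernet1/2, ... on the firewall).
ACTIVE = {
    "InstanceId": "i-0aaaaaaaaaaaaaaa1",
    "Placement": {"AvailabilityZone": "us-west-2a"},
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/vmseries-ha"},
    "NetworkInterfaces": [
        {"DeviceIndex": 0, "Subnet": "mgmt"},
        {"DeviceIndex": 1, "Subnet": "public", "Association": {"PublicIp": "203.0.113.10"}},
        {"DeviceIndex": 2, "Subnet": "private"},
    ],
}
PASSIVE = {
    "InstanceId": "i-0bbbbbbbbbbbbbbb2",
    "Placement": {"AvailabilityZone": "us-west-2a"},
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/vmseries-ha"},
    "NetworkInterfaces": [
        {"DeviceIndex": 0, "Subnet": "mgmt"},
        # The single dataplane ENI, configured as HA2 on the firewall.
        # Placing it in the private subnet is an assumption of this example.
        {"DeviceIndex": 1, "Subnet": "private"},
    ],
}


def check_subnets(vpc_cidr, subnets):
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} {net} is not inside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


def dataplane_enis(instance):
    """All ENIs except eth0, which is the management interface."""
    return [e for e in instance["NetworkInterfaces"] if e["DeviceIndex"] > 0]


def check_ha_pair(active, passive):
    """Apply the HA rules: same AZ, IAM role, ENI counts, EIP placement."""
    findings = []
    az_a = active["Placement"]["AvailabilityZone"]
    az_p = passive["Placement"]["AvailabilityZone"]
    if az_a != az_p:  # ENIs cannot move across zones on failover
        findings.append(f"HA peers are in different AZs ({az_a} vs {az_p})")
    for role, inst in (("active", active), ("passive", passive)):
        if not inst.get("IamInstanceProfile"):  # key is absent when no role
            findings.append(f"{role} firewall {inst['InstanceId']} has no IAM role attached")
        if not any(e["DeviceIndex"] == 0 for e in inst["NetworkInterfaces"]):
            findings.append(f"{role} firewall has no management ENI (eth0)")
    n_active = len(dataplane_enis(active))
    if n_active < 2:
        findings.append(f"active firewall has {n_active} dataplane ENI(s); needs at least two")
    n_passive = len(dataplane_enis(passive))
    if n_passive != 1:
        findings.append(f"passive firewall has {n_passive} dataplane ENI(s); needs exactly one (HA2)")
    for eni in dataplane_enis(active):
        # An EIP is required only on the dataplane ENI in the public subnet.
        if eni["Subnet"] == "public" and not eni.get("Association", {}).get("PublicIp"):
            findings.append(f"active dataplane ENI eth{eni['DeviceIndex']} in public subnet has no EIP")
    return findings


def preflight(vpc_cidr, subnets, active, passive):
    """Return all findings; an empty list means the plan passes."""
    return check_subnets(vpc_cidr, subnets) + check_ha_pair(active, passive)


if __name__ == "__main__":
    for finding in preflight(VPC_CIDR, SUBNETS, ACTIVE, PASSIVE) or ["OK: no findings"]:
        print(finding)
```

To run it against a live account, replace the constructed dictionaries with the `Instances` records from `boto3.client("ec2").describe_instances(...)` and map each ENI's `SubnetId` to the worksheet labels; the checks themselves do not change.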