Protecting a private network in VPC
An instance of the Netgate® pfSense® Plus appliance can be used as a firewall for a VPC subnet. This will generally require more manual configuration than using an instance to host a remote access VPN does. See the VPC User Guide for a more detailed explanation of how to configure a VPC and a Netgate pfSense® Plus appliance instance to support this.
Connecting a local Netgate device running pfSense® Plus software
In addition to connecting remote devices as clients, a device running pfSense® Plus software as a firewall/router can be connected as a peer to a Netgate® appliance.
Read Configuring a Site-to-Site Static Key OpenVPN Instance in the pfSense software documentation to see the process of configuring this setup.
When implementing the configuration changes detailed in that document, the best practice is to use the Netgate appliance instance on AWS as the “server” end of the connection and the local Netgate device as the “client” end. Additionally, make sure that the server uses a unique port. The default remote access OpenVPN server is configured to use UDP port 1194, so a site-to-site server must not reuse it. When adding a site-to-site tunnel, the best practice is to use a port between 2000. Whichever port the site-to-site tunnel uses must be opened both in the firewall rules on the Netgate appliance instance (on its WAN interface) and in the Security Group in the EC2 Management Console; in the Security Group, restrict the rule to the public IP address of the local site rather than opening the port to the world.
To route all traffic from a home/office network through the OpenVPN tunnel to the Netgate appliance instance, add this statement to the advanced options for the OpenVPN Client on the home/office Netgate device:
This will cause a default route to be set that sends all locally originated traffic from the home/office network over the OpenVPN tunnel once it is established. When using this configuration to send all traffic from a local network through the OpenVPN tunnel, the outgoing traffic also needs NAT applied on the Netgate appliance instance on AWS so that traffic from the home/office network can reach the internet. This can be accomplished by adding the CIDR block for the home/office network to the preconfigured alias called Networks_to_NAT. Navigate to Firewall > Aliases in the GUI, then click the edit icon to the right of Networks_to_NAT. Add the new network address and mask to the list of Networks and click the Save button, then click the Apply Changes button. Add the network used for the tunnel endpoints (the IPv4 Tunnel Network of the OpenVPN server) to the Networks_to_NAT alias as well, using the same procedure that was used to add the home/office network.
Connecting multiple pfSense Plus gateways to a Netgate appliance
Multiple home/office networks can be connected to a single Netgate appliance instance. This could be used to allow clients at different office locations to communicate without requiring tunnels between each individual location. It could also be used as a way to apply policies on traffic to/from the internet in one place and have them take effect across multiple locations.
For each site, repeat the instructions above for connecting an individual device: add an OpenVPN server on the Netgate appliance instance and an OpenVPN client on that site's local Netgate device. Each OpenVPN server that is configured must use a unique port and a unique, non-overlapping network for its IPv4 Tunnel Network, and each site's local network must not overlap those of the other sites, or routing between them will be ambiguous. It is recommended to use a name that uniquely identifies each location connected in this manner in the Description field when adding an OpenVPN server for a site on the Netgate appliance.
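The uniqueness rules above are easy to get wrong once several sites are involved, so here is a small consistency check, written for this page as an added example (it is not part of the Netgate documentation or of pfSense software). It models each site-to-site server with the values the GUI asks for, rejects a server that reuses UDP 1194 or another site's port, flags overlapping tunnel or LAN networks, and lists what must be opened in the firewall rules and Security Group and what must be added to the Networks_to_NAT alias. The site names, ports and CIDR blocks in the sample are constructed for illustration.

```python
"""Consistency check for several site-to-site OpenVPN servers on one instance."""
import ipaddress
from dataclasses import dataclass

# The page states the default remote access OpenVPN server listens on UDP 1194,
# so no site-to-site server may reuse it.
REMOTE_ACCESS_PORT = 1194


@dataclass(frozen=True)
class SiteTunnel:
    description: str     # unique location name for the server's Description field
    port: int            # UDP port of this site's OpenVPN server on the instance
    tunnel_network: str  # IPv4 Tunnel Network for this server, e.g. "10.8.1.0/30"
    site_network: str    # home/office LAN behind the local Netgate device


def validate_sites(sites):
    """Return a list of problem strings; an empty list means the set is consistent."""
    problems = []
    ports = {REMOTE_ACCESS_PORT: "remote access server"}
    descriptions = set()
    networks = []  # (label, ip_network, site description) seen so far

    for site in sites:
        if site.description in descriptions:
            problems.append(f"{site.description!r}: description is not unique")
        descriptions.add(site.description)

        if site.port in ports:
            problems.append(
                f"{site.description!r}: UDP port {site.port} already used by {ports[site.port]}")
        else:
            ports[site.port] = site.description

        try:
            tunnel = ipaddress.ip_network(site.tunnel_network, strict=True)
            lan = ipaddress.ip_network(site.site_network, strict=True)
        except ValueError as exc:
            problems.append(f"{site.description!r}: {exc}")
            continue

        # Every tunnel and LAN network must be disjoint from every other one.
        for label, net in (("tunnel", tunnel), ("LAN", lan)):
            for other_label, other_net, other_desc in networks:
                if net.overlaps(other_net):
                    problems.append(
                        f"{site.description!r}: {label} {net} overlaps {other_label} "
                        f"{other_net} of {other_desc!r}")
            networks.append((label, net, site.description))
    return problems


def required_changes(sites):
    """What must be opened and NAT'd on the AWS instance for these sites.

    Returns (ingress, nat): the UDP ports to allow both in the instance's
    firewall rules and in its EC2 Security Group, and the CIDRs (each site's
    LAN plus each tunnel network) to add to the Networks_to_NAT alias.
    """
    ingress = sorted({("udp", site.port) for site in sites})
    cidrs = {site.site_network for site in sites} | {site.tunnel_network for site in sites}
    nat = sorted(cidrs, key=lambda c: ipaddress.ip_network(c))
    return ingress, nat


# Constructed sample: two good sites plus two that break the page's rules.
SAMPLE_SITES = [
    SiteTunnel("Home", 1195, "10.8.1.0/30", "192.168.10.0/24"),
    SiteTunnel("Office-East", 1196, "10.8.2.0/30", "192.168.20.0/24"),
    SiteTunnel("Office-West", 1194, "10.8.3.0/30", "192.168.30.0/24"),  # reuses UDP 1194
    SiteTunnel("Warehouse", 1197, "10.8.1.0/30", "192.168.40.0/24"),    # reuses Home's tunnel net
]

if __name__ == "__main__":
    for problem in validate_sites(SAMPLE_SITES):
        print("PROBLEM:", problem)
    ingress, nat = required_changes(SAMPLE_SITES[:2])
    print("Open in firewall rules and Security Group:", ingress)
    print("Add to Networks_to_NAT:", nat)
```

Run it against the real list of sites before adding the last server; the printed ingress list is what the Security Group and WAN firewall rules must contain, and the NAT list is the full set of entries the Networks_to_NAT alias needs.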
Detect and Recover EC2 Instance Failure
It is also possible to create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying issue.
For more information about instance recovery, see Recover Your Instance.
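As an added example, not taken from the Netgate documentation or from AWS's own samples, the following builds the CloudWatch alarm that the paragraph describes: it watches the instance's system status check (the check that fails on underlying host or hardware problems, which is what EC2 instance recovery addresses) and attaches the EC2 recover action. The alarm name, the 60-second period and the two evaluation periods are this example's own choices; the metric name, namespace and the `arn:aws:automate:<region>:ec2:recover` action format are AWS's. The dictionary it returns is the keyword-argument set for boto3's `CloudWatch.Client.put_metric_alarm`, and `create_recovery_alarm` only imports boto3 when actually called so the rest runs offline.

```python
"""Build (and optionally create) the CloudWatch alarm that auto-recovers an EC2 instance."""

# StatusCheckFailed_System is nonzero when the host-level (system) status check
# fails; the instance-level check is not used because recovery cannot fix an OS fault.
SYSTEM_CHECK_METRIC = "StatusCheckFailed_System"


def recovery_alarm(instance_id, region, period=60, evaluation_periods=2):
    """Return put_metric_alarm() keyword arguments for an auto-recovery alarm.

    period/evaluation_periods are this example's defaults: the alarm fires
    after the system check has failed for two consecutive one-minute periods.
    """
    if not instance_id.startswith("i-"):
        raise ValueError(f"not an EC2 instance id: {instance_id!r}")
    if not region:
        raise ValueError("region is required: the recover action ARN is region-specific")
    return {
        "AlarmName": f"ec2-recover-{instance_id}",  # example naming convention
        "AlarmDescription": f"Recover {instance_id} when its system status check fails",
        "Namespace": "AWS/EC2",
        "MetricName": SYSTEM_CHECK_METRIC,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Maximum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        # The EC2 recover action must name the region the instance runs in.
        "AlarmActions": [f"arn:aws:automate:{region}:ec2:recover"],
    }


def create_recovery_alarm(instance_id, region):
    """Create the alarm with boto3 (needs AWS credentials; imported lazily)."""
    import boto3  # assumed available only when this function is used

    client = boto3.client("cloudwatch", region_name=region)
    params = recovery_alarm(instance_id, region)
    client.put_metric_alarm(**params)
    return params["AlarmName"]


if __name__ == "__main__":
    # Constructed instance id and region; no API call is made here.
    for key, value in recovery_alarm("i-0123456789abcdef0", "us-east-1").items():
        print(f"{key}: {value}")
```

Instance recovery only applies to instance types and configurations that support it, so check the Recover Your Instance page for the current constraints before relying on the alarm.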