CloudFormation Deployment
This document covers deploying a pfSense® Plus software instance on AWS using CloudFormation templates from the AWS Marketplace.
AWS CloudFormation is the native infrastructure-as-code service for Amazon Web Services. Deploying pfSense Plus software through CloudFormation provides a workflow that many AWS users already rely on for managing infrastructure.
Prerequisites
Before deploying this AWS CloudFormation template through the AWS Marketplace, ensure the following requirements are in place:
- AWS Account and Permissions
This deployment requires an active AWS account, and the account must be logged in with a user or role which has permissions to launch EC2 instances, create Elastic IPs, security groups, network interfaces, and deploy CloudFormation stacks.
- VPC and Subnets
This deployment requires an existing VPC with at least one public subnet and one private subnet in the same AWS region as the EC2 instance.
The deployed instance uses the public subnet for the WAN interface, and the private subnet is for the LAN interface.
- EC2 Key Pair
A valid EC2 key pair must exist in the target AWS Region to allow SSH access to the instance.
- Network Access Requirements
Determine the CIDR ranges which will be allowed to reach the management interfaces, SSH over TCP port 22 and HTTPS over TCP port 443. These are configurable parameters in the template.
- Optional User Data
If desired, set an initial admin account password and restrict management network access using the UserData parameter, for example: password=abcdefg:mgmtnet=10.0.1.0/24
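A pre-deployment check for the management CIDR ranges and the UserData string described above. This is an added example, not part of the template or the original documentation. It assumes the colon-separated key=value layout of the UserData example above, and the function names, the 4096-address limit and the 12-character minimum are illustrative local policy choices.

```python
import ipaddress

# The two keys in the page's UserData example; accepting only these is an assumption.
KNOWN_KEYS = {"password", "mgmtnet"}

def parse_userdata(userdata):
    """Split 'key=value:key=value' into a dict, rejecting malformed fields."""
    fields = {}
    for part in userdata.split(":"):
        key, sep, value = part.partition("=")
        if not sep or not value or key not in KNOWN_KEYS or key in fields:
            # Also catches a ':' inside the password, which would split the field.
            raise ValueError(f"malformed UserData field: {part!r}")
        fields[key] = value
    return fields

def check_cidr(label, cidr, max_addresses=4096):
    """Findings for one management range; max_addresses is a local policy choice."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{label}: invalid network {cidr!r} ({exc})"]
    if net.prefixlen == 0:
        return [f"{label}: {cidr} exposes management to every address"]
    if net.num_addresses > max_addresses:
        return [f"{label}: {cidr} is wider than {max_addresses} addresses"]
    return []

def review(ssh_cidr, https_cidr, userdata="", min_password_len=12):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = check_cidr("SSH", ssh_cidr) + check_cidr("HTTPS", https_cidr)
    if userdata:
        fields = parse_userdata(userdata)
        if "mgmtnet" in fields:
            findings += check_cidr("mgmtnet", fields["mgmtnet"])
        password = fields.get("password")
        if password is not None and len(password) < min_password_len:
            findings.append(f"password: shorter than {min_password_len} characters")
    return findings

if __name__ == "__main__":
    # Constructed inputs: the page's UserData example plus an open SSH range.
    for finding in review("0.0.0.0/0", "203.0.113.0/24",
                          "password=abcdefg:mgmtnet=10.0.1.0/24"):
        print(finding)
```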
Provisioned Resources
This CloudFormation stack deploys a single pfSense Plus EC2 instance along with the networking components the instance requires to operate on AWS. It provisions the following resources:
- One pfSense Plus EC2 instance using the Marketplace AMI specified in the template.
- Two Elastic Network Interfaces (ENIs):
  - A primary ENI for the public subnet (WAN).
  - A secondary ENI in the private subnet (LAN).
- Security group allowing SSH (TCP/22), HTTPS (TCP/443), and VPN-related ports for IPsec (UDP/500, UDP/4500) and OpenVPN (UDP/1194).
- Elastic IP address associated with the WAN interface.
- UserData initialization (optional) to configure the admin password and the management access network.
AWS Marketplace Deployment
Navigate to the pfSense Plus software product page on AWS Marketplace.
Tip
If the expected options are not visible, ensure the account is logged in and has proper permissions as described in Prerequisites.
Click Continue to Subscribe.
Accept the terms to enable the AMI for use in the current AWS account.
Click Continue to Configuration.
Choose the AWS Region in which to deploy the instance.
Click Continue to Launch.
Select Launch with CloudFormation in the Launch section.
Configure the CloudFormation Deployment
The template will be selected automatically and will continue to the stack configuration.
Warning
Do not modify the AMI parameter.
Enter required parameters:
- Stack Name
- VPC ID
- Public subnet ID (WAN)
- Private subnet ID (LAN)
- EC2 Key Pair
- Optional UserData
- Allowed CIDR ranges for SSH and HTTPS
Note
The selected subnets must be in the same Availability Zone.
Review the instance type and network settings before proceeding.
Review and Launch the Stack.
Verify all parameters and create the AWS CloudFormation stack.
Monitor Stack Creation
Wait for the stack status to reach CREATE_COMPLETE.
Access the pfSense Plus software instance
Once deployed, use the assigned Elastic IP, which is visible in the Outputs section or EC2 console, to access the pfSense software web interface over HTTPS.
Note
If the admin account password was not set using the UserData parameter of the CloudFormation template, AWS will generate a random password. To retrieve this randomized password, select the EC2 instance, then click Actions, Monitor and troubleshoot, Get system log.