Launching an Instance

These instructions cover how to launch a new instance of the Netgate® pfSense® Plus firewall/VPN appliance from the Amazon EC2 Management Console.

  1. Select the region for the instance to run in using the region tab at the upper right corner of the page.

  2. Select Services from the top navigation, select Compute in the left navigation of the drop-down, and then select EC2 in the main section of the drop-down.

  3. Launch a new instance by clicking on the Launch Instance button under the Resources section of the EC2 dashboard.

  4. Name the instance something like pfSense and, under Application and OS Images, choose Browse more AMIs.

  5. Type Netgate pfSense in the search box and press Enter.

  6. Click the Select button for the Netgate pfSense Plus Firewall/VPN/Router listing in the search result that corresponds to the desired type of instance. This could be either the amd64 AWS product or the arm64/Graviton AWS product depending on the needs of this deployment.

  7. Review pricing and other helpful information, then click Continue.



    There are no optional billable services for the pfSense Plus software. Information about support can be found on the Support Resources page.

  8. Select the desired instance type for the pfSense Plus software from the drop-down.

  9. Choose the desired Network and Subnet that the instance will be deployed in. Choose any other instance-specific settings that may be required in the environment. Optionally expand the Advanced Details section and set parameters as text in the User Data field. The available options are:


    Setting a value via a directive like password=abcdefg will set the password for the administrative account to the given value – abcdefg in this example. If no value is set here, a random password will be assigned in order to keep administrative access from being exposed to the Internet with a default password.


    Setting a value via a directive like mgmtnet= will restrict management access (http, https, ssh) to the given network – in this example. This will cause the firewall rules on the instance (not on access lists in AWS, but on the Netgate pfSense® Plus appliance firewall rules) to restrict management traffic for the instance to the specified source network. The default behavior is to allow management from any host.

    These directives can be set by placing them on a single line in the User Data field and separating them with colons. To specify both parameters, type a statement similar to this one:



    If a password is set using the password parameter listed above, the instance retrieves the password via an unencrypted HTTP request when the system is configured on its first boot. The request is made to an Amazon Web Services-operated server on the local LAN that stores metadata about each running instance. The data for an instance is only made available to that instance, but can be queried from the instance without providing any authentication credentials.

    The best practice is to change the admin password via the pfSense® Plus GUI after the instance comes up to avoid any security risks associated with the unencrypted request. Otherwise it is possible to choose not to set the password at all and let a random password be set.

  10. Choose the desired Network and Subnet to which the Instance will be deployed. Scroll down to configure the network interface(s) with a Static or DHCP-assigned IP address.


    Once the Network Interface(s) are configured, select Next: Add Storage.

  11. Click Next: Add Tags to accept the Storage Device Configuration.

  12. The best practice is to set a tag that can be used to differentiate this instance from other instances by entering a value for the Name tag. Click Next: Configure Security Group after setting any desired tags.

    Press the Add Tag button. Input Name under the Key field and the desired Instance Tag Name under the Value field (e.g. Netgate Firewall/Router).

  13. Select a security group to launch the instance with. The Security group name and Description fields can be left at the default, or replaced with the desired values.

    The security group should allow at least the following traffic to start with:

    • TCP port 443 from

      HTTPS - This is the port that the management GUI listens on.

    • TCP port 22 from

      SSH - This port can be used to connect to a command prompt with an ssh client.

    • UDP port 1194 from

      OpenVPN - The OpenVPN server that is configured by default is bound to this port.

    • UDP port 500 from

      IKE for IPsec VPN.

    • UDP port 4500 from

      IPsec/NAT-T for IPsec VPN.


    If there is an existing security group that includes this access, click Select an existing security group, then select the desired group(s) to use and click Continue. Otherwise, select Create a new security group, and add rules for this access by filling in the form for each rule and clicking the Add Rule button. When all of the rules have been added, click Review and Launch.

  14. Review any AWS warnings and make note of recommendations. Scroll down to review the remaining instance details and click Launch after making any needed adjustments.

  15. Select an existing key pair or create a new key pair to connect to the instance with. Click the checkbox that indicates acknowledgment of access to the selected private key file and then click Launch Instances.


    Do NOT select the Proceed Without a Key Pair option.
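
The User Data and security group choices from the steps above can also be prepared as data for the EC2 API. The following is an added example, not Netgate's own code: it builds the colon-separated User Data line and an ingress rule set for the five listed ports, applying the same management network to the pfSense-side `mgmtnet` directive and to the AWS-side rules for ports 443 and 22. The function names, the CIDR notation and IPv4-only check for `mgmtnet`, the separate VPN source range, the refusal to open management ports to every host, and the 203.0.113.0/24 sample value are assumptions.

```python
import ipaddress

# Ports from the security group step: (protocol, port, purpose, management?)
PFSENSE_PORTS = [
    ("tcp", 443, "HTTPS management GUI", True),
    ("tcp", 22, "SSH", True),
    ("udp", 1194, "OpenVPN", False),
    ("udp", 500, "IKE for IPsec VPN", False),
    ("udp", 4500, "IPsec/NAT-T for IPsec VPN", False),
]


def _cidr(value):
    """Validate an IPv4 network in CIDR form (assumed format); return it normalised."""
    return str(ipaddress.IPv4Network(value, strict=True))


def build_user_data(mgmtnet, password=None):
    """Return the single-line, colon-separated User Data directives."""
    parts = []
    if password is not None:
        # Assumption: ':' separates directives, so a ':' in the value is ambiguous.
        if not password or ":" in password:
            raise ValueError("password must be non-empty and contain no ':'")
        parts.append(f"password={password}")
    parts.append(f"mgmtnet={_cidr(mgmtnet)}")
    return ":".join(parts)


def build_ingress(mgmt_cidr, vpn_cidr):
    """Return an IpPermissions list for EC2 authorize_security_group_ingress."""
    if ipaddress.IPv4Network(mgmt_cidr, strict=True).prefixlen == 0:
        raise ValueError("management ports must not be open to every host")
    rules = []
    for proto, port, purpose, is_mgmt in PFSENSE_PORTS:
        source = _cidr(mgmt_cidr if is_mgmt else vpn_cidr)
        rules.append({
            "IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": source, "Description": purpose}],
        })
    return rules


if __name__ == "__main__":
    MGMT = "203.0.113.0/24"  # constructed sample (documentation range)
    print(build_user_data(MGMT))  # value for the User Data field
    for rule in build_ingress(MGMT, "0.0.0.0/0"):
        print(rule)
```

Leaving `password` unset keeps the randomly assigned admin password, so no secret is placed in User Data. The rule list has the shape boto3 expects for the `IpPermissions` argument of `authorize_security_group_ingress`.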