Preparing your VPC
In order to use a Netgate appliance instance to protect your VPC subnets, you will need the following:
One internet-facing subnet, to which the Netgate appliance instance's primary/WAN interface will be connected.
One or more private subnets, to which the Netgate appliance instance's secondary/LAN interface (and possibly additional optional interfaces) will be connected.
Separate routing tables for the internet-facing subnet and the private subnet(s).
If you already have all of these in place with an existing VPC, feel free to skip ahead to Launching an Instance.
These instructions will demonstrate how to create a single private subnet and set it up behind an instance of the pfSense® Certified firewall and VPN appliance from Netgate. In the Amazon VPC Management Console, create a new VPC, subnets, and routing table(s).
Go to Your VPCs view in the menu on the left side of the VPC Management Console under the Virtual Private Clouds grouping. Click the Create VPC button.
Enter a CIDR block to use in the box that pops up. If you will connect to hosts in your VPC using a VPN from hosts at other sites in your infrastructure, be sure to select address space that does not conflict with the private address space used elsewhere by your organization. Make sure the block you choose is large enough to contain all subnets you may want to include within it. For example, if you plan to use a /24 for your internet-facing subnet and a /24 for your private network, the CIDR block you select here will need to be at least a /23 to hold those two subnets. The maximum size block you can select is a /16. For the purposes of this example, we will use 10.2.0.0/16. Leave the value of Tenancy set to Default. Click on the Yes, Create button.
To create the subnets required, go to the Subnets view in the menu on the left side of the VPC Management Console. Click the Create Subnet button. Select the VPC you just created and choose the availability zone you desire. Enter the subnet you wish to use for the internet-facing hosts in the CIDR Block field. This subnet will be the one that the WAN interface of the Netgate appliance instance is attached to, and it could include any other hosts or appliances that you wish to be reachable directly from the Internet rather than protected behind the Netgate appliance. The subnet you select here must be a block that is within the address space you assigned to the VPC. For this example, we will use 10.2.0.0/24. Click on the Yes, Create button.
Create the private subnet. Still in the Subnets view of the VPC Management Console, click the Create Subnet button. In the box that pops up, select the appropriate VPC and the same Availability Zone that you assigned to your public subnet. Enter the subnet you wish to use for your private network in the CIDR Block field. This network should be a subnet of the address space you assigned to the VPC and should be distinct from the subnet you assigned to the public subnet. For this example, we will use 10.2.1.0/24. Click on the Yes, Create button.
Both subnets you created are associated with the default route table that was created for the VPC. The private subnet can continue to use that default table. A new route table will need to be created for the public subnet. Go to the Route Tables view in the menu on the left side of the VPC Management Console. The single existing route table should be displayed. Click on the Create Route Table button. Select the VPC and click on the Yes, Create button.
Associate the public subnet (10.2.0.0/24 in our example) with the routing table that was just created. Go to the Subnets view on the left-hand side of the VPC Management Console. Check the checkbox next to the public subnet and scroll down to look at the Details tab for that subnet. At the top of the Details tab will be listed the CIDR block, VPC, and Availability Zone. Under those items, the Route Table will be listed and will have a link labeled replace next to it. Click on the link. Select the route table in the box that pops up and click on the Yes, Replace button.
In order to send traffic from the public subnet to the Internet, we will need to add a default route to an Internet Gateway. We must first create one. Go to the Internet Gateways view in the menu on the left-hand side of the VPC Management Console. Click on the Create Internet Gateway button. Click the Yes, Create button on the box that pops up. Click the checkbox next to the new Internet Gateway and then click the Attach to VPC button. Select the VPC and click on the Yes, Attach button.
The route table for the public subnet will need to be updated so that it has a default route to the Internet Gateway. Go to the Route Tables view on the left-hand side of the VPC Management Console. Check the checkbox next to the route table for the public subnet. Under the Routes tab for that route table, there should be only a single route listed, for the CIDR block of the VPC (10.2.0.0/16 in our example), with a target of local. There is a row underneath this route with a text box in the Destination field and a pop-up menu for the Target field. Enter 0.0.0.0/0 for the Destination and select the Internet Gateway (should be formatted like igw-XXXXXXXX) for the target. Click on the Add button that appears at the right side of the row. Click the Yes, Add button on the box that pops up.
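The addressing rules stated in the steps above (a VPC block of at most /16, every subnet inside that block, the public and private subnets distinct, and no collision with private ranges reachable over VPN) can be checked before anything is created in the console. The following is an added example, not code from the Netgate documentation; the remote-site range is an assumed value.

```python
"""Check a VPC address plan against the constraints described in the text."""
import ipaddress

# Constructed sample: the page's example VPC and subnets, plus one assumed
# remote-site range that a site-to-site VPN would need to reach.
VPC_CIDR = "10.2.0.0/16"
SUBNETS = {"public": "10.2.0.0/24", "private": "10.2.1.0/24"}
REMOTE_SITE_CIDRS = ["10.1.0.0/16"]  # assumed value for the VPN-conflict check


def _network(cidr, problems):
    """Parse a CIDR; a block with host bits set is reported, not silently fixed."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{cidr}: {exc}")
        return None


def check_plan(vpc_cidr, subnets, remote_cidrs=()):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    vpc = _network(vpc_cidr, problems)
    if vpc is None:
        return problems
    if vpc.prefixlen < 16:
        problems.append(f"VPC block {vpc} is larger than the /16 maximum")
    for remote in remote_cidrs:
        if vpc.overlaps(ipaddress.ip_network(remote)):
            problems.append(f"VPC block {vpc} overlaps remote range {remote}")
    nets = {name: _network(c, problems) for name, c in subnets.items()}
    nets = {name: n for name, n in nets.items() if n is not None}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} subnet {net} is not inside VPC block {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} subnet {nets[a]} overlaps {b} subnet {nets[b]}")
    return problems


def smallest_block(subnet_cidrs):
    """Smallest single block holding every subnet (two adjacent /24s need a /23)."""
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    return str(block)


if __name__ == "__main__":
    print(check_plan(VPC_CIDR, SUBNETS, REMOTE_SITE_CIDRS) or "plan OK")
    print("minimum VPC block:", smallest_block(SUBNETS.values()))
```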
There are a few more VPC configuration changes that will be required later, but next you must launch a Netgate appliance instance.