Preparing a VPC

Using a Netgate appliance instance to protect VPC subnets requires the following:

  • One internet-facing subnet, to which the Netgate appliance instance will have its primary/WAN interface connected.

  • One or more private subnets, to which the Netgate appliance instance will have its secondary/LAN interface (and possibly additional optional interfaces) connected.

  • Separate routing tables for the internet-facing subnet and the private subnet(s).

  • If all of these are already in place with an existing VPC, feel free to skip ahead to Launching an Instance.

These instructions will demonstrate how to create a single private subnet and set it up behind an instance of the Netgate® pfSense® Plus Firewall/VPN/Router appliance. In the Amazon VPC Management Console, create a new VPC, subnets, and routing table(s).

  1. Go to the Your VPCs view in the menu on the left side of the VPC Management Console, under the Virtual Private Clouds grouping. Click the Create VPC button.

    ../_images/aws-vpc-guide-1.jpg
  2. Enter a CIDR block to use in the box that pops up. If hosts in the VPC will be reached over a VPN from hosts at other sites in an organization’s infrastructure, be sure to select address space that does not conflict with the private address space used elsewhere by the organization. Make sure the block is large enough to contain all subnets to include within it, optionally providing for future expansion. For example, to use a /24 for an internet-facing subnet and a /24 for a private network, the CIDR block must be at least a /23 to hold those two subnets. The maximum size block is a /16. For the purposes of this example, use 10.2.0.0/16. Leave the value of Tenancy set to Default. Click on the Yes, Create button.

    ../_images/aws-vpc-guide-2.jpg
  3. To create the subnets required, go to the Subnets view in the menu on the left side of the VPC Management Console. Click the Create Subnet button. Select the newly created VPC and choose the desired availability zone. Enter the subnet to use for the internet-facing hosts in the CIDR Block field. This subnet will be the one to which the WAN interface of the Netgate appliance instance is attached and could include any other hosts or appliances that should be available directly from the Internet and not protected behind the Netgate appliance. This subnet must be a block that is within the address space assigned to the VPC. For this example, use 10.2.0.0/24. Click on the Yes, Create button.

    ../_images/aws-vpc-guide-3.jpg
  4. Create the private subnet. Still in the Subnets view of the VPC Management Console, click the Create Subnet button. In the box that pops up, select the appropriate VPC and the same Availability Zone assigned to the public subnet. Enter the subnet to use for the private network in the CIDR Block field. This network must be a subnet of the address space assigned to the VPC and must not overlap the public subnet. For this example, use 10.2.1.0/24. Click on the Yes, Create button.

    ../_images/aws-vpc-guide-4.jpg
  5. Both new subnets will start out set to use a default route table automatically created for the VPC by AWS. The private subnet can continue to use that default table. Create a new route table for the public subnet to override this behavior. Go to the Route Tables view in the menu on the left side of the VPC Management Console. The single existing route table should be displayed. Click on the Create Route Table button. Select the VPC and click on the Yes, Create button.

    ../_images/aws-vpc-guide-5.jpg
  6. Associate the public subnet (10.2.0.0/24 in this example) with the newly created routing table. Go to the Subnets view on the left hand side of the VPC Management Console. Check the checkbox next to the public subnet and scroll down to look at the Details tab for that subnet. At the top of the Details tab will be listed the CIDR block, VPC, and Availability Zone. Under those items, the Route Table will be listed and will have a link labeled replace next to it. Click the replace link. Select the route table in the box that pops up and click on the Yes, Replace button.

    ../_images/aws-vpc-guide-6.jpg
  7. To send traffic from the public subnet to the Internet, the VPC will need a default route to an Internet Gateway. To create this gateway, go to the Internet Gateways view in the menu on the left hand side of the VPC Management Console. Click on the Create Internet Gateway button. Click the Yes, Create button on the box that pops up. Click the checkbox next to the new Internet Gateway and then click the Attach to VPC button. Select the VPC and click on the Yes, Attach button.

    ../_images/aws-vpc-guide-7.jpg
  8. The route table for the public subnet will need to be updated so that it has a default route to the Internet Gateway. Go to the Route Tables view on the left hand side of the VPC Management Console. Check the checkbox next to the route table for the public subnet. Under the Routes tab for that route table, there should be only a single route listed, for the CIDR block of the VPC (10.2.0.0/16 in this example), with a target of local. There is a row underneath this route with a text box in the Destination field and a pop-up menu for the Target field. Enter 0.0.0.0/0 for the Destination and select the Internet Gateway (formatted like igw-XXXXXXXX) for the Target. Click on the Add button that appears at the right side of the row. Click the Yes, Add button on the box that pops up.

    ../_images/aws-vpc-guide-8.jpg
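The address-planning rules in step 2 (a VPC block no larger than /16 that does not collide with the organization's existing private space, with every subnet inside it and no two subnets overlapping) and the routing rules in steps 5 through 8 (public and private subnets on separate tables, a 0.0.0.0/0 route to the Internet Gateway only on the public table) are easy to get wrong when working from a console. The following is an added example, not code from Netgate or from this guide, that checks a plan against those rules before anything is created. It uses the example values from the walkthrough; the on-premises ranges and the route table identifiers are constructed placeholders, and the /28 lower bound on the VPC block is AWS's documented minimum rather than something this page states.

```python
"""Pre-flight checks for a VPC address plan and its route table layout."""
import ipaddress

# Values from the walkthrough above. ON_PREM_RANGES is a constructed stand-in
# for an organization's existing private address space (assumption).
VPC_CIDR = "10.2.0.0/16"
SUBNETS = {"public": "10.2.0.0/24", "private": "10.2.1.0/24"}
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]

# Constructed route tables: "rtb-EXAMPLE-..." are placeholder identifiers, and
# igw-XXXXXXXX mirrors the placeholder format used in step 8.
ROUTE_TABLES = {
    "rtb-EXAMPLE-default": [("10.2.0.0/16", "local")],
    "rtb-EXAMPLE-public": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "igw-XXXXXXXX")],
}
ASSOCIATIONS = {"public": "rtb-EXAMPLE-public", "private": "rtb-EXAMPLE-default"}


def check_address_plan(vpc_cidr, subnets, on_prem_ranges):
    """Return a list of problems with the address plan; an empty list means it is sound."""
    problems = []
    # strict=True rejects blocks with host bits set (e.g. 10.2.1.0/16).
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    # AWS accepts a primary VPC block between /16 (largest) and /28 (smallest).
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    # A VPC that overlaps an existing site breaks VPN routing to that site.
    for rng in on_prem_ranges:
        if vpc.overlaps(ipaddress.ip_network(rng, strict=True)):
            problems.append(f"VPC block {vpc} overlaps existing range {rng}")
    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"{name} subnet {net} is not inside VPC block {vpc}")
        nets[name] = net
    # Every pair of subnets must be disjoint.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} subnet {nets[a]} overlaps {b} subnet {nets[b]}")
    return problems


def check_route_tables(route_tables, associations):
    """Return a list of problems with how the public and private subnets are routed.

    route_tables maps a table id to its (destination, target) rows;
    associations maps "public"/"private" to the table id each subnet uses.
    """
    problems = []
    if associations["public"] == associations["private"]:
        problems.append("public and private subnets share a route table")
    public_routes = route_tables[associations["public"]]
    private_routes = route_tables[associations["private"]]
    # The public subnet reaches the Internet through a default route to the IGW.
    if not any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in public_routes):
        problems.append("public route table has no 0.0.0.0/0 route to an Internet Gateway")
    # A private subnet with any IGW route is not private: hosts on it could be
    # reached or could reach out without passing through the appliance.
    if any(tgt.startswith("igw-") for _, tgt in private_routes):
        problems.append("private route table contains a route to an Internet Gateway")
    return problems


if __name__ == "__main__":
    for problem in check_address_plan(VPC_CIDR, SUBNETS, ON_PREM_RANGES):
        print("address plan:", problem)
    for problem in check_route_tables(ROUTE_TABLES, ASSOCIATIONS):
        print("routing:", problem)
```

Run the checks against the plan before clicking through the console; if the private subnet is later re-associated with the public table by mistake, `check_route_tables` reports both the shared table and the Internet Gateway route, which is the condition that silently bypasses the appliance.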

There are a few more VPC configuration changes that will be required later, but the next step is to launch a Netgate appliance instance.