Upgrading a VPC Instance

Periodically, new releases of the Netgate® pfSense® Plus AMI are issued that may provide new functionality, bug fixes, and security updates. In most cases it is recommended to update via the pfSense® Plus GUI.


Consult the Upgrade Guide before proceeding with any upgrade.


pfSense Plus software can no longer run on AWS “.nano” size instances as they lack sufficient RAM to upgrade properly. Attempting to upgrade a “.nano” instance will fail before the upgrade is performed. Migrate the instance to a “.micro” or larger size before attempting to upgrade, or redeploy instead.

Before upgrading, back up the configuration of the existing instance by navigating to Diagnostics > Backup/Restore in the GUI. Click the Download configuration button under the Backup Configuration heading and save the config file to a local system.

Next, navigate to System > Update to perform the update.


If issues arise with the upgrade process, or there is a need to bring up a new instance alongside the existing one to execute a cutover, follow the instructions below. These instructions detail the procedure for moving an existing instance to one running the latest version.

  1. Save a backup configuration, as mentioned above, and write down the NDI located on the pfSense® Plus dashboard, of the current pfSense® Plus AMI.

  2. Bring up a new instance of the pfSense® Plus AMI running the latest version.

  3. When creating the instance, make sure the interfaces match the interfaces on the existing instance. Make sure that the new instance is in the same VPC as the existing instance and that it has the same number of interfaces attached and that the interfaces are connected to the same Subnets.

  4. Make sure any interfaces on the new instance that will communicate with private Subnets have the Source/Destination check disabled.

  5. Allocate a new Elastic IP and associate it to the WAN interface of the new instance to allow management access.

  6. Restore the backed up configuration file to the new instance. Navigate to Diagnostics > Backup/Restore in the GUI. Under the Restore Configuration heading, click the Choose File button and browse for the configuration file backed up from the existing instance earlier. Once that file is selected, click the Restore configuration button. The configuration file will be uploaded and the instance will reboot automatically.

  7. If the old instance had packages installed, navigate to Packages under the System menu in the pfSense® Plus GUI and install the same packages.

  8. If there was any external dependency on the public IP address of the existing instance, remove the Elastic IP Address from the upgraded instance and move the Elastic IP Address from the existing instance to the upgraded instance. External dependencies that might necessitate this include things like VPNs configured on external devices that rely on the existing instance Elastic IP address, or access lists on external devices that allow access to traffic from the existing instance’s IP address. There may be other reasons to keep the existing address as well (to preserve existing bookmarks to the GUI, reduce the need for updates to existing internal documentation, etc). The process for moving the old Elastic IP address to the new instance is as follows:

    • Disassociate the Elastic IP address from the new instance. In the EC2 Management Console, click on Elastic IPs under the Network & Security heading. Check the box next to the Elastic IP address assigned to the new instance and click on the Disassociate Address button.

    • Disassociate the Elastic IP address from the old instance. The procedure is the same as in the previous step, repeated for the Elastic IP address of the old instance this time.

    • Associate the Elastic IP address that was previously associated to the old instance to public interface of the new instance. In the EC2 Management Console, click on Elastic IPs. Check the box next to the Elastic IP address being moved and click the Associate Address button. Fill in the correct value for the Instance or Network Interface and select the Private IP Address of the public interface on the new instance. Click the Associate button. The management interface of the new instance should now be accessible.

  9. Move any default routes that pointed to an interface on the old instance to point to the equivalent interface on the new instance. In the VPC Management Console, click on Route Tables under the Virtual Private Cloud heading. Check the box next to a Route Table associated with the VPC that the instances is located in.

    • In the detail pane that appears at the bottom of the screen, click on the Routes tab.

    • If a route exists for with a Target that is an interface ID of an interface on the old instance, click the Edit button above the table displaying the routes.

    • Click the red X next to the row for to remove the existing route.

    • There should be a blank row with empty fields for a new route. Enter in the Destination field and the Network Interface ID of the interface on the new instance in the Target field. Click on the Save button.

    • If there were multiple private subnets in the VPC which were pointed to interfaces on the pfSense® Plus instance, repeat this process for the other Route Tables associated with the VPC.

    • The new instance should now be functioning as the old one did.