Configuring SonicOS for Amazon VPC TechNote
Network Security
SonicOS
Contents
Overview (page 1)
System or Network Requirements / Prerequisites (page 3)
Deployment Considerations (page 3)
Configuring Amazon VPC with a Policy-Based VPN (page 4)
Configuring Amazon VPC with a Dynamic Route-Based VPN (page 19)
Configuring the VPC for Deployment in Elastic Compute Cloud (page 36)
Glossary of Terms (page 43)
Overview
This TechNote describes how to connect a Dell SonicWALL firewall to the Amazon Virtual Private Cloud (VPC) via
a static policy-based VPN or dynamic route-based VPN.
SonicOS for Amazon VPC is a Network Security feature that enables network administrators to connect a Dell
SonicWALL Security Appliance firewall to a VPC on Amazon Web Services (AWS), an easy-to-use cloud computing
platform suitable for individuals and organizations of all sizes.
Two VPN types are supported by SonicOS, depending on the SonicOS release and, in some cases, the platform:
Policy-based (static) VPN: SonicOS 5.8.1.8 and higher 5.8 releases.
Dynamic route-based (BGP) VPN: SonicOS 5.9 on NSA 2400 and higher platforms (see the note under Configuring
Amazon VPC with a Dynamic Route-Based VPN).
TechNote
The following graphic shows a typical topology for connecting a Dell SonicWALL firewall to an AWS VPC. Amazon
VPC offers failover capability to customers by providing two tunnels for each instance of a VPN the customer
creates.
System or Network Requirements / Prerequisites
SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on Dell SonicWALL products running
SonicOS 5.8 or 5.9, and on the following Dell SonicWALL products running SonicOS 6.1 or 6.2:
NSA 2600
NSA 3600
NSA 4600
NSA 5600
NSA 6600
SuperMassive 9200
SuperMassive 9400
SuperMassive 9600
Deployment Considerations
No special license is needed, but you must have a current support contract for SonicOS 5.8.1.8.
The SonicWALL firewall for Amazon VPC is not supported on the NSA 2400MX.
The SonicWALL firewall for Amazon VPC does not support a secondary customer VPN gateway on a
secondary WAN interface, in the same VPC. VPNs are deployed on one interface only in a single VPC.
The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device. Amazon does not
support NAT traversal.
Some platforms may require an expanded license for BGP support, required for a dynamic route-based
VPN.
Configuring Amazon VPC with a Policy-Based VPN
To configure a policy-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud
(VPC), perform the following tasks:
2. Go to Services > VPC.
3. In the left column, click Your VPCs.
Creating the Subnet
7. In the left column, click Subnets.
Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
Creating a Customer Gateway
18. In the left column, click Customer Gateways.
To create a VPN:
23. In the left column, click Route Tables.
29. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.
30. In the Customer Gateway list, select the appropriate Customer Gateway.
31. Select the Use static routing option.
32. In the IP Prefix box, enter the prefix of the protected subnet behind the SonicWALL appliance that should be
reachable from the VPC. For example, 192.168.0.0/16. The prefix must not overlap the CIDR block of the VPC itself.
33. Click the Yes, Create button.
34. Click the Static Routes tab to add more subnets.
To download the configuration text file to configure the Dell SonicWALL appliance connection to the AWS VPC:
35. In the left column, click VPN Connections.
36. Select the appropriate VPN connection.
37. Click Download Configuration.
Open the text file you just downloaded from AWS. This text file contains the tunnel interface VPN policy
configuration for the firewall, including the pre-shared key for each tunnel, so store and transmit it as you would
any other credential. You can configure the VPN policy on your Dell SonicWALL Security Appliance by using the
values from the text file.
SonicOS Configuration Tasks
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security
Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical
interface from the firewall to the remote AWS gateway.
3. Click the General tab.
9. Click the Proposals tab.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be checked).
17. In the VPN Policy bound to list, select the appropriate interface (the WAN interface on the SonicWALL
Security Appliance). For example, Interface X1.
18. Click OK.
Configuring a Static Route
To configure a static route:
19. In the SonicOS management interface on your Dell SonicWALL appliance, go to Network > Routing.
20. Under Route Policies, click the Add button.
Configuring Amazon VPC with a Dynamic Route-Based VPN
Note: Dynamic route-based VPNs are supported on Dell SonicWALL NSA 2400 and higher platforms running
SonicOS 5.9. SonicOS for Amazon VPC is not supported on the NSA 2400MX. For all other platforms and versions
of SonicOS, see Configuring Amazon VPC with a Policy-Based VPN on page 4.
To configure a dynamic route-based VPN between the Dell SonicWALL Firewall and the Amazon Virtual Private
Cloud (VPC), perform the following tasks:
2. Go to Services > VPC.
3. In the left column, click Your VPCs.
Creating the Subnet
7. In the left column, click Subnets.
Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
Creating a Customer Gateway
18. In the left column, click Customer Gateways.
To create a VPN:
24. In the left column, click Route Tables.
30. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.
31. In the Customer Gateway list, select the appropriate Customer Gateway.
32. In the IP Prefix box, enter the prefix of the interface on the protected subnet of the SonicWALL appliance.
For example, 192.168.0.0/16.
33. Click the Dynamic Routes tab to add more subnets.
To download the configuration text file to configure the Dell SonicWALL appliance connection to the AWS VPC:
34. In the left column, click VPN Connections.
35. Select the appropriate VPN connection.
36. Click Download Configuration.
Open the text file you just downloaded from AWS. This text file contains the tunnel interface VPN policy
configuration for the firewall, including the pre-shared key and the BGP parameters for each tunnel, so store and
transmit it as you would any other credential. You can configure the VPN policy on your Dell SonicWALL Security
Appliance by using the values from the text file.
SonicOS Configuration Tasks
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security
Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical
interface from the firewall to the remote AWS gateway.
Note: Amazon VPC provides two route-based VPN tunnels for each dynamic route-based VPN connection, and the
customer gateway must configure both. On the firewall this means two Tunnel Interface VPN policies and two tunnel
interfaces, each with its own BGP neighbor configuration.
3. Click the General tab.
9. Click the Proposals tab.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be checked).
17. In the VPN Policy bound to list, select the appropriate interface (the WAN interface on the SonicWALL
Security Appliance). For example, Interface X1.
18. Click OK.
Configure Routing
19. In the SonicOS management interface, navigate to the Network > Interfaces page.
20. Click the Add Interface drop-down menu, then select Tunnel Interface.
Zone: VPN
23. Navigate to the Network > Routing page.
Note: In this example, 65011 is the BGP ASN of the firewall, 192.168.168.0/24 is the network you want to publish
to Amazon VPC, 169.254.253.5 is the tunnel interface IP address of the Amazon side (the BGP neighbor) provided by
Amazon, and 7224 is the BGP ASN provided by Amazon.
28. After the firewall learns the route from the Amazon VPC, navigate to the Firewall > Access Rules page in
the SonicOS management interface.
29. Add a firewall rule like the following:
Note: This is an example, please change the options accordingly to match your deployment.
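The following script is an added example, not part of this TechNote or of Dell SonicWALL's software. It checks the two-tunnel, route-based design described above (two tunnel interfaces, each with its own BGP session) using the values from the BGP note (firewall ASN 65011, published network 192.168.168.0/24, Amazon neighbor 169.254.253.5, Amazon ASN 7224), derives the SonicWALL-side address of each tunnel's /30, flags a published prefix that overlaps the VPC CIDR (the same check applies to the IP Prefix entered for a policy-based VPN), and renders the BGP stanza. The tunnel records are constructed sample data in the shape of the AWS configuration download: the first tunnel's /30 (169.254.253.4/30), the second tunnel's addresses (169.254.253.8/30, 169.254.253.9) and the 203.0.113.x gateway addresses are assumptions, and the rendered lines use Quagga-style syntax that the SonicOS advanced-routing CLI is assumed to accept, so compare them with your appliance before use.

```python
"""Check a two-tunnel, route-based (BGP) Amazon VPC plan before configuring SonicOS.

Added example, not from the TechNote or from Dell SonicWALL. Assumptions: the tunnel
values in main() are constructed sample data in the shape of the AWS configuration
download, and the rendered BGP lines use Quagga-style syntax assumed to match the
SonicOS advanced-routing CLI.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# AWS allocates the inside (tunnel) addresses from link-local space.
AWS_TUNNEL_INSIDE_SPACE = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class Tunnel:
    name: str
    vgw_outside: str   # public IP of the AWS virtual private gateway (the IKE peer)
    vgw_inside: str    # AWS address inside the tunnel, e.g. 169.254.253.5 (BGP neighbor)
    inside_cidr: str   # the /30 AWS allocates to the tunnel, e.g. 169.254.253.4/30
    aws_asn: int       # BGP ASN of the virtual private gateway (7224 in the TechNote)


def cgw_inside_address(t: Tunnel) -> str:
    """Return the SonicWALL (customer gateway) address of the tunnel's /30: the one
    usable host of the /30 that AWS did not take for its own side."""
    net = ipaddress.ip_network(t.inside_cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{t.name}: inside CIDR must be a /30, got {t.inside_cidr}")
    hosts = list(net.hosts())
    aws = ipaddress.ip_address(t.vgw_inside)
    if aws not in hosts:
        raise ValueError(f"{t.name}: AWS inside address {aws} is not a host of {net}")
    return str(hosts[0] if hosts[1] == aws else hosts[1])


def validate_plan(tunnels: List[Tunnel], local_prefixes: List[str],
                  vpc_cidr: str, local_asn: int) -> List[str]:
    """Return a list of problems; an empty list means the plan satisfies the TechNote's
    requirements: two tunnels, each with its own inside /30 and BGP neighbor, and
    on-premises prefixes that do not collide with the VPC."""
    problems = []
    # VPC creates two tunnels per VPN connection; dynamic routing needs both,
    # each on its own tunnel interface with its own BGP neighbor.
    if len(tunnels) != 2:
        problems.append(f"expected 2 tunnels for failover, got {len(tunnels)}")
    if len({t.inside_cidr for t in tunnels}) != len(tunnels):
        problems.append("tunnels must not share an inside /30")
    if len({t.vgw_outside for t in tunnels}) != len(tunnels):
        problems.append("tunnels must terminate on different AWS gateway addresses")
    for t in tunnels:
        if not ipaddress.ip_network(t.inside_cidr).subnet_of(AWS_TUNNEL_INSIDE_SPACE):
            problems.append(f"{t.name}: inside CIDR {t.inside_cidr} is not in 169.254.0.0/16")
        if t.aws_asn == local_asn:
            problems.append(f"{t.name}: local ASN {local_asn} equals the AWS ASN; eBGP needs distinct ASNs")
    if not 1 <= local_asn <= 65534:
        problems.append(f"local ASN {local_asn} is not a valid 16-bit ASN")
    # A published prefix that overlaps the VPC CIDR cannot be routed: inside AWS the
    # VPC's own local route wins, so those hosts are unreachable through the tunnel.
    vpc = ipaddress.ip_network(vpc_cidr)
    for p in local_prefixes:
        if ipaddress.ip_network(p).overlaps(vpc):
            problems.append(f"published prefix {p} overlaps the VPC CIDR {vpc_cidr}")
    return problems


def render_bgp_config(tunnels: List[Tunnel], local_asn: int, local_prefixes: List[str]) -> str:
    """Render a Quagga-style BGP stanza (assumed SonicOS CLI syntax) with one network
    statement per published prefix and one neighbor per tunnel."""
    lines = [f"router bgp {local_asn}"]
    lines += [f" network {p}" for p in local_prefixes]
    lines += [f" neighbor {t.vgw_inside} remote-as {t.aws_asn}" for t in tunnels]
    return "\n".join(lines)


def main() -> None:
    # Constructed sample values in the shape of an AWS configuration download.
    tunnels = [
        Tunnel("Tunnel 1", "203.0.113.10", "169.254.253.5", "169.254.253.4/30", 7224),
        Tunnel("Tunnel 2", "203.0.113.20", "169.254.253.9", "169.254.253.8/30", 7224),
    ]
    published = ["192.168.168.0/24"]
    for t in tunnels:
        print(f"{t.name}: SonicWALL tunnel interface IP {cgw_inside_address(t)}/30, "
              f"BGP neighbor {t.vgw_inside} AS {t.aws_asn}")
    print(render_bgp_config(tunnels, 65011, published))
    print("problems:", validate_plan(tunnels, published, "10.0.1.0/24", 65011) or "none")


if __name__ == "__main__":
    main()
```

Run it with the two tunnel blocks from your own AWS download substituted into main(); a non-empty problem list means the plan should be corrected before the tunnel interfaces and BGP neighbors are created on the firewall.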
Configuring the VPC for Deployment in Elastic Compute Cloud
This section provides the steps for launching an Elastic Compute Cloud (EC2) instance into the subnet of the VPC
created earlier, so that there is a host in the VPC reachable through the VPN.
To configure your EC2 settings:
1. Go to Services > EC2.
2. Click Instances.
3. Click Launch Instance.
4. Select the Classic Wizard option, and Click the Continue button.
5. Under the Quick Start tab, choose one of the Amazon Machine Images (AMIs) and click Select.
(Select whichever system you like from the list of AMIs. For example, Amazon Linux AMI.)
6. In the Number of Instances box, enter the number of instances you want.
7. In the Instance Type list, select Medium.
8. Select the Launch Instances option.
Configuring SonicOS for Amazon VPC
P/N 232-001156-00 Rev D
9. Select the VPC option.
10. In the Subnet list, select the appropriate subnet.
11. Click the Continue button.
12. In the IP Address box, enter the IP address of your VPC instance. For example, if the subnet IP address is
10.0.1.0/24, the IP address for the VPC instance could be 10.0.1.7.
13. Click the Continue button.
14. In the Storage Device Configuration dialog, click the Continue button.
Note: A metadata tag consists of a case-sensitive key/value pair, which is used to simplify the administration
of your EC2 infrastructure.
15. In the Key Name box, enter a key name for the key/value pair tag.
16. In the Value box, enter a value for the key/value pair tag.
17. Click the Continue button.
18. In the name box, enter a name for your key pair.
19. Click Create & Download your key pair.
20. Click the Continue button.
21. Save the key pair to your PC. The downloaded file is the private key used to log in to the instance; AWS keeps
no copy of it, so store it securely and do not share it.
22. Select the Choose one or more of your existing Security Groups option.
25. Click the Launch button.
Follow the steps given in the AWS Getting Started Guide, Step 8: Update Your Amazon EC2 Security
Group: http://docs.amazonwebservices.com/gettingstarted/latest/computebasics/getting-started-securitygroup.html
Glossary of Terms
The following abbreviations are used in this document:
Last updated: 1/30/2015