Skip to content

Amazon VPC

Amazon Virtual Private Cloud (VPC) is a cloud computing service that allows you to create virtual networks for your Amazon Web Service (AWS) resources. You can connect Amazon VPC to Sophos Firewall by importing the connection information using your Amazon security credentials or a VPC configuration file.

Prerequisites

Before you connect Amazon VPC to Sophos Firewall, you must set up an AWS site-to-site VPN connection on the Amazon VPC console. See Set up an AWS site-to-site VPN connection.

Note

When configuring the AWS site-to-site VPN connection, you must configure Local IPv4 Network Cidr and Remote IPv4 Network Cidr as 0.0.0.0/0 to establish BGP peering.

Note

If you've configured BGP on Sophos Firewall, go to Routing > BGP > Global configuration and note the Local AS value. You must enter this value for BGP ASN on the Create Customer Gateway page in AWS.

Amazon VPC connection setup

After creating the AWS site-to-site VPN connection, you must import the settings into Sophos Firewall. This is a one-time action. If you change the AWS site-to-site VPN connection settings, you must import the settings again to update the connections in the firewall.

There are two ways you can add Amazon VPC connections:

  • Import connections from AWS using your security credentials.
  • Import connections from a VPC configuration file.

To add an Amazon VPC connection using AWS security credentials, do as follows:

  1. Go to Site-to-site VPN > Amazon VPC.
  2. Choose Use AWS security credentials.

    Note

    This must be an AWS Identity and Access Management (IAM) user with appropriate permissions to access AWS site-to-site VPN settings.

  3. Enter your access key and secret key.

  4. Click Import.

    Use AWS security credentials

Warning

The configuration file is only an example and may not match your intended site-to-site VPN connection settings. You must change the example configuration file to take advantage of additional security algorithms, Diffie-Hellman groups, private certificates, and IPv6 traffic. You must also ensure that the tunnel_outside_address values in the VPC configuration file match the IP address of the WAN interface on the firewall.

To add an Amazon VPC connection using a VPC configuration file, do as follows:

  1. Download the sample VPN configuration file from the Amazon VPC console. See How do I download AWS Site-to-Site VPN example configuration files.
  2. When prompted, choose the following settings and click Download:

    Setting Value
    Vendor Sophos
    Platform Sophos Firewall
    Software v19+
    Ike Version Choose ikev1 or ikev2

    Click Download

    Note

    If you want to use static routing, you must select Generic for Vendor and manually configure the IPsec profiles and connections using the settings in the VPC configuration file. Sophos Firewall only supports dynamic routing when you choose Sophos as the vendor. See the following:

  3. Sign in to Sophos Firewall.

  4. Go to Site-to-site VPN > Amazon VPC.
  5. Choose Use VPC configuration file.
  6. Click Browse.
  7. Choose the configuration file and click Open.
  8. Click Import.

    Use VPC configuration file

Sophos Firewall automatically creates the IPsec profiles, BGP settings, and XFRM interfaces using the settings imported from AWS.

Next steps

  • Click IPsec profiles to review the custom profiles created for the VPC connection.
  • Go to Network > Interfaces to review the XFRM interfaces created for the VPC connection.
  • Go to Routing > BGP > Networks and click Add to add the local network subnets. See Add BGP network.
  • Create a firewall rule to allow traffic between AWS VPC and your network resources. See Add a firewall rule.
  • Go to Administration > Device Access and turn on dynamic routing for the VPN zone.

Amazon VPC connections

The connections appear in Amazon VPC connections and are automatically activated. You can manage the connections as follows:

  • Click Show additional properties to choose additional connection properties to show in the list.
  • Click filter Filter button to filter the list of connections.
  • Activate, deactivate, and view the status of VPC connections. See Connection status.
  • Click delete Delete button to remove a connection from the list. You can also select a connection and click Delete.

Amazon VPC Connections

More Information

Back to top