CloudFormation Console (Auto Scaling)

The CloudFormation Console allows customers to deploy Sophos UTM using a Sophos created CloudFormation template. This template uses different AWS Resources such as ELBClosed, CloudWatch, Auto Scaling, and S3Closed to deploy and manage Sophos UTM. You can follow the steps listed in this section for access to CloudFormation templates or download the templates at

To use the CloudFormation Console, follow these steps:

  1. In Amazon Marketplace, click on one of the Sophos UTM (Auto Scaling) search results and click Continue.

  2. Select CloudFormation Console as your delivery method.

  3. Select a Version (we recommend the latest) and a Region.

  4. Click Accept Software Terms.

    After accepting the Software Terms, you should see a page with Next Steps indicating that an email has been sent to confirm subscription.

  5. After your subscription has been confirmed, click Return to Product Page and select Launch with CloudFormation Console.

    In the CloudFormation Console, you’ll be presented with the Create stack menu with the prepopulated S3 template URL.

  6. Click Next.

  7. Enter the parameter values for the CloudFormation template:

    Stack Details
    Stack name: A unique and descriptive name for the CloudFormation stack


    • awsAMI: Set to autodetect for the latest AMI
    • awsAvailabilityZone1: Choose an AZ for the UTM controller and first UTM worker
    • awsAvailabilityZone2: Choose an AZ for the second UTM worker
    • awsKeyName: EC2 Key Pair for SSHClosed access
    • awsNetworkPrefix: Choose between PAYGClosed or BYOLClosed
    • awsTrustedNetwork: Specify a network that can access your VPC on these ports (we recommend only trusted networks should be configured for SSH and port 8080 access)
    • basicAdminEmail: Email address that will receive UTM and SNS notifications (this information is not sent to Sophos)
    • basicAdminPassword: Admin account password that will be used to access the UTM WebGUI (this information is not sent to Sophos)
    • basicCity: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
    • basicCountry: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
    • basicHostname: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
    • optionalExistingElasticIP: Elastic IP address assigned to UTM (if left empty a new Elastic IP will be allocated automatically)
    • optionalExistingS3Bucket: S3 bucket to store and restore backups (if left empty a new bucket will be created automatically)
    • optionalLicensePool: S3 bucket where UTM license is stored (only applicable to BYOL)

    Tags (optional)

    • Key: Arbitrary key that can be used to identify your stack for purposes such as cost allocation
    • Value: Arbitrary value for the key

    Permissions (optional)
    IAM Role: an existing IAM service role that CloudFormation can assume

    Advanced (optional)

    Note – For more information on advanced options refer to

  8. Click Next.

  9. On the Review page, review the values for parameter.

    This will take you to the CloudFormation management console where you can watch the Status and Events of the CloudFormation stack creation. Stack creation time may vary but typically takes anywhere from six to ten minutes to complete. Once the Status reads CREATE_COMPLETE, you can review the information in the Outputs tab.

  10. Under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources and click Create.