How to deploy NG Firewall in Amazon Web Services


NG Firewall supports deployment via Amazon Web Services (AWS). NG Firewall for AWS is a 64-bit Amazon Machine Image (AMI) that is launched and managed from the AWS Management Console. This deployment option is useful for example in decentralized network environments that need to route through a remote gateway to enforce policy management, reporting, content filtering, and other types of network security.

Before you begin

You need a valid AWS account before you can deploy NG Firewall in AWS. If you do not have an AWS account you can register here.

Getting Started

Step 1: Select an instance type

Before launching NG Firewall for AWS, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.


NG Firewall for AWS is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for AWS.

Both licensing options require the selection of AWS infrastructure in the form of an instance type. The available instance types and their associated costs are outlined in the Pricing Information section of the AWS Marketplace Overview page. Refer to the following links:


AWS instances are available in different sizes to accommodate the performance requirements of your deployment. The table below provides general guidance to help you identify which instance type to choose based on your intended usage.

Instance type Specifications Max devices (suggested)
Small 1 vCPU core2 GB memory Up to 50 devices
Medium 2 vCPU cores4 GB memory Up to 150 devices
Large 2 vCPU cores8 GB memory Up to 500 devices
Extra Large 4 vCPU cores16 GB memory Up to 5000 devices


Step 2: Prepare your Virtual Private Cloud (VPC)

A VPC is the virtual networking environment where your AWS instances reside. The quickest way to deploy NG Firewall for AWS is to launch the instance into the default VPC. In the default VPC configuration AWS automatically configures the required components including the gateway, subnets, and routing.

NOTE: For advanced scenarios involving custom VPCs and routing via network interfaces, refer to Configuring NG Firewall for AWS using routed subnets 

Step 3: Add a subscription

After you choose a licensing option and instance type, you can add the subscription to your AWS account. To add the subscription:

  1. Navigate to the Untangle NG Firewall marketplace listing.
  2. Select either PAYG or BYOL.
  3. Click Continue to Subscribe
  4. Click Continue to configuration.
  5. Select your Fulfillment option, Software version, and Region.
  6. Click Continue to launchaws-mkplce-launch.png
  7. Beneath Choose action, select Launch through EC2.
  8. Click Launch.


Step 4: Configure the NG Firewall Instance

After you launch the instance from the marketplace using the Launch through EC2 option, AWS directs you to the instance configuration wizard in the EC2 Management Console.

  1. Confirm the instance type that suits your needs and click Next: Configure Instance Details.
  2. If necessary, adjust the settings of your instance. For simple deployment, make sure the Network matches your default VPC and click Next: Add Storage
  3. If necessary, increase the storage Size and click Next: Add Tags.
  4. If necessary, assign a tag to help you identify and manage this instance. Click Next: Configure Security Group.
  5. Select Create new security group and assign it a name and description. Set the Type to “All traffic” and Source to “Anywhere”. Click Next: Review and Launch
  6. Review the summary of your instance and click Launch.

Note regarding Storage: The default storage size is 8 GiB, which is sufficient for light usage. Increase the storage size in the Add Storage step if you expect more than 50 hosts or if you wish to retain reporting data beyond the default value of seven days. Refer to the Performance Guide for tips to reduce the system requirements.

Note regarding Security Groups:

For AWS deployments, the SSH, HTTP, and HTTPS services are permitted by default. Once your appliance is configured and connected to ETM Dashboard, you may choose to disable these access rules to prevent brute force authentication attempts via these services.

Step 5: Allocate a static IPv4 Address

AWS maps Internet routable IPv4 addresses to your instances dynamically from a pool of addresses. This means that the Internet routable IPv4 address assigned to your instance might change after a reboot or lease expiration. To ensure that your instance maintains the same IPv4 address, you can allocate an Elastic IP Address

  1. Navigate to the Elastic IPs area of the EC2 Management Console.
  2. Click Allocate new address and continue through the prompts.
  3. Once the IPv4 address is allocated, select it from the list and click Actions → Associate address.

  1. In the Associate address screen, select your Untangle NG Firewall instance and click Associate.

Step 6: Connect to your instance

To connect to your instance:

  1. Review the status of your NG Firewall appliance in the Instances area of the EC2 Management Console.

  1. Confirm the Instance State is “running”.
  2. Take note of your Instance ID and Public DNS address.
  3. Open a new browser window and connect via HTTPS to your Public DNS address.
  4. Accept the self-signed SSL certificate and proceed to the URL.
  5. At the NG Firewall login prompt enter the Instance ID as the password and click Login.

NOTE: For PAYG instances, you must authenticate prior to accessing the setup wizard. The default user is admin and your password is the Instance ID.

Step 7: Configure NG Firewall for AWS

After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.

Setup Wizard

  1. On the first step of the wizard, configure a new administrative password, notification email address, install type, and timezone. Click Network Cards to proceed.

  1. On the Identify Network Cards step, choose Continue anyway. Click Internet Connection to proceed.

NOTE: To simplify the VPC deployment, NG Firewall for AWS requires only a single network interface. The internal network interfaces associate to each VPN tunnel or connection.

  1. On the Configure the Internet Connection step, confirm the Auto (DHCP) selection for the Configuration type and review the Status. Click Auto Upgrades to proceed.

  1. On the Configure Automatic Upgrade Settings step, review the automatic upgrades and Cloud connection options. We recommend enabling both options. Click Finish to complete the wizard.

  1. If you selected Connect to Cloud in the final step of the setup wizard, follow the prompts to log in or set up your ETM Dashboard account to add the new appliance to your organization.

Internet Hostname

Components such as location services, notifications, and VPN profiles require knowledge of the Internet routable IP address that associates to the external interface of your instance. In AWS, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure the NG Firewall with an Internet hostname that resolves to your Internet routable IP address or Elastic IP.

  1. From the NG Firewall web administration navigate to ConfigNetwork.
  2. In the Hostname field, set the unqualified part of your Public DNS.
  3. In the Domain Name field, set the qualified part of your Public DNS.
  4. Select the Use Hostname option.

NOTE: You can set the Internet hostname using your own domain name. In this case configure your DNS with an Address Record (A) type that points to the Elastic IP address of your instance.

VPN Server

After you complete the setup wizard you can begin the VPN configuration of NG Firewall for AWS. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.

  1. From the NG Firewall web administration navigate to Apps > OpenVPN.
  2. In the Status tab, toggle OpenVPN is enabled.

  1. In the Server tab, check Server Enabled.
  2. In the Server tab > Remote Clients tab, click Add to create a new profile.
  3. Assign the parameter of the profile. See OpenVPN for additional information.

Next steps

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk