Deploy a Conductor on Amazon Web Services (AWS)

You can deploy an Airwall Conductor on AWS and manage physical, virtual, and cloud Airwall Edge Services, and Airwall Agents. Use the following steps to deploy a Conductor on the AWS platform.

Note: Click the print icon printer icon in the top right to print or download this topic.


To get started, you need to have:
  • Access to a Amazon Web Services (AWS) account. If you do not have an account, you can create a free AWS Free Tier account and upgrade it to a full account later.
  • Billing information set up on your AWS account. You cannot create a project until you are able to link your billing information to your newly created project.
  • A Conductor license voucher if you want to start the Conductor and verify it is set up correctly. Fulfillment will provide this to you in an email after your purchase is complete.
  • The Amazon Machine Image (AMI) ID that you received from Tempered Fulfillment when you purchased your AWS Conductor.

Log in to AWS

From a Web browser, navigate to and log in to your account to get to the AWS Management Console, pictured below:

Create a Launch Instance

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including Amazon EC2. You add the Tempered Conductor as an EC2 instance, so make sure you have the AMI ID that you received from Tempered Fulfillment when you purchased your AWS Conductor.

To create an instance:

  1. On the top bar of the AWS Management Console, select Services and then select EC2 to access the EC2 Dashboard.

  2. In the Create Instance section, click Launch Instance.

  3. Click Launch Instance to start the instance setup wizard.

Step 1: Choose an Amazon Machine Image (AMI)

The AMI is a custom template used to create a Conductor as a virtual machine in AWS. It contains the Conductor's root volume, permissions, and device mappings necessary to deploy the Conductor to your account.
  1. On the Choose AMI tab, click My AMIs on the left.
  2. Under Ownership, check the Shared with me box. You should see the Conductor image listed in the right pane.

  3. Click the Select button on the right to continue.

Step 2: Choose an Instance Type

The Amazon EC2 instance type identifies the combination of memory, networking capacity, CPU, and storage required by an application. For the Conductor we recommend a minimum machine type of t2.medium.
  1. On the Choose Instance Type tab, select your desired instance type and click Next: Configure Instance Details.
    Important: DO NOT select the Review and Launch button, as this option will use the default settings for this instance type. You will need to make changes for the Conductor to operate correctly.

  2. Click Next: Configure Instance Details to continue.

Step 3: Configure Instance Details

Your new instance requires that you to make a few changes to ensure the Conductor has access to resources needed for proper operation. Make the following changes as outlined below.
  1. On the Configure Instance tab, do the following:
    1. Select your desired VPC from the Network drop-down.
    2. Select your region from the Subnet drop-down.
    3. Select Enable termination protection (recommended)

    You can leave all other settings as is.

  2. Click Next: Add Storage to continue.

Step 4: Add Storage

The Conductor AMI supplied by Tempered is relatively small in size. The configuration information and storage, however, requires a second hard disk, which you set up as part of the instructions below.
  1. On the Add Storage tab, click Add New Volume.
    Note: The volume must be a minimum of 32 GB. This size should be sufficient for normal operation; however, you can resize your volume later should you require additional space. See Modifying the Size, Performance, or Type of an EBS Volume in the AWS documentation for more information.
  2. Change the following information on the new volume:
    1. Select /dev/sdf from the Device drop-down.
      Important: We recommend you use /dev/sdf for your second volume. Do not select /dev/sdb, /dev/sdc, or /dev/sdd as the Conductor will not function correctly. Other partitions may work but are not currently supported.
    2. Enter the value 32 in the Size (GiB) field.
    3. Check Delete on Termination.

    You can leave all other settings as is.

  3. Click Next: Add Tags to continue.

Step 5: Add Tags

Tagging your Conductor instance can help you identify it if you have a large number of instances deployed to your account. While not required, we recommend you add a tag so you can find it quickly.
  1. On the Add Tags tab, click Add Tag and enter the following:
    1. Enter Name in the Key column.
    2. Enter a name for your Conductor in the Value column.

  2. Click Next: Configure Security Group to continue.

Step 6: Configure Security Group

Configuring a security group is synonymous with configuring firewall rules. You need to add three rules: ICMP to allow Airwall Edge Services to validate their link to the Conductor, HTTPS to allow for Conductor management, and a custom rule to allow Airwall Edge Services to communicate with the Conductor on port 8096.
  1. In the Assign a security group section, select the Create a new security group radio button.
  2. In the Security group name field, enter a name for your security group.
  3. In the Description field, enter a description for your security group, or leave the default.
  4. Add three rules to your security group:
    1. Click Add Rule, select All ICMP – IPv4 from the Type drop-down, select Anywhere from the Source drop-down, and enter ICMP in the Description column.
    2. Click Add Rule, select HTTPS from the Type drop-down, select Anywhere from the Source drop-down, and enter SSL in the Description column.
    3. Click Add Rule, select Custom TCP Rule from the Type drop-down, enter 8096 in the Port Range column, select Anywhere from the Source drop-down, and enter MAP in the Description column.

  5. Click Review and Launch to continue.
    Note: If you receive a Boot from General Purpose (SSD) dialog, select the Continue with Magnetic as the boot volume for this instance radio button and then click Next.

Step 7: Review

  1. Review your setup information and if everything is correct, click Launch.

  2. In the Select an existing key pair or create a new key pair dialog, create a new key pair or enter one of your existing key pairs.
    Note: This keypair is required to complete the wizard, but is never used since SSH is not enabled on Conductors.
  3. Click Launch Instance.

Verify, Configure, Provision, and License a Cloud Conductor

At this point the Conductor instance is running in your cloud provider.
To verify, paste your Conductor IP into a browser window. It should show you the Initial Conductor Configuration page. To log in, configure, and license your Conductor, see Log in and Configure the Conductor.
Note: In v2.2.8 and earlier, it shows the Provisioning page. See License and Provision a Conductor (v2.2.8 and earlier).

It may take several minutes for the Conductor to become available after it starts, so if you attempt to access it and your browser appears to stop responding, please try again in a few minutes.

Here are the default passwords for cloud Conductors. You are prompted to change the password as soon as you log in:
  • Alibaba Cloud – Tnw-<instanceID>
  • Amazon Web Services – Tnw-<instanceID>
  • Microsoft Azure – Tnw-<privateIpOfPublicNic>
  • Google Cloud – Tnw-<instanceID>
Note: In Microsoft Azure, if you do not see a password on the Azure Outputs page next to conductorPassword, it is likely you are not using the Managed image.
Note: When running the Conductor for the first time, you may receive notifications indicating the connection is not private. Once you have finished configuring the Conductor, you can install a custom certificate on the Conductor that prevents these notifications in the future.
For more information, see:

Additional Information

Once your Conductor is installed, you can configure and manage it as you would a physical Conductor. See Configure a Conductor. For additional help, you can search Airwall help by using the search bar at the top of the page or the navigation links to the left.