Amazon Web Services – Set up an Airwall Gateway


Required licenses
An Airwall 300v license for each virtual Airwall Gateway you are setting up.
Supported versions
Conductor v2.2.3 and later
To deploy a cloud Airwall Gateway on Amazon Web Services (AWS) you need the following:
  • An AWS access key ID and secret access key pair to create the AWS cloud provider. If you do not already have a key pair created in your AWS account, you need to create one as follows: Click your username and select My Security Credentials in the drop-down.

    For more information about access keys, see AWS Security Credentials in the AWS documentation.

    Note: If you create an access key in your AWS root account, you can only retrieve the secret key portion when you create it. If you anticipate using the same key at a later date, we recommend you create an IAM user with access to your security keys instead of relying on root access keys.
  • The address and port of your Conductor.
  • An Airwall Gateway AMI, shared to your account by Tempered Fulfillment when you purchased your AWS Airwall Gateway.

Set up an Airwall Gateway on AWS

There are three steps required to deploy an Airwall Gateway to your AWS account:
  1. Add the AWS provider to your Conductor as a cloud provider
  2. Create an Airwall Gateway deployment template
  3. Deploy one or more Airwall Gateways using the template

Set up AWS as a cloud provider

  1. In the Conductor, select the gear icon in the upper-right to access the Settings page.
  2. Select the Cloud providers tab and click + Add Cloud Providers
  3. In the Add Cloud Provider dialog, select the check-mark to the right of Amazon Web Services and click Next
  4. Enter your AWS access key, AWS secret key, and Default region

  5. The AWS route injection setting determines how new routes are added to the AWS routing table. The routes are for traffic on your protected overlay network between protected devices and the Airwall Gateway. Here are the recommended settings depending on your deployment details:
    • If you are using a Airwall Relay, or want to manage routes on your own, set to Disabled.
      Important: If your Airwall's subnet has a route table with existing or planned future routes, then do not set route injection to Individual traffic or All traffic. This removes these existing and future routes from the route table, retaining only routes created by Conductor.
    • If you want to handle traffic for devices individually, set to Individual traffic.
    • If you want one route to send all traffic to the overlay port on the Airwall Gateway, set to All traffic.
      Note: All traffic is effectively ‘full tunnel’ mode. With Individual traffic, you could add routes that send traffic around the Airwall Gateway.
  6. Click Finish
Your AWS cloud provider is displayed in the Configured Cloud Providers list.

Create an Airwall Gateway deployment template in AWS

In AWS, create an Airwall Gateway deployment template.

Add an AWS Airwall Gateway

You must Set up Amazon Web Services (AWS) as a cloud provider before you can add an Airwall Gateway in the Conductor

  1. On the Airwalls page, (or in Conductor Settings under Cloud providers tab), select New cloud Airwall, and then select Amazon Web Services Airwall.
    Create cloud Airwall menu
  2. In v2.2.8 and later, select the type of Airwall to create, and select Next.
  3. In v2.2.8 and later, if you want to use a template to create the Airwall Gateway, select the template, select Next, and then give the Airwall Gateway a descriptive name. You can then skip to the next step.
    To continue without a template and enter the information manually, just select Next.
    1. If you are filling in information manually, or want to change the template, fill in the Name and Image and network options for this Airwall Gateway. For Machine type, the default typically works. You can select a different size if needed for your purposes.
      Create an AWS Cloud Airwall dialog
    2. Under Airwall gateway image ID, pick the Airwall Gateway image you want to use. The list shows the Airwall Gateway images Tempered shared with your account.
      Note: If you are not seeing the Airwall Gateway images, check your order email.
    3. If you do not have a pre-configured virtual network, you need to create a new network. Select Create new network and fill in the form:
      • Network CIDR – Enter an available network address and subnet mask in CIDR notation.
      • Public subnet CIDR – Must be a subnet of the main network. Traffic flows between the underlay interface of the Airwall Gateway and the Public IP address object in AWS.
      • Protected subnet CIDR – Must be a subnet of the main network. Traffic must pass through theAirwall Gateway or through manually-crafted routes.

      When you’re finished entering the information, select Create network, and when processing is complete, select Back.

      Create a new network dialog
    4. Back on the Create cloud Airwall page, select the network and public and protected subnets you just created.
  4. Check the summary and if everything is correct, select Create cloud Airwall.
  5. Select Finish. It may take up to 5 minutes for Amazon Web Services to complete creating the Airwall Gateway.

You’ve completed creating an AWS cloud Airwall Gateway, and now need to configure Provision, License, and configure it. For help, see Provision and License Airwall Edge Services and Configure Airwall Edge Service Settings.