AWS deploy protection checklist

Use this checklist to make sure the Deploy Protection wizard can generate a working AWS CloudFormation deployment script that launches the Network Security virtual appliance in AWS.

Start by adding your AWS account to the Network Security management interface (navigate to Network → Accounts and click Add Account). After your account is added but before you deploy the Network Security virtual appliance through the Deploy Protection wizard, complete the following checklist items.

Make sure you have AWS administrator privileges in the target account before deploying a CloudFormation template there.

Make sure you include the following components in your AWS environment:

  • Internet Gateway: Make sure the VPC where you plan to deploy the Network Security virtual appliance has an attached Internet Gateway.
  • Egress Routing: Set up egress routing (a 0.0.0.0/0 route to the Internet Gateway) in at least one availability zone (AZ).
  • NAT Gateway: Place a NAT Gateway in each AZ that has egress routing to the Internet Gateway.
  • Disabled IPv6: Disable IPv6 in the VPC where you plan to deploy the Network Security virtual appliance.
  • CIDR space: Make sure your VPC has free address space for at least two /28 CIDRs. You need two /28 CIDRs for each AZ in your VPC that has egress routing to the Internet Gateway.
  • Subnets: Make sure you have a public subnet with egress routing to the Internet Gateway. If that subnet uses the default route table, make sure the association is explicit: a subnet that falls back to the default route table implicitly, because it has no explicit route table association, does not qualify.
  • Remove edge association: Remove any edge associations (route table associations whose target is the Internet Gateway itself) for the Internet Gateway.
  • SSH key: Create a valid SSH key pair in the same region where you plan to deploy the Network Security virtual appliance.

Allow the following ports in the network access control list (ACL):

  • Default VPC Network ACL: Allow the default VPC network ACL and the public subnets to receive and send Internet traffic over TCP port 443 (HTTPS) and the ephemeral port range 1024 - 65535. Network ACLs are stateless and return traffic for outbound connections arrives on ephemeral ports, so both directions must be allowed explicitly.
  • Splunk (optional): To let the Network Security virtual appliance send log files to Splunk, allow the default VPC network ACL and the public subnets to pass traffic on the default Splunk ports. For UDP, use port 514 or 8514; for TCP, use port 515 or 8515.

Create a Trend Micro Cloud One API key (see the API key help); the Deploy Protection wizard needs it to register the appliance with your account.
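The networking items above can be verified before running the wizard rather than discovered as a failed stack. The script below is an added example, not part of this page or of the Network Security product: it evaluates each checklist item against the JSON shape returned by `aws ec2 describe-vpcs`, `describe-internet-gateways`, `describe-subnets`, `describe-route-tables`, `describe-nat-gateways`, `describe-network-acls` and `describe-key-pairs`. The SNAPSHOT dictionary is constructed sample data standing in for those responses (one VPC, one public subnet in one AZ); the resource IDs, the key name `ns-deploy-key` and the check names are assumptions made for the example. The NACL evaluation is deliberately conservative: the first rule that touches the required port range must be an allow that covers the whole range from 0.0.0.0/0.

```python
"""Offline pre-flight checks for the AWS deploy protection checklist (added example).
Functions read the JSON shape of `aws ec2 describe-*` output, so a saved snapshot
of the VPC can be checked without credentials. SNAPSHOT is constructed sample data."""
import ipaddress

# Constructed sample: IPv4-only VPC, attached IGW, a public subnet in us-east-1a
# explicitly associated with a route table sending 0.0.0.0/0 to the IGW, a NAT
# gateway in that subnet, a private subnet on the main table, and a default NACL
# that allows TCP 443 plus ephemeral ports inbound and everything outbound.
SNAPSHOT = {
    "Vpcs": [{"VpcId": "vpc-0aa", "CidrBlock": "10.0.0.0/24", "Ipv6CidrBlockAssociationSet": []}],
    "InternetGateways": [{"InternetGatewayId": "igw-0aa",
                          "Attachments": [{"VpcId": "vpc-0aa", "State": "available"}]}],
    "Subnets": [
        {"SubnetId": "subnet-pub", "CidrBlock": "10.0.0.0/26", "AvailabilityZone": "us-east-1a"},
        {"SubnetId": "subnet-priv", "CidrBlock": "10.0.0.64/26", "AvailabilityZone": "us-east-1a"}],
    "RouteTables": [
        {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local"}]},
        {"RouteTableId": "rtb-pub", "Associations": [{"Main": False, "SubnetId": "subnet-pub"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aa"}]}],
    "NatGateways": [{"NatGatewayId": "nat-0aa", "SubnetId": "subnet-pub", "State": "available"}],
    "NetworkAcls": [{"VpcId": "vpc-0aa", "IsDefault": True, "Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]}],
    "KeyPairs": [{"KeyName": "ns-deploy-key"}],  # describe-key-pairs for the deployment region
}

def attached_igw(snap, vpc_id):
    """ID of the Internet Gateway attached to vpc_id, or None."""
    for igw in snap["InternetGateways"]:
        if any(a["VpcId"] == vpc_id and a["State"] == "available" for a in igw["Attachments"]):
            return igw["InternetGatewayId"]
    return None

def egress_route_tables(snap, igw_id):
    """Route tables whose 0.0.0.0/0 route points at the Internet Gateway."""
    return [rt for rt in snap["RouteTables"] if igw_id and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") == igw_id for r in rt["Routes"])]

def public_subnets(snap, igw_id):
    """Subnets explicitly associated with an egress route table (implicit main-table use does not count)."""
    ids = {a["SubnetId"] for rt in egress_route_tables(snap, igw_id) for a in rt["Associations"] if "SubnetId" in a}
    return [s for s in snap["Subnets"] if s["SubnetId"] in ids]

def edge_associations(snap, igw_id):
    """Route-table associations whose target is the IGW itself (edge/ingress routing); must be removed."""
    return [a for rt in snap["RouteTables"] for a in rt["Associations"] if igw_id and a.get("GatewayId") == igw_id]

def azs_missing_nat(snap, igw_id):
    """AZs that have an egress public subnet but no available NAT gateway."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in snap["Subnets"]}
    egress_azs = {s["AvailabilityZone"] for s in public_subnets(snap, igw_id)}
    nat_azs = {az_of[n["SubnetId"]] for n in snap["NatGateways"] if n["State"] == "available"}
    return sorted(egress_azs - nat_azs)

def ipv6_disabled(vpc):
    """True when no IPv6 CIDR block is associated with the VPC."""
    return not any(a.get("Ipv6CidrBlockState", {}).get("State") == "associated"
                   for a in vpc.get("Ipv6CidrBlockAssociationSet", []))

def free_slash28_blocks(vpc, subnets):
    """Number of /28 blocks inside the VPC CIDR that overlap no existing subnet."""
    used = [ipaddress.ip_network(s["CidrBlock"]) for s in subnets]
    return sum(1 for blk in ipaddress.ip_network(vpc["CidrBlock"]).subnets(new_prefix=28)
               if not any(blk.overlaps(u) for u in used))

def nacl_permits(entries, egress, lo, hi):
    """First-match NACL evaluation for TCP ports lo..hi to/from 0.0.0.0/0. Conservative: the first
    rule touching the range must be an allow covering all of it; narrower-CIDR rules are ignored."""
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", "6") or e.get("CidrBlock") != "0.0.0.0/0":
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})  # protocol -1 entries carry no PortRange
        if pr["From"] <= hi and pr["To"] >= lo:
            return e["RuleAction"] == "allow" and pr["From"] <= lo and pr["To"] >= hi
    return False  # fell off the end of the table: implicitly denied

def run_checklist(snap, key_name):
    """Evaluate every checklist item; returns {check_name: passed}."""
    vpc = snap["Vpcs"][0]
    igw = attached_igw(snap, vpc["VpcId"])
    egress_azs = {s["AvailabilityZone"] for s in public_subnets(snap, igw)}
    nacl = next(n for n in snap["NetworkAcls"] if n["IsDefault"] and n["VpcId"] == vpc["VpcId"])
    return {
        "internet_gateway_attached": igw is not None,
        "public_subnet_with_explicit_egress": bool(egress_azs),
        "nat_gateway_in_each_egress_az": not azs_missing_nat(snap, igw),
        "ipv6_disabled": ipv6_disabled(vpc),
        "two_slash28_per_egress_az": free_slash28_blocks(vpc, snap["Subnets"]) >= 2 * max(1, len(egress_azs)),
        "no_edge_associations": not edge_associations(snap, igw),
        "ssh_key_pair_in_region": any(k["KeyName"] == key_name for k in snap["KeyPairs"]),
        "nacl_allows_443_and_ephemeral": all(nacl_permits(nacl["Entries"], eg, lo, hi)
                                             for eg in (False, True) for lo, hi in ((443, 443), (1024, 65535))),
    }

if __name__ == "__main__":
    for check, ok in run_checklist(SNAPSHOT, "ns-deploy-key").items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To use it against a real account, replace SNAPSHOT with the parsed output of the corresponding `aws ec2 describe-*` calls for the deployment region; the Splunk ports are not checked because they are optional and depend on which of the listed ports you configured.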


NOTE

The Edge protection deployment option can also be deployed manually from the AWS Management Console by following the steps in the manual deployment documentation.