Deploy on AWS

(see guide for prerequisites and step-by-step instructions)


For detailed information about the architecture and step-by-step instructions, see the deployment guide.

To see a complete list of automated reference deployments, see the AWS Quick Start catalog.

logo-sophos-150

This Quick Start automatically deploys an outbound web filtering proxy on the Amazon Web Services (AWS) Cloud, using the Sophos Unified Threat Management (UTM) virtual appliance. The Quick Start also uses Sophos Outbound Gateway to extend security to multiple virtual private clouds (VPCs).

Sophos UTM provides multiple security functions, including firewall, intrusion prevention (IPS), VPN, and web filtering. Sophos Outbound Gateway provides a distributed, fault-tolerant architecture to provide visibility, policy enforcement, and elastic scalability to outbound web traffic. 

The Quick Start builds a cloud environment that enables you to whitelist AWS API calls without allowing internet access. You can also use this reference deployment to enable other proxy use cases with Sophos UTM. 

The Quick Start includes AWS CloudFormation templates that automatically deploy the web proxy into your AWS account in about 20 minutes. You can customize these templates to meet your specific requirements.

  • What you'll build

    The AWS CloudFormation template sets up the virtual network and creates the networking resources and EC2 instances needed for the Sophos outbound proxy solution. The template deploys a highly available architecture that includes the following Sophos components:

    • Sophos UTM 9 virtual appliance, which helps you secure your infrastructure in AWS. Sophos UTM provides multiple security tools like Next-Gen Firewall (NGFW), Web Application Firewall (WAF), Intrusion Prevention System (IPS), and Advanced Threat Protection (ATP).
    • Sophos UTM Queen (Controller), which provides administrative control and configuration management for UTM Workers.
    • Sophos UTM Workers, which terminate the Generic Routing Encapsulation (GRE) tunnels from the Outbound Gateways and proxy the traffic to the destination based on the policy configured within the Controller.
    • Sophos Outbound Gateway (OGW), which resides within an Availability Zone where clients need to connect out through the proxy.


    To centralize the proxy service for the clients, the Queen Controller and Workers are deployed into a dedicated proxy VPC. 

    This Quick Start deploys a separate application VPC for the proxy clients. The application VPC contains the Outbound Gateway for AWS to support the connections from the clients, bastion host instances, and tester instances. You can use these instances to test the outbound web proxy functionality.

    You can extend the Quick Start architecture to include your existing VPCs and clients by adding an Outbound Gateway in other VPCs.

    For details, see the Quick Start deployment guide.
  • Deployment details

    You can build a Sophos outbound web proxy environment on AWS by following these steps:

    1. Sign up for an AWS account, if you don't already have one, at https://aws.amazon.com.
    2. In AWS Marketplace, review and accept terms for the Sophos UTM 9 Amazon Machine Image (AMI), choosing either the hourly or the BYOL version of the AMI.
    3. Launch the Quick Start. The deployment takes about 20 minutes.
    4. Configure the Sophos UTM Controller.
    5. Test outbound filtering functionality.
    6. (Optional) Configure a URL whitelist.


    The Quick Start includes parameters that you can customize. For example, you can change instance types and CIDR blocks, and customize Sophos UTM settings.

    For complete details, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. You can use the Simple Monthly Calculator to view typical costs for default template settings and adjust the configuration based on your deployment. Additional cost for licensing will vary based on the consumption model (BYOL or hourly) as well as instance sizes.

    Prices are subject to change. See the pricing pages for each AWS service you will be using in this Quick Start for full details.

    This deployment supports both the Bring Your Own License (BYOL) model and the hourly model for the Sophos UTM software. If you already have a license for the Sophos UTM, you can select the BYOL option and upload your license file after deployment.

    This Quick Start launches Amazon Machine Images (AMIs) for the Sophos UTM Controller and Worker instances as well as bastion host and Linux testing instances.