reference deployment

Cisco ASAv RA-VPN on AWS

A scalable remote-access VPN that uses adaptive security

This Partner Solution deploys a scalable Cisco Remote Access Virtual Private Network (RA-VPN) to the Amazon Web Services (AWS) Cloud. This Partner Solution is for users who want to deploy or learn about Cisco AnyConnect RA-VPN services on Cisco Adaptive Security Virtual Appliance (ASAv) firewalls using the AWS Cloud architecture.

As companies address the ever-increasing demand for secure remote connectivity, the need for a stable and scalable RA-VPN has increased. For many organizations, investing in additional hardware appliances to scale up a network’s infrastructure may not fit project timelines or available budgets. Cloud-based architectures provide computing environments that are highly scalable and flexible in terms of both costs and resources.

This Partner Solution was developed by Cisco in collaboration with AWS. Cisco is an AWS Partner.


AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • The Partner Solution sets up the following:

    • A highly available architecture that spans two or more Availability Zones (up to four, depending on the number of ASAvs).
    • An Amazon Route 53–hosted zone, including associated records with a weighted policy for Domain Name System (DNS)–based load balancing.
    • An internet gateway for connecting users to the AWS Cloud.
    • ASAv instances (up to four) with a day-0 (initial bootstrap) configuration. This configuration sets up the AnyConnect client VPN, elastic network interfaces, and options to accept RA-VPN clients. ASAv instances are spread across Availability Zones for redundancy and to maintain a fixed one-to-one ratio of ASAvs to Availability Zones.
    • A virtual private cloud (VPC) to provide you with your own virtual network.
    • In the VPC, a public route table, VPC route table, and AWS Transit Gateway route table.
    • A private route table in each Availability Zone.
    • In the public subnets:
      • Elastic network interfaces with associated IP addresses.
      • Cisco ASAv instances.
    • In the private subnets:
      • An elastic network interface with a private IP address for the management subnet.
      • An elastic network interface with a private IP address for the private subnet.
      • An elastic network interface with a private IP address for the AWS Transit Gateway subnet.
    • AWS Transit Gateway to extend connectivity to on-premises resources that use either an AWS Site-to-Site VPN or an AWS Direct Connect gateway.
    • AWS Direct Connect for private connectivity between AWS and your data center, office, or colocation environment.
  •  How to deploy
  • To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps.

    1. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
    2. Subscribe to the Cisco RA-VPN AMI.
    3. Launch the Partner Solution. The stack takes about 20 minutes to deploy. Before you create the stack, choose the AWS Region from the top toolbar.
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • This Partner Solution requires an RA-VPN license from Cisco. The Cisco ASAv virtual firewall provides the following licensing options:

    • Option 1: Use AWS pay-as-you-go licensing, which is based on hourly billing. This is the default option for this Partner Solution.
    • Option 2: Use Amazon’s Bring Your Own License model in conjunction with Cisco’s Smart Licensing.

    To use this Partner Solution in a production environment, refer to Cisco Adaptive Security Virtual Appliance (ASAv)—Standard Package. Ensure that you subscribe to the image in the correct Region. If you want to use option 2, you must use the correct Amazon Machine Image (AMI). For more information, refer to Deploy the ASAv on the AWS Cloud.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?