reference deployment

Cisco Duo Network Gateway on AWS

Access websites, web applications, and SSH servers without VPN credentials

With Cisco Duo Network Gateway, users can securely access internal web applications from any device, using any browser, from anywhere in the world, without having to install or configure remote access software on their device. Using Secure Shell (SSH), users can remotely connect to configured hosts through Duo Network Gateway after installing Duo’s connectivity tool, providing server access without a virtual private network (VPN).

This Quick Start deploys Duo Network Gateway on the Amazon Web Services (AWS) Cloud in a matter of minutes, in high-availability mode with scaling based on CPU load. It addresses common scalability, high-availability, and security requirements when adding Duo authentication to web applications and SSH connections on the AWS Cloud.

This Quick Start was developed by Duo Security in collaboration with AWS.
Duo Security is an AWS Partner.

  •  What you'll build
  • This Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets, managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • In the private subnets:
      • Duo Network Gateway portal servers for providing end users access to the product interface.
      • A Duo Network Gateway admin server for completing configuration tasks.
      • An Amazon ElastiCache for Redis instance with a Redis replication group for storing the configuration for Duo Network Gateway.
    • Elastic Load Balancing for accepting incoming traffic for the Duo Network Gateway admin server and then distributing that traffic to the Duo Network Gateway portal servers using an AWS Auto Scaling group. 
    • An Amazon Route 53 public hosted zone to route traffic for the Duo Network Gateway domain and its subdomains.
    • SSL/TLS certificates in AWS Certificate Manager (ACM) for the Duo Network Gateway portal server and admin server load balancers.
    • AWS Systems Manager to manage access to the Duo Network Gateway portal and admin servers.
    • An optional Amazon Simple Storage Service (Amazon S3) bucket for Duo Network Gateway portal server scripted deployment.

    *The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy Duo Network Gateway, follow the instructions in the deployment guide. The deployment process takes 15 minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account. 
    2. Launch the Quick Start, choosing from the following options:

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month and aggregates the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?