
Cisco Secure Firewall Cloud Native on AWS

Provision, run, and scale containerized Cisco security services

This Quick Start deploys Cisco Secure Firewall Cloud Native to the Amazon Web Services (AWS) Cloud. This deployment extends Cisco security to the cloud using Amazon Elastic Kubernetes Service (Amazon EKS), which runs the Kubernetes management infrastructure that automates tasks such as patching, node provisioning, and updates. 

This Quick Start is for organizations with remote workers and multitenant environments. For more information, refer to Cisco Secure Firewall Cloud Native.

This Quick Start was developed by Cisco in collaboration with AWS. Cisco is an AWS Partner.

What you'll build

This Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • Amazon Route 53 for virtual private network (VPN) load balancing and Cloud Native Firewall (CNFW) health monitoring.
    • Amazon EKS for Kubernetes orchestration of the Cisco Secure Firewall cluster, including the Redirector, Control Point, and Enforcement Point.
    • Amazon Elastic File Service (Amazon EFS) for elastic file systems for the Control Point and Enforcement Point.
    • Amazon ElastiCache for Redis to store information on VPN sessions. The Redirector pod uses this information for load balancing and recovery.
    • In the public subnets:
      • Secure Firewall Cloud Native Redirector for load balancing of remote access VPN traffic.
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Secure Firewall Cloud Native Control Point in an Auto Scaling group for configuration validation, licensing, and route management.
      • Secure Firewall Cloud Native Enforcement Point for termination of VPN sessions and forwarding of traffic.
      • CNFW Elastic Network Interfaces (ENI) in an Auto Scaling group.
    • In the private subnets:
      • CNFW ENIs in an Auto Scaling group.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

To deploy this Quick Start, follow the instructions in the deployment guide, which includes these steps. The stack takes about 50 minutes to launch.

    1. Sign in to your AWS account. If you don't have an account, sign up at
    2. Subscribe to Cisco Secure Firewall Cloud Native BYOL on AWS Marketplace.
    3. Launch the Quick Start. Choose the Region from the top toolbar before creating the stack. You can choose from the following options:
    4. Test the deployment.
    5. Complete postdeployment steps.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

Cost and licenses

This Quick Start requires a Cisco Secure Firewall Cluster license to deploy more than one Cloud Native Firewall Cluster enforcement point limited to 100 Kbps. To obtain a license, refer to Cisco Software Central. This Quick Start also requires a subscription to Cisco Secure Firewall Cloud Native BYOL on AWS Marketplace.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?