reference deployment

Cisco ISE on AWS

Virtualized network-access-control appliance

This Partner Solution deploys Cisco Identity Services Engine (ISE) on the Amazon Web Services (AWS) Cloud. It's for organizations that want a common policy engine that enables endpoint access control and network device administration. This Partner Solution extends Cisco ISE policies in your home network to remote deployments using AWS best practices for security and high availability.

Cisco logo

This Partner Solution was developed by Cisco in collaboration with AWS. Cisco is an AWS Partner.

  •  What you'll build
  • The Partner Solution sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets, managed NAT gateways to allow outbound internet access for resources in the private subnets.*
    • In the private subnets:*
      • One Cisco ISE primary and one Cisco ISE secondary node deployed to Amazon Elastic Compute Cloud (Amazon EC2) instances.
      • A Network Load Balancer attached to the private subnets. The load balancer distributes Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) requests among Cisco ISE nodes.
    • Amazon Route 53 for Domain Name Service (DNS) resolution between Cisco ISE instances. 
    • AWS Lambda for health checks, deployment, and failover of Cisco ISE instances.
    • AWS Step Functions for state machines to deploy and manage failover of Cisco ISE instances.
    • AWS Systems Manager to store state information about Cisco ISE instances.
    • Amazon CloudWatch for logging and generating events about Cisco ISE instances.
    • Amazon EventBridge for rules to invoke Step Functions state machines.
    • Amazon Simple Notification Service (Amazon SNS) to manage subscriptions to deployment, health check, and failover email notifications.

    * The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps.

    1. Sign in to your AWS account. If you don't already have an AWS account, sign up at
    2. In the AWS Marketplace, subscribe to the Cisco Identity Services Engine (ISE) AMI.
    3. Launch the Partner Solution. Before you create the stack, choose the AWS Region from the top toolbar. The stack takes 60–90 minutes to deploy. Choose one of the following options:
    4. Confirm the SNS topic subscription, enable maintenance mode, and change the administrator password in the Cisco ISE console.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • This Partner Solution requires a subscription to the Amazon Machine Image (AMI) for Cisco Identity Services Engine (ISE), available on AWS Marketplace.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?