Create a Forcepoint FlexEdge Secure SD-WAN instance using Manual Launch

Configure and launch an instance of the Forcepoint FlexEdge Secure SD-WAN AMI using Manual Launch.

CAUTION:
If required for regulatory compliance, or in environments with stricter security requirements, we recommend using dedicated instances when you deploy Forcepoint FlexEdge Secure SD-WAN in AWS.

We recommend using the following instance types depending on the Forcepoint FlexEdge Secure SD-WAN product:

Forcepoint FlexEdge Secure SD-WAN product | EC2 instance type
FlexEdge Secure SD-WAN 2 CPU              | M4.large
FlexEdge Secure SD-WAN 4 CPU              | M4.xlarge or C4.xlarge
FlexEdge Secure SD-WAN 8 CPU              | M4.2xlarge or C4.2xlarge
FlexEdge Secure SD-WAN 16 CPU             | C4.4xlarge

For information about VM size and network performance, see the Amazon documentation at https://aws.amazon.com/ec2/instance-types/. Enabling some Forcepoint FlexEdge Secure SD-WAN features, such as inspection, might decrease the network throughput.

Forcepoint FlexEdge Secure SD-WAN is designed to receive and manage all traffic on all ports. Use a security group that allows inbound and outbound connections on all ports for the instance on which Secure SD-WAN is running.

Steps

  1. In the AWS Marketplace, start the launch for the Forcepoint FlexEdge Secure SD-WAN AMI.
  2. Click the Manual Launch tab.
  3. Select an instance type that meets your performance needs.
    The AMI automatically restricts the instance types so that only compatible instance types are available.
  4. Add one or more interfaces and map ENIs to the interfaces.
    1. To add an interface, click Add Device.
      Note: The wizard only allows you to add two interfaces. If you need to add more interfaces, use the command line tools.
      Add all required interfaces while creating the instance. If you add interfaces later, a reboot is required before the interfaces become available.
    2. From the Network Interface drop-down list for eth0, select the ENI for the control interface.
    3. From the Network Interface drop-down list for the other interfaces, select the ENI to connect to each interface.
  5. If you want to transfer the initial configuration file to the instance, add the initial configuration as user data.

    We recommend transferring the engine's initial configuration as user data when you launch the Forcepoint FlexEdge Secure SD-WAN instance. When you provide user data, the engine automatically makes initial contact with the Management Server when it starts. After it is launched, the Forcepoint FlexEdge Secure SD-WAN instance automatically appears in the Management Client.



    1. In the User Data options, select As Text.
    2. In the Save or Upload Initial Configuration dialog box in the Management Client, click Copy to Clipboard.
    3. In the EC2 Management Console, paste the text that you copied from the Save or Upload Initial Configuration dialog box into the User Data field.
  6. Click Review and Launch.
  7. On the Review Instance Launch page, select an existing key pair or create a new key pair for SSH connections to the Secure SD-WAN engine.
    Note: The key is the only allowed authentication method for SSH connections to the engine command line.

    If the default security group is too limited for your environment, you can select a different security group or change the rules. You can also configure the Secure SD-WAN Engine to restrict access.
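
The note in step 4 says that more than two interfaces must be added with the command line tools. The following is an added example, not Forcepoint's own procedure: it builds the interface mapping for any number of existing ENIs (first ENI as eth0, the control interface) and assembles an `aws ec2 run-instances` call with the key pair, dedicated tenancy and the initial configuration as user data. The AMI ID, key name, ENI IDs and file name are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Forcepoint's code). All IDs and names are placeholders.

# Build the --network-interfaces JSON from existing ENI IDs. The first ENI
# gets device index 0 (eth0, the control interface); the rest follow in order.
build_network_interfaces() {
  [ "$#" -ge 1 ] || { echo "need at least the control-interface ENI" >&2; return 1; }
  _json="" _idx=0
  for _eni in "$@"; do
    # Accept only "eni-" followed by lowercase hex before it reaches the CLI.
    case $_eni in
      eni-|eni-*[!0-9a-f]*) echo "bad ENI ID: $_eni" >&2; return 1 ;;
      eni-*) ;;
      *) echo "bad ENI ID: $_eni" >&2; return 1 ;;
    esac
    _json="$_json${_json:+,}{\"DeviceIndex\":$_idx,\"NetworkInterfaceId\":\"$_eni\"}"
    _idx=$((_idx + 1))
  done
  printf '[%s]\n' "$_json"
}

# Usage: launch_engine AMI TYPE KEY_NAME USER_DATA_FILE ENI...
# Prints a preview of the command (not shell-quoted); LAUNCH=1 executes it.
# Security groups are not passed here: they stay attached to the ENIs.
launch_engine() {
  [ "$#" -ge 5 ] || { echo "usage: launch_engine AMI TYPE KEY FILE ENI..." >&2; return 1; }
  _ami=$1 _type=$2 _key=$3 _cfg=$4; shift 4
  _nics=$(build_network_interfaces "$@") || return 1
  # Tenancy=dedicated follows the page's caution; omit it if not required.
  # The CLI base64-encodes the file:// user data (the text copied from the
  # Management Client and saved to a file).
  set -- aws ec2 run-instances --image-id "$_ami" --instance-type "$_type" \
    --key-name "$_key" --placement Tenancy=dedicated \
    --user-data "file://$_cfg" --network-interfaces "$_nics"
  if [ "${LAUNCH:-0}" = 1 ]; then "$@"; else printf '%s ' "$@"; echo; fi
}

# Constructed sample call: three interfaces, one more than the wizard allows.
# m4.xlarge is the API spelling of the M4.xlarge type listed above.
launch_engine ami-00000000000000000 m4.xlarge engine-ssh-key initial-config.txt \
  eni-0a1b2c3d eni-1a2b3c4d eni-2a3b4c5d
```
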

Result

When the Secure SD-WAN Engine installation is complete and the engine is ready to process traffic, the status of the Secure SD-WAN Engine element changes in the Management Client to Online. The connection state is Connected, indicating that the Management Server can connect to the node.

You can also check the status of the Secure SD-WAN Engine in the AWS console. To check the status, select Actions > Instance Settings > Get system log. The system log shows the following information:
Management server contact successful
Sg-auto-contact done