Cisco Secure Firewall Management Center Virtual Getting Started Guide


Configure the AWS Environment


Overview

Learn how to configure the required AWS components before deploying Management Center Virtual. Understand how to set up a VPC, subnets, route tables, internet gateway, security groups, network interfaces, and Elastic IP addresses to prepare a functional and accessible cloud environment.

To deploy the Firewall Management Center Virtual on AWS you need to configure an Amazon VPC with your deployment-specific requirements and settings. In most situations a setup wizard can guide you through your setup. AWS provides online documentation where you can find useful information about the services ranging from introductions to advanced features. See Getting Started with AWS for more information.

For greater control over your AWS setup, the following sections offer a guide to your VPC and EC2 configurations prior to launching instances of the Firewall Management Center Virtual:


Create the VPC

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Firewall Management Center Virtual instances, into your VPC. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings.

Before you begin

  • Create your AWS account.

  • Confirm that AMIs are available for the Firewall Management Center Virtual instances.

Procedure

1. Log into aws.amazon.com and choose your region.

   AWS is divided into multiple regions that are isolated from each other. The region is displayed in the upper right corner of your screen. Resources in one region do not appear in another region. Check periodically to make sure you are in the intended region.

2. Click Services > VPC.

3. Click VPC Dashboard > Your VPCs.

4. Click Create VPC.

5. Enter the following in the Create VPC dialog box:

   1. A user-defined Name tag to identify the VPC.

   2. A CIDR block of IP addresses. CIDR (Classless Inter-Domain Routing) notation is a compact representation of an IP address and its associated routing prefix. For example, 10.0.0.0/24.

   3. A Tenancy setting of Default to ensure that instances launched in this VPC use the tenancy attribute specified at launch.

6. Click Yes, Create to create your VPC.

What to do next

Add an Internet gateway to your VPC as described in the next section.


Add the Internet Gateway

You can add an Internet gateway to connect your VPC to the Internet. You can route traffic for IP addresses outside your VPC to the Internet gateway.

Before you begin

  • Create a VPC for your Firewall Management Center Virtual instances.

Procedure

1. Click Services > VPC.

2. Click VPC Dashboard > Internet Gateways, and then click Create Internet Gateway.

3. Enter a user-defined Name tag to identify the gateway and click Yes, Create to create the gateway.

4. Select the gateway created in the previous step.

5. Click Attach to VPC and select the VPC you created previously.

6. Click Yes, Attach to attach the gateway to your VPC.

By default, the instances launched on the VPC cannot communicate with the Internet until a gateway is created and attached to the VPC.

What to do next

Add subnets to your VPC as described in the next section.


Add Subnets

You can segment the IP address range of your VPC into subnets to which the Firewall Management Center Virtual instances can be attached. You can create subnets to group instances according to security and operational needs. For the Firewall Threat Defense Virtual you need to create a subnet for management as well as subnets for traffic.

Procedure

1. Click Services > VPC.

2. Click VPC Dashboard > Subnets, and then click Create Subnet.

3. Enter the following in the Create Subnet dialog box:

   1. A user-defined Name tag to identify the subnet.

   2. A VPC to use for this subnet.

   3. The Availability Zone where this subnet will reside. Select No Preference to let Amazon select the zone.

   4. A CIDR block of IP addresses. The range of IP addresses in the subnet must be a subset of the range of IP addresses in the VPC. Block sizes must be between a /16 network mask and a /28 network mask. The size of the subnet can equal the size of the VPC.

4. Click Yes, Create to create your subnet.

5. Repeat for as many subnets as required. Create a separate subnet for management traffic and create as many subnets as needed for data traffic.
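As an added check that is not part of the Cisco guide, the following Python validates a planned set of subnets against the rules in the step above (each subnet inside the VPC range, prefix between /16 and /28, written on a network boundary) and also rejects overlapping subnets, which AWS will not accept. VPC_CIDR, SUBNET_PLAN and the subnet names are constructed placeholders.

```python
"""Validate a subnet plan against the rules stated in the Add Subnets step.

Added example, not Cisco documentation code. VPC_CIDR and SUBNET_PLAN are
constructed placeholders; replace them with your own planned ranges.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "fmc-mgmt": "10.0.0.0/24",      # management subnet (gets the Internet route)
    "data-inside": "10.0.1.0/24",   # data subnets for threat defense traffic
    "data-outside": "10.0.2.0/24",
}


def validate_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is acceptable.

    Checks: every subnet is inside the VPC block, its prefix length is between
    /16 and /28 inclusive (a subnet may be as large as the VPC itself), the CIDR
    is written on a network boundary, and no two subnets overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, parsed = [], {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside VPC {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: prefix /{net.prefixlen} is outside /16 to /28")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].version == parsed[b].version and parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


if __name__ == "__main__":
    for line in validate_subnet_plan(VPC_CIDR, SUBNET_PLAN) or ["subnet plan OK"]:
        print(line)
```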

What to do next

Add a route table to your VPC as described in the next section.


Add a Route Table

You can attach a route table to the gateway you configured for your VPC. You can also associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

Procedure

1. Click Services > VPC.

2. Click VPC Dashboard > Route Tables, and then click Create Route Table.

3. Enter a user-defined Name tag to identify the route table.

4. Select the VPC from the drop-down list that will use this route table.

5. Click Yes, Create to create your route table.

6. Select the route table that you just created.

7. Click the Routes tab to display the route information in the details pane.

8. Click Edit, then click Add another route.

   1. In the Destination column, enter 0.0.0.0/0.

   2. In the Target column, select the Internet Gateway you created above.

9. Click Save.

10. Click the Subnet Associations tab and click Edit.

11. Check the box next to the subnet to be used for the Firewall Management Center Virtual's management interface and click Save.

What to do next

Create a security group as described in the next section.


Create a Security Group

You can create a security group with rules specifying allowed protocols, ports and source IP ranges. Multiple security groups can be created with different rules which you can assign to each instance. AWS has detailed documentation on Security Groups if you are not familiar with this feature.

Procedure

1. Click Services > EC2.

2. Click EC2 Dashboard > Security Groups.

3. Click Create Security Group.

4. Enter the following in the Create Security Group dialog box:

   1. A user-defined Security group name to identify the security group.

   2. A Description for this security group.

   3. The VPC associated with this security group.

5. Configure Security group rules:

   1. Click Create Security Group.

   2. Under the Inbound section, click Add Rule.

      From the Type drop-down list, choose any of the following inbound ports to open for access from the internet. By default, the All Traffic type is selected.

      • SSH (22)

      • Custom TCP (8305)

      • HTTPS (443)

      Note

      HTTPS and SSH access is required to manage the Firewall Management Center Virtual from outside AWS. Specify the Source IP addresses accordingly. Also, if you are configuring both the Firewall Management Center Virtual and the Firewall Threat Defense Virtual within the AWS VPC, allow access from the private IP management subnet.

   3. Under the Outbound section, click Add Rule to add a rule for outbound traffic, or leave the defaults of All traffic (for Type) and Anywhere (for Destination).

6. Click Create security group to create your security group.
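The following Python is an added audit, not part of the Cisco guide or the AWS tooling: it reads inbound rules in the shape of the IpPermissions entries returned by AWS DescribeSecurityGroups and reports any rule that leaves the All Traffic default in place, opens ports beyond 22, 443 and 8305, or allows a management port from a wider source than planned. ADMIN_SOURCES, MGMT_SUBNET, EXPECTED_SOURCES and SAMPLE_RULES are constructed assumptions; the sample deliberately exposes port 443 to the whole internet so the audit has something to report.

```python
"""Audit inbound security group rules for a Management Center Virtual.

Added example, not Cisco documentation code. SAMPLE_RULES is constructed in
the shape of an AWS DescribeSecurityGroups IpPermissions entry; the CIDRs are
placeholders standing in for an admin range and the private management subnet.
"""
import ipaddress

MGMT_PORTS = {22: "SSH", 443: "HTTPS", 8305: "management tunnel"}

# Constructed assumptions: admin egress range and private management subnet.
ADMIN_SOURCES = ["203.0.113.0/24"]
MGMT_SUBNET = "10.0.0.0/24"
EXPECTED_SOURCES = {22: ADMIN_SOURCES, 443: ADMIN_SOURCES, 8305: [MGMT_SUBNET]}

# Constructed sample; the 443 rule is deliberately open to the whole internet.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8305, "ToPort": 8305,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}]},
]


def audit_inbound(rules, expected_sources=EXPECTED_SOURCES):
    """Return findings as strings; an empty list means the rules match the plan."""
    findings = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto == "-1":  # the console default "All Traffic" type
            findings.append("All Traffic rule present; restrict Type to specific ports")
            continue
        if proto != "tcp":
            findings.append(f"unexpected protocol {proto!r}")
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        ports = [p for p in expected_sources if lo <= p <= hi]
        if hi - lo + 1 != len(ports):  # range wider than the planned ports
            findings.append(f"tcp {lo}-{hi} opens ports outside the required set")
        for port in ports:
            allowed = [ipaddress.ip_network(c) for c in expected_sources[port]]
            for entry in rule.get("IpRanges", []):  # IPv4 only; Ipv6Ranges not handled
                src = ipaddress.ip_network(entry["CidrIp"])
                if not any(a.version == src.version and src.subnet_of(a) for a in allowed):
                    findings.append(f"{MGMT_PORTS.get(port, 'tcp')} ({port}) reachable from {src}; narrow the Source")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES) or ["rules match the plan"]:
        print(finding)
```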

What to do next

Create network interfaces as described in the next section.


Create Network Interfaces

You can create network interfaces for the Firewall Management Center Virtual using static IP addresses. Create network interfaces (external and internal) as needed for your particular deployment.

Procedure

1. Click Services > EC2.

2. Click EC2 Dashboard > Network Interfaces.

3. Click Create Network Interface.

4. Enter the following in the Create Network Interface dialog box:

   1. An optional user-defined Description for the network interface.

   2. Select a Subnet from the drop-down list. Make sure to select the subnet of the VPC where you want to create the instance.

   3. Enter a Private IP address. It is recommended to use a static IP address rather than auto-assign.

   4. Select one or more Security groups. Make sure the security group has all the required ports open.

5. Click Yes, Create to create your network interface.

6. Select the network interface that you just created.

7. Right-click and select Change Source/Dest. Check.

8. Choose Disabled, then click Save.

   Repeat this for any network interfaces you create.

What to do next

Create elastic IP addresses as described in the next section.


Create Elastic IPs

When an instance is created, a public IP address is associated with the instance. That public IP address changes automatically when you STOP and START the instance. To resolve this issue, assign a persistent public IP address to the instance using Elastic IP addressing. Elastic IPs are reserved public IPs that are used for remote access to the Firewall Management Center Virtual as well as other instances. AWS has detailed documentation on Elastic IPs if you are not familiar with this feature.

Note

At a minimum, you want to create one elastic IP address for the Firewall Management Center Virtual and two elastic IP addresses for the Firewall Threat Defense Virtual management and diagnostic interfaces.

Procedure

1. Click Services > EC2.

2. Click EC2 Dashboard > Elastic IPs.

3. Click Allocate New Address.

   Repeat this step for as many elastic/public IPs as you require.

4. Click Yes, Allocate to create your elastic IP.

5. Repeat for as many elastic IPs as your deployment requires.

What to do next

Deploy the Firewall Management Center Virtual as described in the next section.