# AWS

**Overview**

{% hint style="info" %}
If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the [HOW-TO guide for this particular deployment](/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway.md).
{% endhint %}

CloudGuard WAF can be deployed in AWS as either a single virtual machine or an Auto Scaling Group. It acts as a reverse proxy, and AWS Load Balancers can be deployed in front of it or behind it:

<figure><img src="/files/fb3g2b1pSqnjGV81XLU5" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
When deploying an Auto Scaling Group, the external load balancer is deployed automatically.
{% endhint %}

## Installation

Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:

#### Step 1: AWS Console Login

Log in to **AWS Console** and select the relevant region.

#### Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)

Search for [CloudGuard WAF in AWS Marketplace](https://aws.amazon.com/marketplace/server/procurement?productId=d9ada83e-6d91-448f-8097-63a789504f5f). During activation, a form is shown with a field for selecting one of the AWS regions. Select the region in which you wish to deploy the CloudGuard WAF Gateway.

#### Step 3: Verify required permissions

Verify that you have the required **IAM permissions:**

<details>

<summary>IAM permissions</summary>

* CloudFormation::DescribeStackEvents
* CloudFormation::DescribeStacks
* CloudFormation::ListStacks
* CloudFormation::ListStackResources
* CloudFormation::CreateStack
* elasticloadbalancing::DescribeLoadBalancers
* elasticloadbalancing::DescribeListeners
* elasticloadbalancing::DescribeTargetGroups
* elasticloadbalancing::CreateTargetGroup
* elasticloadbalancing::CreateListener
* elasticloadbalancing::CreateLoadBalancer
* elasticloadbalancing::ModifyTargetGroupAttributes
* elasticloadbalancing::ModifyLoadBalancerAttributes
* SNS::CreateTopic
* SNS::GetTopicAttributes
* SNS::Subscribe
* IAM::GetRolePolicy
* IAM::PutRolePolicy
* IAM::CreateInstanceProfile
* IAM::CreateRole
* IAM::AddRoleToInstanceProfile
* EC2::DescribeInternetGateways
* EC2::DescribeLaunchTemplates
* EC2::DescribeLaunchTemplateVersions
* EC2::DescribeKeyPairs
* EC2::DescribeSecurityGroups
* EC2::DescribeSubnets
* EC2::DescribeVpcs
* EC2::DescribeAccountAttributes
* EC2::CreateTags
* EC2::AuthorizeSecurityGroupIngress
* EC2::CreateLaunchTemplate
* EC2::CreateSecurityGroup
* EC2::RunInstances
* CloudWatch::PutMetricAlarm
* Health::DescribeEventAggregates

**If you want an Auto Scaling setup:**

* AutoScaling::UpdateAutoScalingGroup
* AutoScaling::CreateAutoScalingGroup
* AutoScaling::DescribeAutoScalingGroups
* AutoScaling::DescribeScalingActivities
* AutoScaling::PutScalingPolicy
* AutoScaling::PutNotificationConfiguration

**If you want to store certificates in AWS:**

* KMS::CreateGrant
* KMS::DescribeKey

</details>

#### Step 4: **Deployment using CloudFormation**

Choose one of the three deployment options:

{% tabs %}
{% tab title="Single Gateway into new VPC" %}
![](/files/t9Mdq6rXAmjm8r1I4ZZG)

#### Choose the correct fulfillment option in the Marketplace offer:

<figure><img src="/files/bvZiWtQXk3obS2bSZ90j" alt=""><figcaption></figcaption></figure>

**VPC Network Configuration**

![](/files/Nm4QgFBGVopBFEy9wGXA)

* **Availability Zone** - The availability zone in which to deploy the instance.
* **VPC CIDR** - The CIDR of the new VPC that the CloudFormation template creates.
* **Public Subnet CIDR** - The Public (Frontend) subnet of the CloudGuard WAF's Gateway.
* **Private Subnet CIDR** - The Private (Backend) subnet of the CloudGuard WAF's Gateway.

**EC2 Instance Configuration**

![](/files/9hOCjSNPN3Aa8TxcruUM)

* **Gateway Name** - EC2 name.
* **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/).
  * Minimum requirements: c5.large
* **Key name** - The EC2 Key Pair you created for this region.
* **Auto Assign Public IP** - If set to Yes, the instance is assigned a public IP address.
* **Enable AWS Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html).

**Check Point Settings**

![](/files/0YUXCIXmGu7hp2x1bGo5)

* **Gateway’s Password hash** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.\
  Use this command to create the hash:\
  `openssl passwd -1 <`*`password`*`>`.\
  \
  It is also possible to create a password using the SHA512 algorithm as follows:\
  `openssl passwd -6 <`*`password`*`>`.
* **Infinity Next Agent Token** - The token copied from the profile.

  <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Make sure you obtain the &#x3C;token> from the <a href="/pages/SK2esLt6SM0XOzN5wy9L">Enforcement <strong>Profile</strong></a> page, <strong>Authentication</strong> section. </p><p><img src="/files/tAyti9aG3utyFHls2McN" alt=""></p></div>
* **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically.

**Advanced Settings**

![](/files/bh73A3zCwPnS8OQ3X2Xq)

* **Gateway Hostname (Optional)** - The Gaia Hostname.
* **Bootstrap Script (Optional)**

The default Security Group associated with the created VPC allows inbound traffic on these ports:

* TCP Port 22 - for SSH.
* TCP Port 443 - for HTTPS.
* TCP Port 30443 - The CloudGuard WAF Gateway's Web UI.
* TCP Port 80 - for HTTP.

To configure a single CloudGuard WAF gateway installation with SSL, refer to [Infinity Next Deployment and Configuration](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Next-Admin-Guide/Topics-Infinity-Next/Infinity-Next-Deployment-and-Configuration.htm?tocpath=Infinity%20Next%20Deployment%20and%20Configuration%7C_____0#How-to-Manually-Upload-Certificates).
{% endtab %}

{% tab title="Single Gateway into existing VPC" %}
![](/files/lC4wjQZnpGhBgKHsKR5A)

#### Choose the correct fulfillment option in the Marketplace offer:

<figure><img src="/files/WxvK56gOMt6cPY0sbIzd" alt=""><figcaption></figcaption></figure>

**VPC Network Configuration**

![](/files/i0KaNK3NmVp2LLEnJlAq)

* **VPC** - Select an existing Virtual Private Network from your region.
* **Public Subnet CIDR** - Select the Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
* **Private Subnet CIDR** - Select the Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
* **Internal route table (optional)** - keep empty.

**EC2 Instance Configuration**

![](/files/9hOCjSNPN3Aa8TxcruUM)

* **Gateway Name** - EC2 name.
* **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/).
  * Minimum requirements: c5.large
* **Key name** - The EC2 Key Pair you created for this region.
* **Auto Assign Public IP** - If set to Yes, the instance is assigned a public IP address.
* **Enable AWS Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html).

**Check Point Settings**

![](/files/0YUXCIXmGu7hp2x1bGo5)

* **Gateway’s Password hash** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.\
  Use this command to create the hash:\
  `openssl passwd -1 <`*`password`*`>`.
* **Infinity Next Agent Token** - The token copied from the profile.

  <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Make sure you obtain the &#x3C;token> from the <a href="/pages/SK2esLt6SM0XOzN5wy9L">Enforcement <strong>Profile</strong></a> page, <strong>Authentication</strong> section. </p><p><img src="/files/2XmqeME8XJW4VhteQAZj" alt=""></p></div>
* **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically.

**Advanced Settings**

![](/files/bh73A3zCwPnS8OQ3X2Xq)

* **Gateway Hostname (Optional)** - The Gaia Hostname.
* **Bootstrap Script (Optional)**

A security group with the name suffix "\*\_PermissiveSecurityGroup" is created and associated with the existing VPC. This security group allows inbound traffic on these ports:

* TCP Port 22 - for SSH.
* TCP Port 443 - for HTTPS.
* TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
* TCP Port 80 - for HTTP.

To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to [Infinity Next Deployment and Configuration](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Next-Admin-Guide/Topics-Infinity-Next/Infinity-Next-Deployment-and-Configuration.htm?tocpath=Infinity%20Next%20Deployment%20and%20Configuration%7C_____0#How-to-Manually-Upload-Certificates).
{% endtab %}

{% tab title="Auto-Scaling group into existing VPC" %}
![](/files/0YnYa0ZkzdpO8aJ6m7TT)

#### Choose the correct fulfillment option in the Marketplace offer:

<figure><img src="/files/iNDWbDpIcF5Gm8uAlUXY" alt=""><figcaption></figcaption></figure>

#### VPC Network Configuration

![](/files/ZIPSN1fcEZEpOdPcfFVY)

* **VPC** - Select an existing Virtual Private Network from your region.
* **Gateways subnets** – Select at least two subnets in your VPC.

  The subnets must allow outbound traffic to the internet for communicating with CloudGuard WAF's Cloud.

**EC2 Instance Details**

<figure><img src="/files/lqrpLa2YDoChmFZkMIzr" alt=""><figcaption></figcaption></figure>

* **Auto Scaling Group name** - The name of the Auto Scaling Group. This name determines the VM's hostname prefix.
* **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/).\
  Minimum requirements: **c5.large**
* **Volume encryption** - EBS encryption of the instance volumes using the AWS managed KMS key. Custom KMS keys are not supported.\
  If regional encryption is used, both AWS managed and custom KMS keys are supported.
* **Allow access from** - Specifies the client IP addresses that can reach your instance. This IP address range must be in CIDR notation.
  * To add IP addresses after the deployment:
    1. Go to your deployed Stack > Resources or go to Services > EC2 > Security Groups and select the relevant Security Group.
    2. Click Edit inbound rules.
    3. Below the Source field, enter a list of IP addresses.
* **Key name** - The EC2 Key Pair you created for this region.
* **Enable EC2 Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html).
* **Gateway’s Password hash (Optional)** – This relates to Check Point Gaia administration portal. Read the next section for further explanation.

#### **Check Point Related Settings**

<figure><img src="/files/1d3Fq0j4HnaJ0ZXJQGTZ" alt=""><figcaption></figcaption></figure>

* **Gateway’s Password hash (Optional, appears in EC2 instance details section)** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.

  Use this command to create the hash:

  `openssl passwd -1 <`*`password`*`>`.
* **Infinity Next Agent Token** - The token copied from the profile.

  <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Make sure you obtain the &#x3C;token> from the <a href="/pages/SK2esLt6SM0XOzN5wy9L">Enforcement <strong>Profile</strong></a> page, <strong>Authentication</strong> section. </p><p><img src="/files/2XmqeME8XJW4VhteQAZj" alt=""></p></div>
* **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically.
* **Specify an S3 bucket for scaling events** - This option defines an S3 bucket (new or existing) that allows scaling events to occur without connecting to Check Point's cloud. Using an S3 bucket is recommended so that scaling events are not disrupted by, for example, temporary Internet connectivity issues, since a new instance must fetch its software and policy.<br>

  <figure><img src="/files/BHXxEjZEL0Z1taVN9sog" alt=""><figcaption></figcaption></figure>
* **Specify an S3 bucket name** - If you selected "existing S3 bucket" or "new S3 bucket", you must specify the name of the S3 bucket here.

#### Auto Scaling Group Settings

![](/files/uQJccCniKunpiqrHKEJj)

* **Type of the Load Balancer** - Choose whether you want to deploy a solution with network or application load balancer.

{% hint style="warning" %}
Note - For an application load balancer, to enable the HTTP health checks, add the following settings to the Infinity Next profile:

Key: `agent.rpmanager.nginxIncludeLines`

Value: `server {listen 8117; return 200;}`

Key: `agent.config.orchestration.healthCheckProbe.enable`

Value: `false`\
![](/files/nZcoXDLFZjvtMFjI7tdA)
{% endhint %}

* **Scheme of the Load Balancer** - Choose if the load balancer should be Internal or External.
* **Initial number of gateways** – The initial number of EC2 instances that are deployed together with the Auto Scaling Group.
* **Maximum number of gateways** – The maximum number of EC2 instances the Auto Scaling Group can scale to.
* **Bootstrap script (Optional)** - An optional script to run on the initial boot.
* **Administrator email address (Optional)** - An email address to notify about scaling events.
{% endtab %}
{% endtabs %}
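Added example (not part of this page or of the CloudGuard WAF product): a Python audit of the inbound rules listed in the single-gateway tabs and the **Allow access from** setting above. It reports management ports (22 and 30443) reachable from outside an allowed CIDR and tightens them, mirroring the manual "Edit inbound rules" step. The sample rules are constructed in the shape of `aws ec2 describe-security-groups` output, and 203.0.113.0/24 is a placeholder management CIDR.

```python
import ipaddress

# Inbound ports the template opens (from the page) and which of them are management-only.
PORT_ROLE = {22: "SSH", 80: "HTTP", 443: "HTTPS", 30443: "Gateway Web UI"}
MANAGEMENT_PORTS = {22, 30443}


def parse_allow_from(cidr):
    """Validate an 'Allow access from' value as the template expects it:
    CIDR notation with no host bits set (raises ValueError on e.g. 10.0.0.1/8)."""
    return ipaddress.ip_network(cidr, strict=True)


def audit_ingress(permissions, allowed_mgmt_cidrs):
    """List management ports reachable from sources outside allowed_mgmt_cidrs.
    `permissions` follows the IpPermissions shape of describe-security-groups."""
    allowed = [parse_allow_from(c) for c in allowed_mgmt_cidrs]
    findings = []
    for perm in permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if any(src.version == a.version and src.subnet_of(a) for a in allowed):
                continue
            findings.extend(f"port {p} ({PORT_ROLE[p]}) open to {src}" for p in exposed)
    return findings


def restrict_management(permissions, allow_from):
    """Copy of permissions where single-port management rules (22, 30443) accept
    only allow_from, mirroring the manual 'Edit inbound rules' step on the page.
    Rules spanning several ports are left as-is so traffic ports stay reachable."""
    src = str(parse_allow_from(allow_from))
    tightened = []
    for perm in permissions:
        port = perm.get("FromPort")
        if perm.get("IpProtocol") == "tcp" and port == perm.get("ToPort") and port in MANAGEMENT_PORTS:
            perm = {**perm, "IpRanges": [{"CidrIp": src}]}
        tightened.append(perm)
    return tightened


def _rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample mirroring the template's default group: every listed port open to all.
DEFAULT_RULES = [_rule(p, "0.0.0.0/0") for p in PORT_ROLE]

if __name__ == "__main__":
    office = "203.0.113.0/24"  # placeholder management CIDR; substitute your own
    print("before:", audit_ingress(DEFAULT_RULES, [office]))
    print("after: ", audit_ingress(restrict_management(DEFAULT_RULES, office), [office]))
```

Run it against the real `IpPermissions` of the stack's security group to confirm that only 80 and 443 remain open to 0.0.0.0/0 after the edit.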

{% hint style="info" %}
Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 instance boots, it automatically connects to Check Point, registers using the token you provided and fetches your policy. Then, either [Store Certificates in AWS](/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws.md) or [Store Certificates on the Gateway](https://app.gitbook.com/o/NmlxbSkVNQHTmh0JtAB1/s/EWA4nfgNrSRL8dA6Kap7/~/changes/h5oX1fXrzha8sEBzZWYF/getting-started/deploy-appsec-gateway-agent/deployment-as-vm-gateway/store-certificates-on-the-gateway). If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway connected successfully.
{% endhint %}

<details>

<summary><strong>Troubleshooting Tips</strong></summary>

* After launching the CloudFormation stack, you can monitor the creation of AWS resources in the AWS console under the 'Resources' tab of the deployed parent and nested stacks.\
  If provisioning fails, the created resources are deleted, and the reason for the failure can be viewed under the 'Events' tab of the failed stack.
* Verify that you entered the correct Token from the profile page. Otherwise your AppSec Gateway will not be able to connect to Check Point's cloud.
* Verify that the subnet where you deploy the AppSec Gateway has outbound internet connectivity.
* Verify that the chosen EC2 instance type is available in your region.
* Verify that you have the IAM permissions listed above to run the CloudFormation stack.

</details>

#### Step 5: SSL Certificates

Choose the desired SSL Certificates storage method:

{% content-ref url="/spaces/EWA4nfgNrSRL8dA6Kap7/pages/HnnSNdbCBaph9CD2gbQB" %}
[Store Certificates in AWS](/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws.md)
{% endcontent-ref %}

{% content-ref url="/spaces/EWA4nfgNrSRL8dA6Kap7/pages/sQRmqjD1Uo1WVzznmo8e" %}
[Store certificates on Gateway](/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway.md)
{% endcontent-ref %}

#### Step 6: Launch the stack

To launch the Stack, select these two checkboxes:

![](/files/IfKbeeW6eQ1oGltoPnWq)

{% hint style="warning" %}
When deploying a CloudGuard WAF Gateway without assets connected to the profile, the Gateway is deployed with the Orchestrator nano-service only.

In this case, the load balancer health check port must be changed manually from port 5555 to port 8117.
{% endhint %}
