Barracuda Web Application Firewall Deployment and Quick Start Guide for Amazon Web Services

The Barracuda Web Application Firewall for AWS can be deployed in One-Arm Proxy Mode on Amazon Web Services. This article explains One-Arm Proxy Mode deployment. Complete the steps in this guide to configure, launch, and license your Barracuda Web Application Firewall instance. Then log into the Barracuda Web Application Firewall to verify your configuration and change your password.

Requirements

Before you deploy the Barracuda Web Application Firewall on Amazon Web Services, ensure that you have completed the following:

Step 1 - Create a Security Group

Create a security group with rules specifying allowed protocols, ports and source IP ranges. Multiple security groups can be created with different rules, and assigned to each instance. For more information on security groups, refer to the AWS article Amazon EC2 Security Groups.

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 dashboard, select Security Groups under Network & Security.
  3. Click Create security group.
  4. In the Create security group window, do the following:
    1. Enter a name to identify the security group.
    2. Specify the description for the security group.
    3. Select a VPC ID from the list.

    By default, the Barracuda Web Application Firewall web interface listens on port 8000 for HTTP and port 8443 for HTTPS. Make sure these ports (8000 and 8443) are allowed by the Inbound rule of the associated security group. Also, add the port(s) through which you configure the Service(s) for this instance.

    Step 2 (Optional) - Allocate and Assign an Elastic IP Address to Your Instance

    When an instance of your Barracuda Web Application Firewall is created, a public IP address is associated with the instance. That public IP address changes automatically when you STOP and START the Barracuda Web Application Firewall. To resolve this issue, assign a persistent public IP address to the instance using Elastic IP addressing. For more information, refer to the Amazon Web Services article Elastic IP Addresses.

    1. Log into the Amazon EC2 Management Console.
    2. From the EC2 dashboard, select Elastic IPs under Network & Security.
    3. Click Allocate Elastic IP Address.
    4. On the Allocate Elastic IP address page, keep the default settings and click Allocate to allocate a new IP address. A random Public IP gets generated and displayed in the Elastic IP addresses table.
    5. In the Elastic IP addresses table, click on the new allocated IP address.
    6. On the IP address page, click Associate Elastic IP address.
    7. On the Associate Elastic IP address page:
      1. Select Instance and the Private IP Address of the instance from the respective lists.
        OR
      2. Select Network Interface and the Private IP Address from the respective lists.
      3. Select the Allow the Elastic IP address to be reassociated check box.

      If you have configured multiple internal IP addresses to the interface, then follow the steps above to allocate and assign the elastic IP address to each internal IP address, so that they can be accessed by the outside world.

      Step 3 - Deploy the Barracuda Web Application Firewall on Amazon Web Services

      Before you proceed, it is recommended that you go through the Deployment Best Practices article.

      In the Amazon VPC that you configured, launch an Amazon EC2 instance with the Barracuda Web Application Firewall AMI image. The Amazon Launch Instance wizard guides you through the following steps:

      1. Log into the AWS Management Console and open the EC2 Management Console.
      2. From the top right corner of the page, select the region for the instance. This is important because some Amazon EC2 resources can be shared between regions.

      Select_the_region.png

    8. Select Instances under Instances.
    9. On the Instances page, click Launch Instances.

      Launch_Instance.png

    10. On the Launch an instance page, do the following:
      1. Name and tags
        1. Name: Specify a name for the instance.
      2. Application and OS Images (Amazon Machine Image)
        1. Click Browsemore AMIs.

          Browse-AMIs.png

          On the Choose an Amazon Machine Image (AMI) page:

            Select AWS Marketplace AMIs and search for the Barracuda Web Application Firewall AMI. Click Select next to the Barracuda Web Application Firewall AMI.

          Choose_an_AMI.png

          Go through the overview and product details and click Continue.

          Barracuda_WAF_BYOL.png

        2. Click Confirm Changes when prompted.
      3. The selected AMI appears on the Launch an instance page.

        WAF_AMI.png

    11. Instance type
      1. Select an instance type from the drop-down list.
    12. Key pair (login)
      1. Select the existing key pair or create a new key pair.
    13. Network Settings
      1. VPC: Select the VPC from the drop-down list.
      2. Subnet: Select a subnet from the drop-down list. Make sure to select the subnet of the VPC where you want to create the instance.
      3. Firewall (security groups): Click Select existing security group to select and assign the security group(s) from the existing list, or choose Create security group to create a new group.
    14. Configure Storage
      1. The storage device settings for the instance is displayed. Modify the values if required.
    15. Advanced details
      1. Keep the default setting for all parameters.
  5. Review your settings under Summary and click Launch instance.

    Summary.png

After you click Launch instance, Amazon Web Services begins provisioning the Barracuda Web Application Firewall. Allow a few minutes for the Amazon Web Services Agent and the Barracuda Web Application Firewall image to boot up.

DO NOT restart the Barracuda Web Application Firewall while it is launching!

Step 4 - License the Barracuda Web Application Firewall

If you deployed the Barracuda Web Application Firewall with the Hourly/Metered option, you do not need to license the system; skip ahead to Step 7 - Verify Configuration and Change the Password.

If you deployed the Barracuda Web Application Firewall with BYOL, complete the licensing and provisioning of your system.

Instance_Details.png

  1. Log into the Amazon EC2 Management Console.
  2. From the EC2 Dashboard, select Instances under Instances.
  3. In the Instances table, select the Barracuda Web Application Firewall instance you created and note the Public IPv4 address.
  4. Open the browser and enter the copied Elastic IP address (from step 3) with port 8000 for HTTP. No port is required for HTTPS. For example:
    For HTTP: http://:8000 (Unsecured)
    For HTTPS: https:// (Secured)

The Barracuda Web Application Firewall is not accessible via HTTPS port when it is booting up. Therefore, use ONLY HTTP port to access the unit when booting. This displays the status of the unit i.e., System Booting. Once the boot process is complete, you will be redirected to the login page.

Licensing_BWAF_Vx.PNG

  1. I Already Have a License Token – Use this option to provision your Barracuda Web Application Firewall with the license token you have already obtained from Barracuda Networks. Enter your Barracuda Networks Token and Default Domain to complete licensing, and then click Provision.
    The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.
  2. I Would Like to Purchase a License – Use this option to purchase the license token for the Barracuda Web Application Firewall. Provide the required information in the form, accept the terms and conditions, and click Purchase.
    The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.
  3. I Would Like to Request a Free Evaluation – Use this option to get 30 days free evaluation of the Barracuda Web Application Firewall. Provide the required information in the form, accept the terms and conditions, and click Evaluate.
    The Barracuda Web Application Firewall connects to the Barracuda Update Server to get the required information based on your license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to the login page.

Step 5 - Open Network Address Ranges on Firewall

For more information on the list of Open Network Address ranges required for the firewall, refer to the Prepare for the Installation article.

Step 6 - Verify Configuration and Change the Password

  1. Log into the Barracuda Web Application Firewall web interface as the administrator using the URL, as described in step 4 of Licensing of the Barracuda Web Application Firewall after deploying on Amazon Web Services above. Log in with:
    1. Username:admin
    2. Password: Instance ID of your Barracuda Web Application Firewall in Amazon Web Services.

    Configuring the Service(s) on the Barracuda Web Application Firewall

    You can configure the services on the BASIC > Services page. In Amazon Web Services, the services can be created either using the System (WAN) IP address of the instance or any other IP address from the IP address pool as your System (WAN) IP address in the Virtual IP Address field. Note that configuring the VIP with an IP address from the IP address pool as your System (WAN) IP address is possible only for stand-alone instances. Also, ensure that you:

    If you want to cluster the Barracuda Web Application Firewall instances to load balance the traffic, ensure that the services are created using only the System (WAN) IP address. After the service is created using the System (WAN) IP address, the service will be accessible through the Public IP/DNS of the Barracuda Web Application Firewall VM. Ensure that the corresponding ports are opened in your security group and firewall.

    For more information on services, see Step 2: Configuring a Service. For detailed instructions on how to add a service, click the Help button.