Deploy Firezone on AWS with Terraform

In this guide, we'll deploy a cluster of Firezone Gateways in a private subnet on AWS that are configured to egress traffic to the internet through an AWS NAT Gateway.

Common use cases

Use this guide to give your Firezone Clients a static, public IP address for egress traffic to particular Resource(s). Here are some common use cases for this example:

• Access your AWS resources using more cost-effective, higher performance alternative to AWS Client VPN.
• Use an IP allowlist to access a third-party or partner application such as a client's DB or third-party API.
• Use an IP allowlist with your identity provider to lock down access to a public application.
• Enabling a team of remote contractors access to a regionally-locked application or service.

High availability

All Firezone Gateways deployed in this example will automatically failover and load balance for each other.

Prerequisites

1. Terraform
2. AWS account with the necessary permissions to create the resources.
3. A Firezone Site dedicated to use for this example. This Site should contain only the Firezone Gateway(s) deployed in this example and any associated Resources.
4. A Firezone Gateway token. This can be obtained by viewing your Site in the admin portal, clicking the Deploy Gateway button, and navigating to the instructions for the Terraform tab. Gateway tokens support multi-use, so only a single token is needed to provision the Firezone Gateways in this guide.

Sizing

Simply update the number of desired_capacity to deploy more or fewer Firezone Gateways. There's no limit to the number of Firezone Gateways you can deploy in a single VPC. A basic AutoScaling Group is provisioned as part of the linked module.

We've tested with t3.nano instances which still work quite well for most applications. However, you may want to consider a larger instance type if you have a high volume of traffic or lots of concurrent connections. See Gateway sizing recommendations for some general guidelines depending on your expected traffic.

Deployment

1. Download the main.tf from the example module.
2. Customize it as desired. At a minimum, you will need to set the firezone_token and change base_ami and region to match your environment.
3. Run terraform init to initialize the working directory and download the required providers.
4. Run terraform apply to deploy the Firezone Gateway(s) into your AWS project.

You can see the IP addresses assigned to the NAT Gateway in the Terraform output. These are the IP addresses that your Firezone Gateway(s) will share to egress traffic.

After a few minutes, you should see the Firezone Gateway(s) appear in the Firezone admin portal. You can now configure your Resources to use the new Firezone Gateway(s) you just provisioned.

Upgrading

To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a version to deploy with the firezone_version variable. Then, whenever you want to upgrade, update this variable and run terraform apply, which will trigger a new deployment of the Firezone Gateway(s) with the new version.

This will incur a few minutes of downtime as Terraform destroys the existing Firezone Gateway(s) and deploys new ones in their place.

Output

nat_public_ip will contain the public IP address of the NAT Gateway you can use to whitelist your Firezone Gateway(s) in your third-party or partner application.

Cleanup

To clean up the resources created by this example, run terraform destroy.