A VPC is a logical (virtual) network in Amazon Web Services. It contains no subnets of its own yet; we will create the subnets in a later step. If you already have a VPC, you can continue to use that too, but please adjust it according to this guide.

First, create a new VPC which will be the home of two new subnets. The example uses 172.16.0.0/16 as the CIDR block for the entire VPC.

Creating a public subnet

Create a public subnet within the new VPC. The purpose of this subnet is to connect IPFire to the Internet. The RED interface will be placed in this subnet and will reach the Internet through the Internet Gateway that is created further below.

Here, you need to select the availability zone in which IPFire and your other instances will be running later.

Creating an internal subnet

Create an internal subnet, which should be larger than the public subnet because all internal instances will live in it. It is important to select the same availability zone that was used for the public subnet: all network interfaces of one instance must be in the same availability zone, so RED and GREEN cannot be in different zones.

Your subnets should now look like this:

Creating an Internet Gateway

To be able to connect your new VPC to the Internet, you need an Internet Gateway. Since it has no settings, it can simply be created and then attached to the VPC.

An Internet Gateway is a virtual router that connects the VPC with its private IP range to the public Internet. It performs one-to-one NAT between an instance's private address and the public or Elastic IP address associated with it.

Creating a Security Group

We need to create a new security group that allows full access (all protocols, from all sources). This is required so that internal instances can reach the firewall and so that the firewall can accept connections on RED. Note that with this group the AWS layer does not filter anything for the IPFire instance; IPFire's own firewall ruleset is what protects it. Once the setup works, you may tighten the group later (for example, restrict inbound traffic on the GREEN side to the VPC's CIDR block).

Creating a Network Interface

Create a new network interface in the internal subnet. This will later become the GREEN interface of the IPFire instance and is needed now so that routes can be created in the next step.

You can pick an IP address for the GREEN interface or have one assigned automatically. If you pick one yourself, keep in mind that AWS reserves the first four and the last address of every subnet.

After the network interface has been created, the Source/Destination check needs to be disabled. AWS drops packets that are neither sourced from nor addressed to an interface's own IP address while the check is enabled, which would discard all traffic IPFire forwards between the networks.

Setting up Route Tables

Route tables are required to steer traffic in the right direction. For each of the two new subnets, we will need one new route table. An instance sends its traffic to the VPC's implicit router first, which consults the route table associated with the instance's subnet to decide where the traffic goes.

After the route tables have been created, the Internet Gateway needs to be attached to the public route table as shown:

The internal subnet will not be connected to the Internet Gateway. Instead, its default route (0.0.0.0/0) will point at the GREEN network interface of the IPFire instance, so that all traffic leaving the internal subnet passes through the firewall.

As a final step, the route tables have to be assigned to the subnets as shown:

Allocate an Elastic IP Address

An Elastic IP address can be associated with an instance and stays the same for as long as you keep it. Otherwise an instance usually receives a new public IP address when it is stopped and started again.

Therefore it is recommended to allocate an Elastic IP address for the RED interface to avoid any problems with services that require a static IP address, such as VPNs.
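The whole procedure above (VPC, public and internal subnet, Internet Gateway, allow-all security group, GREEN interface with the Source/Destination check disabled, the two route tables and the Elastic IP) as one AWS CLI script. This is an added example and not part of the IPFire wiki or the IPFire project; the concrete subnet CIDRs (172.16.0.0/24 for the public subnet, 172.16.16.0/20 for the internal one), the availability zone eu-central-1a, the GREEN address 172.16.16.10, the security group name and the plan/apply switch are my own assumptions. Run it without arguments to print the planned commands and check the address plan offline; run it with `apply` to execute them against your account.

```bash
#!/usr/bin/env bash
# Added example, not IPFire project code. CIDRs, AZ, GREEN address, group name and
# the plan/apply switch are assumptions; adjust them for your account.
set -euo pipefail

VPC_CIDR="${VPC_CIDR:-172.16.0.0/16}"
PUBLIC_CIDR="${PUBLIC_CIDR:-172.16.0.0/24}"       # small: only RED lives here
INTERNAL_CIDR="${INTERNAL_CIDR:-172.16.16.0/20}"  # larger: GREEN and all internal instances
AZ="${AZ:-eu-central-1a}"                         # both subnets must share one AZ
GREEN_IP="${GREEN_IP:-172.16.16.10}"              # .0-.3 and the last address are AWS-reserved
APPLY="${APPLY:-0}"                               # 1 = really call the AWS API

# Dotted quad -> 32-bit integer so CIDR containment can be checked with a mask.
ip_to_int() {
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains OUTER INNER: succeeds if INNER lies completely inside OUTER.
cidr_contains() {
  local outer_ip=${1%/*} outer_len=${1#*/} inner_ip=${2%/*} inner_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  local mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$outer_ip") & mask )) -eq $(( $(ip_to_int "$inner_ip") & mask )) ]
}

# Sanity checks on the address plan before any API call is made.
check_plan() {
  local len_pub=${PUBLIC_CIDR#*/} len_int=${INTERNAL_CIDR#*/}
  if ! cidr_contains "$VPC_CIDR" "$PUBLIC_CIDR"; then echo "public subnet outside VPC"; return 1; fi
  if ! cidr_contains "$VPC_CIDR" "$INTERNAL_CIDR"; then echo "internal subnet outside VPC"; return 1; fi
  if cidr_contains "$PUBLIC_CIDR" "$INTERNAL_CIDR" || cidr_contains "$INTERNAL_CIDR" "$PUBLIC_CIDR"; then
    echo "subnets overlap"; return 1
  fi
  if [ "$len_int" -ge "$len_pub" ]; then echo "internal subnet should be larger than the public one"; return 1; fi
  if ! cidr_contains "$INTERNAL_CIDR" "$GREEN_IP/32"; then echo "GREEN IP not in internal subnet"; return 1; fi
  # AWS reserves the first four and the last address of every subnet.
  local off=$(( $(ip_to_int "$GREEN_IP") - $(ip_to_int "${INTERNAL_CIDR%/*}") ))
  local size=$(( 1 << (32 - len_int) ))
  if [ "$off" -lt 4 ] || [ "$off" -ge $((size - 1)) ]; then echo "GREEN IP is AWS-reserved"; return 1; fi
}

# aws_id QUERY ARGS...: run 'aws ec2 ARGS' and return the ID selected by QUERY.
# In plan mode the command is printed and a placeholder ID is returned instead.
aws_id() {
  local query=$1; shift
  if [ "$APPLY" = 1 ]; then aws ec2 "$@" --query "$query" --output text
  else echo "aws ec2 $* --query $query --output text" >&2; echo "${query##*.}-dryrun"; fi
}
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*" >&2; fi; }

build_network() {
  check_plan
  VPC_ID=$(aws_id Vpc.VpcId create-vpc --cidr-block "$VPC_CIDR")
  PUB_SUBNET=$(aws_id Subnet.SubnetId create-subnet --vpc-id "$VPC_ID" --cidr-block "$PUBLIC_CIDR" --availability-zone "$AZ")
  INT_SUBNET=$(aws_id Subnet.SubnetId create-subnet --vpc-id "$VPC_ID" --cidr-block "$INTERNAL_CIDR" --availability-zone "$AZ")
  IGW_ID=$(aws_id InternetGateway.InternetGatewayId create-internet-gateway)
  run aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"
  # Allow-all group, as the guide requires: filtering is left entirely to IPFire.
  SG_ID=$(aws_id GroupId create-security-group --group-name ipfire-allow-all --description "IPFire does the filtering" --vpc-id "$VPC_ID")
  run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
  GREEN_ENI=$(aws_id NetworkInterface.NetworkInterfaceId create-network-interface --subnet-id "$INT_SUBNET" --private-ip-address "$GREEN_IP" --groups "$SG_ID")
  # IPFire forwards packets that are neither from nor to its own address: the check must be off.
  run aws ec2 modify-network-interface-attribute --network-interface-id "$GREEN_ENI" --no-source-dest-check
  PUB_RT=$(aws_id RouteTable.RouteTableId create-route-table --vpc-id "$VPC_ID")
  INT_RT=$(aws_id RouteTable.RouteTableId create-route-table --vpc-id "$VPC_ID")
  run aws ec2 create-route --route-table-id "$PUB_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
  # The internal default route points at the GREEN interface, not at the Internet Gateway.
  run aws ec2 create-route --route-table-id "$INT_RT" --destination-cidr-block 0.0.0.0/0 --network-interface-id "$GREEN_ENI"
  run aws ec2 associate-route-table --route-table-id "$PUB_RT" --subnet-id "$PUB_SUBNET"
  run aws ec2 associate-route-table --route-table-id "$INT_RT" --subnet-id "$INT_SUBNET"
  RED_EIP=$(aws_id AllocationId allocate-address --domain vpc)
  echo "vpc=$VPC_ID public=$PUB_SUBNET internal=$INT_SUBNET green-eni=$GREEN_ENI red-eip=$RED_EIP"
}

if [ "${1:-plan}" = apply ]; then APPLY=1; fi
build_network
```

The Elastic IP is only allocated here; associate it with the RED interface once the IPFire instance exists. The plan mode exists so that the address checks (subnets inside the VPC, no overlap, internal larger than public, GREEN address not one of the five reserved addresses) run before anything is created.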