Cisco Secure Email Gateway Virtual (AMI)

Request AMI Provisioning

You can use an Amazon Machine Image (AMI) to create a virtual machine instance inside EC2.



Secure Email Gateway is not available in the AWS marketplace, contact your Cisco sales representative with your AWS account details (username and region) to provision an AMI image.

Information needed for provisioning:

Info NeededExample
AWS IDYour AWS 12 digit ID
AWS Region/Availability Zoneus-east-2



AMI deployments started at AsyncOS 14.0.0-692. Versions older than 14.0.0-692 are not available for AMI.

As of AsyncOS 15.0, all AMI provisioning as provided to customers as c600v.

Once you have received notification that provisioning is complete, see AMI Image Deployment to aid you with how to deploy the AMI.

AMI Sizing

The EC2 Instance Type details for Virtual Secure Email Gateway are as shown below:

AsyncOS VersionModelEC2 Instance TypevCPUvRAMvNIC (*)Minimum Disk Size

(*) Single NIC will be presented by default, but you can create an additional interface when initiating the instance.

Below is a screengrab of Amazon EC2 deployment with the recommended instance types:

Deploying on AWS

Please see the following before starting your AMI deployment: AMI Image Deployment

The virtual appliance User Guide has been updated to include all AWS/AMI information:
Deploying Cisco Secure Email Gateway, Secure Web, and Secure Email and Web Manager Virtual Appliances on Amazon Elastic Compute Cloud on Amazon Web Services

Please see the following sections to get started:


Can a deployment utilize c5.X or m5.X instance types?
It is recommended to deploy, as shown, using the c4.X instance types based on the ESA model provided. You may deploy newer AWS instance types at your choosing.

Can additional vCPU, vRAM, and disk size be utilized after AMI deployment?
Currently, this is not advised. Cisco has noted this and is under discussion.

What versions of AsyncOS are available for AMI deployments?
Cisco reserves the right to provide AsyncOS images based on availability. Please see the Deprovisioned AsyncOS Releases for more information.

The image provisioned and made available for AMI is AsyncOS 14.0.0-692. This is the base AMI image. Customers will need to deploy and upgrade, as needed, to get an updated version of 14.x or 15.x.

Are AMI deployed ESA covered by TAC/Cisco Support?
Yes. Please see Getting Support for Virtual Appliances.

Can I migrate my existing Cisco Secure Email Gateway (ESA) configuration for use with my AMI deployment?
Yes. You will need to have like-for-like versions running. I.e., ESA 14.0.0-692 > ESA (AMI) 14.0.0-692. More information regarding migrating configuration:

Can I cluster an existing on-premises ESA or virtual ESA with my AMI deployment?
Cisco Secure Email Gateway on-premise appliances are not supported on Cisco Secure Email and Web Manager appliance deployments on AWS.

Can I cluster an existing Cloud ESA (Cisco Secure Email Cloud Gateway) with my AMI deployment?
No. Due to CES infrastructure and network security, this is not permissible.

How do licensing and feature keys work for my AMI deployment?
You can use your existing Secure Email Gateway, Secure Web, or Secure Email and Web Manager
appliance license for deployments in Amazon AWS. After you deploy and launch the instance, you can install the license. You will be required to pay only the AWS infrastructure charges.

If you are an existing customer, see the Obtain a Virtual License (VLN) topic in the Best Practices for Virtual ESA, Virtual WSA, or Virtual SMA Licenses tech notes. If you are a new customer, contact your nearest Cisco partner to obtain a license.