You can use an Amazon Machine Image (AMI) to create a virtual machine instance inside EC2. AMIs for Secure Web Appliance and Secure Email and Web Manager are available in the AWS marketplace.
Secure Email Gateway is not available in the AWS marketplace, contact your Cisco sales representative with your AWS account details (username and region) to provision an AMI image.
Information needed for provisioning:
|AWS ID||Your AWS 12 digit ID|
|AWS Region/Availability Zone||us-east-2|
|ESA model||C100V or C300v or C600v|
AMI deployments start at AsyncOS 14.0.0-692. Versions older than 14.0.0-692 are not available for AMI.
Once you have received notification that provisioning is complete, see AMI Image Deployment to aid you with how to deploy the AMI.
The EC2 Instance Type details for Virtual Secure Email Gateway are as shown below:
|AsyncOS Version||Model||EC2 Instance Type||vCPU||vRAM||vNIC (*)||Minimum Disk Size|
(*) Single NIC will be presented by default but the customer is allowed to create an additional interface at the time of initiating the instance.
Below is a screengrab of Amazon EC2 deployment with the recommended instance types:
Please see the following prior to starting your AMI deployment: AMI Image Deployment
The virtual appliance User Guide has been updated to include all AWS/AMI information:
Deploying Cisco Secure Email Gateway, Secure Web, and Secure Email and Web Manager Virtual Appliances on Amazon Elastic Compute Cloud on Amazon Web Services
Please see the following sections to get started:
- Cisco Secure Email Gateway, Secure Web, and Secure Email and Web Manager Virtual Appliance AMIs
- Deploying on AWS
Can a deployment utilize c5.X or m5.X instance types?
It is recommended to deploy as shown, using the c4.X instance types, based on the ESA model provided.
After AMI deployment, can additional vCPU, vRAM, and disk size be utilized?
Currently, this is not advised. Cisco has this noted and this is under discussion.
What versions of AsyncOS are available for AMI deployments?
The image that is provisioned and made available for AMI is AsyncOS 14.0.0-692. This is the base AMI image. Customers will need to deploy and then upgrade, as needed, to get an updated version of 14.x.
Are AMI deployed ESA covered by TAC/Cisco Support?
Yes. Please see Getting Support for Virtual Appliances.
Can I migrate my existing Cisco Secure Email Gateway (ESA) configuration for use with my AMI deployment?
Yes. You will need to have like-for-like versions running. I.e., ESA 14.0.0-692 > ESA (AMI) 14.0.0-692. More information regarding migrating configuration:
- How to Load or Migrate ESA Configuration on a Replacement ESA
- Migrating a Configuration from an Older HW Model (Cx70) to a New HW Model (Cx95)
Can I cluster an existing on-premises ESA or virtual ESA with my AMI deployment?
Cisco Secure Email Gateway on-premise appliances are not supported on Cisco Secure Email and Web Manager appliance deployments on AWS.
Can I cluster an existing Cloud ESA (Cisco Secure Email Cloud Gateway) with my AMI deployment?
No. Due to CES infrastructure and network security, this is not permissible.
How do licensing and feature keys work for my AMI deployment?
You can use your existing Secure Email Gateway, Secure Web, or Secure Email and Web Manager
appliance license for deployments in Amazon AWS. After you deploy and launch the instance, you can install the license. You will be required to pay only the AWS infrastructure charges.
If you are an existing customer, see the Obtain a Virtual License (VLN) topic in the Best Practices for Virtual ESA, Virtual WSA, or Virtual SMA Licenses tech notes. If you are a new customer, contact your nearest Cisco partner to obtain a license.
Updated about 1 month ago