Using Sophos UTM to Connect Two VPCs Together

This post is based on Connecting Multiple VPCs with Astaro Security Gateway. VPCs are isolated from each other even they are under the same AWS account in the same region. In order to tie them together, you will  need to establish a VPN connection between each other. One way to do it is to use Sophos UTM (previously known as Astaro Security Gateway). I will walk through how to do it in the following few steps:

  1. Create the First VPC
  2. Launch a Sophos UTM Instance
  3. Create the Second VPC
  4. Setup the Sophos UTM Instance

Create the First VPC

The easiest way to create a VPC is to use the Start VPC Wizard. You can find the Start VPC Wizard button in the VPC Dashboard.

VPC Dashboard

Once you click it, it will bring up a wizard below. Select VPC with a Single Public Subnet Only and click Continue.

VPC Wizard

By the default, the wizard will set the IP CIDR block to and the subnet to For my demonstration, I will use and respectively. You can leave everything alone and click Create VPC button.  The VPC should get created right away.

Launch Sophos UTM Instance

In the EC2 Dashboard, click Launch Instances button. It will bring up a Create a New Instance wizard.

EC2 Dashboard

Select AWS Marketplace option and type Sophos. Then click GO. It will return 2 results for Sophos.

AWS Marketplace

You will want to use the first one Sophos UTM 9 BYOL. The features that are required to connect multiple VPCs are all included in Essential Firewall Edition. You can request a license from Astaro’s License Key Registration form. You don’t have to apply the license key right away. You have 30 days before the evaluation period expires. Make sure you apply the license prior to it. Once the evaluation period expires, the web interface to administrate the Sophos UTM will be disabled. You will not be able to log in or make any changes.


Click Sophos UTM 9 BYOL link. It will get you more details about Sophos UTM 9. In the For region option, select the region you want to launch it. In my demonstration, it will be US West (Northern California) where the first VPC is created. Then click Continue button to proceed to the next screen.

Sophos Continue

The Region should have set to the region you have selected in the previous screen. If not, select your desired region. You can change the EC2 Instance Type to Standard Micro (t1.micro) to keep the cost minimum. You will need to select VPC and Subnet to reflect yours. Leave everything else alone and click Launch with 1-Click button to create the instance. It will take 15-30 minutes to provision the instance.

Launch with 1-Click

Go to VPC Management Console, select Route Tables from the left navigation section and add an entry to route to the Sophos UTM  assuming is the CIDR block for the second VPC. If the instance ID of the Sophos UTM is not listed, you will need to select Enter instance ID to locate it.

VPC 1 Route Table

Once the Sophos UTM Instance is provisioned, assign an elastic IP (public IP) to the Sophos UTM instance. You will also need to disable the Source/Dest Check setting. Right click the instance and select  Change Source / Dest Check option. Click Yes, Disable button to disable the check.

Source Dest Check

Open https://:4444 to set up Sophos UTM, where is the public IP you have associated with your Sophos UTM instance. Fill out all the fields and click Perform basic system setup button to proceed.

Sophos Setup

Create the Second VPC

Go to another region and follow the steps listed in Create the First VPC. Instead of using and as the CIDR block and Subnet.  Please make sure the blocks are different than the first VPC.

Subnet 2

Select Customer Gateways from the left navigation section and create a new customer gateway which is the Sophos UTM resided in the first VPC. Make sure to select Dynamic for Routing and the public IP of the Sophos UTM for IP Address. BGP ASN can be set to 65000. Then click Yes, Create button to proceed.

Customer Gateway

Select Virtual Private Gateways from the left navigation section and create a new virtual private gateway which will be used by the route table to route to Sophos UTM. Once the virtual private gateway is created, click Attach to VPC button attach it to the VPC.

Virtual Private Gateway

Select VPN Connections from the left navigation section and create a new VPN connection to connect to the Sophos UTM. Select the virtual private gateway and customer gateway you have created. Make sure to select Use dynamic routing (requires BGP) option. Then click Yes, Create button to proceed.


Once the VPN connection is created, click Download Configuration to down the appropriate configuration file for Sophos UTM. You will need to select Sophos as Vendor, UTM as Platform, and V9 as Software.


You will need to replace the public IP of Sophos UTM  with the private IP of the Sophos UTM in the downloaded configuration file. The replacement should occur in two places in the file.

Configuration Updated

Go to VPC Management Console, select Route Tables from the left navigation section and add an entry to route to the Virtual Private Gateway assuming is the CIDR block for the first VPC. The Virtual Private Gateway starts with vgw- prefix.

VPC 2 Route Table

Setup the Sophos UTM Instance

Open https://Sophos UTM>:4444 to apply the configuration file to VPC config file under Site-to-Site VPN > Amazon VPC > Setup > Import via Amazon VPC configuration section.

Amazon VPC

Once the configuration file is imported and applied, you will see the tunnels turning green.

VPC Tunnel

Go to Network Protection > Firewall and add a rule to allow any sources to any destinations for any services. You can click on the folder icon to drag and drop the Any option to each text area. When the rule is added, it is turned off by default. Make sure to toggle the switch from off position to on position to enable it.


The last step you may want to do is to apply the license. You can upload and apply it to License file under Management > Licensing > Installation.

This entry was posted in Uncategorized and tagged , , , , , , , . Bookmark the permalink.

One Response to Using Sophos UTM to Connect Two VPCs Together

  1. Sunil Kewade says:

    awesome article.. very helpful.. thanks
    cheers !!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s