Deploy Threat Defense Virtual in a New VPC on AWS


This document describes deploying Cisco Secure Firewall Threat Defense Virtual and other network components on AWS using a terraform script. This procedure creates all the required resources in a new VPC on your AWS account. If you want to deploy the Threat Defense Virtual in an existing VPC on AWS, see Deploy Threat Defense Virtual in an Existing VPC on AWS.

End-to-End Process

The following flowchart illustrates the workflow for deploying Threat Defense Virtual in a new VPC on AWS.

Sample Topology

The following network topology is deployed on AWS.


Download and install Terraform on your local machine. For more information, see Install Terraform.

An AWS account with proper permissions for creating VPCs and EC2 instances. For more information, see Amazon VPC policy examples.


Perform the following steps to deploy the required infrastructure in a new VPC in your AWS account.


  1. Download the terraform scripts from here.
  2. Extract the zip file and open the folder.
  3. Open the terraform.tfvars file by using a code editor or "vim" and provide inputs.
  4. Add your aws_access_key , aws_secret_key and region in the space provided between double quotes. For example, region = “us-east-1.” For information on how to fetch access keys and secret access key for your account, see Managing access keys for IAM users.
  5. Optionally, add a password for admin in the admin_password field. By default, the password is Admin123.
  6. If required, change the version of the Threat Defense Virtual in the "FTD_version" field.
  7. Initialize the providers and modules by using the following command: terraform init
  8. Submit the terraform plan by using the following command: terraform plan --out filename
  9. Verify the output of the plan in the terminal and then apply the plan by using the following command: terraform applyfilename
  10. The terraform output displays the IP address of the management interface and the command to SSH into the firewall. Use these to access the Threat Defense Virtual over HTTPs/SSH.
  11. Open the AWS console after the deployment is complete. Go to your provided region and validate the final configuration.
    1. Go to Service > VPC to view all the configured subnets under your VPC.
    2. Go to Service > EC2 to view the EC2 instance of Threat Defense Virtual with the name - Cisco Threat Defense Virtual.



Do not delete the .terraform folder and terraform.tfstate files as they are required for the clean-up process.


We recommend that you delete the infrastructure deployment once it's not needed to prevent unnecessary billing on your AWS account.

To delete the infrastructure deployment that was created by terraform, enter the terraform destroy command from the same directory in which you entered the terraform apply command.

terraform destroy

  • Type "yes" to delete the infrastructure deployment.



The terraform destroy command does not delete anything that was manually configured on your AWS account.

  • After entering the command, verify that all the resources are deleted from your AWS account.



You have now completed, Deploy Threat Defense Virtual in a New VPC on AWS.

What’s Next

Check out our Secure Firewall Github page
Or YouTube channel