This manual provides detailed step-by-step instructions for deploying a VyOS instance and required resources (VPC, ENIs, Subnets, Security Groups) on AWS.
You can use Amazon EC2 to create your key pairs, or you can use a third-party tool to create your key pairs and then import them to Amazon EC2.
Amazon EC2 supports:
- 2048-bit SSH-2 RSA keys for Linux and Windows instances.
- ED25519 keys for Linux instances (not supported for Windows).
When you create a key pair using Amazon EC2:
- The public key is stored in Amazon EC2.
- You store the private key securely on your local machine.
In the navigation pane, under Network & Security, choose Key Pairs.
Choose Create key pair, and select the AWS region in which you plan to deploy the VyOS instance at the top right corner of the window.
Configure Key Pair:
Name: Enter a descriptive name for the key pair, e.g., vyos-keypair.
Note
The key name can include up to 255 ASCII characters. It cannot include leading or trailing spaces.
Select Key Pair Type:
- For Linux instances: Choose either RSA or ED25519.
- For Windows instances: Choose RSA.
Note
ED25519 keys are not supported for Windows instances.
Private Key File Format:
- PEM: Choose this format if using OpenSSH or other SSH clients (e.g., on Linux/macOS).
- PPK: Choose this format if using PuTTY on Windows.
Optional: Add tags to the key pair. Choose Add tag and provide the key and value for each tag.
Choose Create key pair.
The private key file will automatically download to your browser.
The file name will match the name you provided (e.g., vyos-keypair.pem), with the extension determined by the format you chose.
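The same key pair can be created from the AWS CLI instead of the console. The script below is an added example, not part of the VyOS documentation: it enforces the key-name rules stated above (at most 255 ASCII characters, no leading or trailing spaces), writes the private key so that only its owner can read it, and prints the fingerprint EC2 recorded so it can be compared in the console later. It assumes AWS CLI v2 with a configured default region; vyos-keypair is the page's example name, and ED25519 is the default key type chosen here.

```shell
#!/bin/sh
# Added example (not from the VyOS documentation): create an EC2 key pair with
# the AWS CLI, validating the name and the private key file permissions.
# Assumes AWS CLI v2 with a configured default region.

# Key names: at most 255 ASCII characters, no leading or trailing spaces.
validate_key_name() {
  name=$1
  [ -n "$name" ] || { echo "key name is empty" >&2; return 1; }
  if printf '%s' "$name" | LC_ALL=C grep -q '[^[:print:]]'; then
    echo "key name must be printable ASCII" >&2; return 1
  fi
  [ "$(printf '%s' "$name" | LC_ALL=C wc -c | tr -d ' ')" -le 255 ] \
    || { echo "key name is longer than 255 characters" >&2; return 1; }
  case "$name" in
    ' '*|*' ') echo "key name has leading or trailing spaces" >&2; return 1 ;;
  esac
}

# Numeric permission mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# A private key readable by other users is a leaked credential; OpenSSH also
# refuses to use such a key. Only owner-only modes are accepted.
check_key_perms() {
  case "$(file_mode "$1")" in
    400|600) return 0 ;;
    *) echo "$1: permissions are too open, run: chmod 400 $1" >&2; return 1 ;;
  esac
}

# Create the pair in EC2. EC2 stores the public key; the private key material is
# returned exactly once, so it is written straight to a file created with umask 077.
create_key_pair() {
  name=$1; type=${2:-ed25519}; out="$name.pem"
  validate_key_name "$name" || return 1
  [ ! -e "$out" ] || { echo "$out already exists, refusing to overwrite" >&2; return 1; }
  ( umask 077
    aws ec2 create-key-pair --key-name "$name" --key-type "$type" --key-format pem \
        --query 'KeyMaterial' --output text > "$out" ) || { rm -f "$out"; return 1; }
  chmod 400 "$out"
  check_key_perms "$out"
  # Fingerprint as recorded by EC2, for comparison with the console.
  aws ec2 describe-key-pairs --key-names "$name" \
      --query 'KeyPairs[0].KeyFingerprint' --output text
}

case "${1:-}" in
  create) create_key_pair "$2" "${3:-ed25519}" ;;   # e.g. ./keypair.sh create vyos-keypair ed25519
  check)  check_key_perms "$2" ;;                   # e.g. ./keypair.sh check vyos-keypair.pem
  *) : ;;                                           # no arguments: only define the functions
esac
```

Run it as `./keypair.sh create vyos-keypair` (or `... rsa` for a Windows-compatible RSA key); `./keypair.sh check vyos-keypair.pem` verifies an already downloaded key before you use it.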
Certain resources need to be created in the AWS infrastructure before creating a VyOS instance, such as a VPC, Subnets, Elastic IPs, Route Tables, Security Groups, and others.
Step 1: Create Virtual Private Cloud (VPC) and Subnets
Elastic Network Interfaces (ENIs) connect instances to subnets and carry their network traffic. Follow the steps below to create Public and Private ENIs.
An Internet Gateway allows communication between your VPC and the internet. Follow the steps below to create and attach an Internet Gateway to your VPC.
Route tables define the paths for network traffic within your VPC. In this step, we will configure Public and Private route tables to control traffic flow for their respective subnets.
An Elastic IP (EIP) is a static, public IPv4 address designed for dynamic cloud computing. Elastic IP addresses can help maintain consistent connectivity to instances, even if they are stopped, rebooted, or replaced.
Elastic IP addresses are public IPv4 addresses and are reachable from the internet.
They can be quickly remapped to different instances or network interfaces within your AWS account to mask failures.
For more details, refer to the official AWS documentation:
You can only connect to the VyOS instance via the SSH protocol. Use the default username vyos, the Elastic IP and the SSH key pair to connect to the VyOS instance via SSH:
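The resources listed in the preceding steps can also be created with the AWS CLI. The script below is an added example, not part of the VyOS documentation: it builds the VPC, the public and private subnets, the Internet Gateway, a public route table with a default route through the gateway and a private one without it, a security group that admits SSH only from a management range, the two ENIs and an Elastic IP on the public one, and finally opens the SSH session with the default vyos user. All CIDRs, resource names, the ADMIN_CIDR management range and the key file name are constructed placeholders; the source/destination check is disabled on both ENIs because AWS drops forwarded traffic on interfaces that still have it enabled, which a router needs.

```shell
#!/bin/sh
# Added example (not from the VyOS documentation): create the AWS resources a
# VyOS router instance needs, with SSH restricted to a management range.
# All CIDRs, names and the admin range are constructed placeholders.
VPC_CIDR=10.0.0.0/16
PUBLIC_CIDR=10.0.0.0/24
PRIVATE_CIDR=10.0.1.0/24
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # your management network, never 0.0.0.0/0
KEY_FILE=${KEY_FILE:-vyos-keypair.pem}

aws_q() { aws ec2 "$@" --output text; }   # CLI call returning a single text value

# The VyOS instance is an edge router: refuse a security-group rule that would
# expose its SSH port to the whole Internet, and reject malformed IPv4 CIDRs.
ensure_restricted_cidr() {
  case "$1" in
    */0) echo "refusing: $1 would allow SSH from everywhere" >&2; return 1 ;;
    [0-9]*.*.*.*/[1-9]|[0-9]*.*.*.*/[1-3][0-9]) return 0 ;;
    *) echo "not an IPv4 CIDR: $1" >&2; return 1 ;;
  esac
}

deploy() {
  ensure_restricted_cidr "$ADMIN_CIDR" || return 1
  vpc=$(aws_q create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  pub=$(aws_q create-subnet --vpc-id "$vpc" --cidr-block "$PUBLIC_CIDR" --query Subnet.SubnetId)
  prv=$(aws_q create-subnet --vpc-id "$vpc" --cidr-block "$PRIVATE_CIDR" --query Subnet.SubnetId)

  # Internet Gateway attached to the VPC; only the public route table points at it,
  # so hosts in the private subnet have no direct path to the Internet.
  igw=$(aws_q create-internet-gateway --query InternetGateway.InternetGatewayId)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  pub_rt=$(aws_q create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  prv_rt=$(aws_q create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  aws ec2 create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 \
      --gateway-id "$igw" >/dev/null
  aws ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub" >/dev/null
  aws ec2 associate-route-table --route-table-id "$prv_rt" --subnet-id "$prv" >/dev/null

  # Security group: SSH (tcp/22) only from the management range.
  sg=$(aws_q create-security-group --vpc-id "$vpc" --group-name vyos-mgmt \
         --description "VyOS management" --query GroupId)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 22 \
      --cidr "$ADMIN_CIDR" >/dev/null

  # Public and private ENIs. A router forwards packets it did not originate, so the
  # source/destination check must be off on both interfaces.
  pub_eni=$(aws_q create-network-interface --subnet-id "$pub" --groups "$sg" \
              --query NetworkInterface.NetworkInterfaceId)
  prv_eni=$(aws_q create-network-interface --subnet-id "$prv" --groups "$sg" \
              --query NetworkInterface.NetworkInterfaceId)
  for eni in "$pub_eni" "$prv_eni"; do
    aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
  done

  # Elastic IP bound to the public ENI; it survives stop/start of the instance.
  alloc=$(aws_q allocate-address --domain vpc --query AllocationId)
  aws ec2 associate-address --allocation-id "$alloc" --network-interface-id "$pub_eni" >/dev/null
  eip=$(aws_q describe-addresses --allocation-ids "$alloc" --query 'Addresses[0].PublicIp')
  echo "VPC=$vpc PUBLIC_ENI=$pub_eni PRIVATE_ENI=$prv_eni EIP=$eip"
}

# SSH with the default user, the key pair created earlier and the Elastic IP ($1).
connect() { ssh -i "$KEY_FILE" -o IdentitiesOnly=yes vyos@"$1"; }

case "${1:-}" in
  deploy)  deploy ;;            # e.g. ADMIN_CIDR=198.51.100.0/24 ./vyos-aws.sh deploy
  connect) connect "$2" ;;      # e.g. ./vyos-aws.sh connect <elastic-ip>
  *) : ;;                       # no arguments: only define the functions
esac
```

The printed ENI identifiers are what you attach when launching the VyOS instance; `connect` then uses the Elastic IP. `ensure_restricted_cidr` is deliberately the first thing `deploy` does, so a mistaken 0.0.0.0/0 management range aborts before any resource exists.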
To use the Amazon CloudWatch Agent, its configuration must be stored in the Amazon SSM Parameter Store. If you don't have a configuration yet, follow the section on creating the CloudWatch configuration in the SSM Parameter Store below.
Create an IAM role for the EC2 instance to access CloudWatch service, and name it CloudWatchAgentServerRole. The role should contain two default policies: CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore.
Attach the created role to your VyOS EC2 instance.
Ensure that the amazon-cloudwatch-agent package is installed:
$ sudo apt list --installed | grep amazon-cloudwatch-agent
Note
The amazon-cloudwatch-agent package is normally included in VyOS 1.3.3+ and 1.4+.
Retrieve an existing CloudWatch Agent configuration from the SSM Parameter Store.
$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:<your-configuration-name>
This step also enables the agent's systemd service and starts it.
Note
The VyOS platform-specific scripts feature is still under development, so this step must be repeated manually after changing the system image (see Update VyOS).
Creating the Amazon CloudWatch Agent Configuration in the Amazon SSM Parameter Store
Create an IAM role for your EC2 instance to access the CloudWatch service, and name it CloudWatchAgentAdminRole. The role should contain two default policies: CloudWatchAgentAdminPolicy and AmazonSSMManagedInstanceCore.
Note
CloudWatchAgentAdminRole is more permissive than an instance needs for day-to-day operation and should be used only for the one-off creation and deployment of the configuration. That is why, after completing step #3, it is highly recommended to replace the instance's CloudWatchAgentAdminRole with CloudWatchAgentServerRole.
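The two roles described in this section, the attachment to the instance, the configuration fetch and the recommended swap back to the narrower role can all be done from the AWS CLI. The script below is an added example, not part of the VyOS documentation: it creates both roles with the AWS managed policies named above under an EC2 trust policy, wraps each in an instance profile, associates a profile with the instance, and replaces the admin profile with the server profile once the configuration has been stored. It assumes AWS CLI v2 with IAM permissions; the instance ID and the SSM parameter name passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the VyOS documentation): IAM roles for the CloudWatch
# Agent on a VyOS EC2 instance, and the admin -> server role swap recommended
# above. Instance IDs and SSM parameter names are supplied by the caller.
SERVER_ROLE=CloudWatchAgentServerRole
ADMIN_ROLE=CloudWatchAgentAdminRole

# Trust policy: only EC2 instances may assume these roles.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# AWS managed policy ARNs for each role, exactly the two policies listed on the page.
role_policies() {
  case "$1" in
    "$SERVER_ROLE") echo arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy ;;
    "$ADMIN_ROLE")  echo arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
  echo arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
}

# Create a role, attach its policies and wrap it in an instance profile of the same name.
create_role() {
  role=$1
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(trust_policy)" >/dev/null
  for arn in $(role_policies "$role"); do
    aws iam attach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  aws iam create-instance-profile --instance-profile-name "$role" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
}

# Attach a profile to the VyOS instance ($1 instance id, $2 role/profile name).
attach_role() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" --iam-instance-profile "Name=$2"
}

# Replace whatever profile is currently associated with a different one; used to
# drop from CloudWatchAgentAdminRole to CloudWatchAgentServerRole after step #3.
swap_role() {
  assoc=$(aws ec2 describe-iam-instance-profile-associations \
            --filters "Name=instance-id,Values=$1" "Name=state,Values=associated" \
            --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
  aws ec2 replace-iam-instance-profile-association --association-id "$assoc" \
      --iam-instance-profile "Name=$2"
}

# Run on the VyOS instance itself: pull the configuration named in SSM ($1) and
# enable/start the agent service, the same command the page gives above.
fetch_config() {
  sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
      -a fetch-config -m ec2 -s -c "ssm:$1"
}

case "${1:-}" in
  create-roles) create_role "$SERVER_ROLE"; create_role "$ADMIN_ROLE" ;;
  attach) attach_role "$2" "$3" ;;        # attach <instance-id> CloudWatchAgentAdminRole
  swap)   swap_role "$2" "$3" ;;          # swap <instance-id> CloudWatchAgentServerRole
  fetch)  fetch_config "$2" ;;            # fetch <your-configuration-name>  (on the instance)
  *) : ;;                                 # no arguments: only define the functions
esac
```

A typical sequence is `create-roles`, `attach <instance-id> CloudWatchAgentAdminRole`, creating and storing the configuration, `fetch <name>` on the instance, and then `swap <instance-id> CloudWatchAgentServerRole` so the instance keeps only the permissions it needs to ship metrics and logs.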