Deploy the Deep Security AMI Quick Start

Instead of manually deploying Deep Security software, we recommend that you use the Quick Start Deep Security on AWS. This method uses AWS CloudFormation templates for quick deployment in about 1 hour. This Quick Start automatically deploys two Deep Security Manager nodes on AWS, using AWS services and best practices. Quick Start is our preferred method of deployment, but you can also use our manual instructions to deploy the AMI yourself if you only require a single-node Deep Security Manager. And if you're upgrading an existing Deep Security AMI, see Upgrade Deep Security Manager AMI instead.

The default configuration protects instances in the Amazon Virtual Private Cloud (VPC) where your Deep Security Manager is deployed. After deployment, you can change this to protect instances across your entire AWS infrastructure.

The Deep Security AMI has two billing models:

• Pay as you Go (also called 'Per Protected Instance Hour')
• Seat-based (also called 'Bring your own License (BYOL)')

The template includes an option for deploying in the AWS GovCloud (US) region.

Detailed step-by-step instructions for deploying the Quick Start are available in the AWS Quick Start deployment guide. Basic steps include:

1. If you're not familiar with AWS services, read the AWS Deep Security Overview.
2. Set up or identify an Amazon VPC that has two private subnets in different Availability Zones (AZ) and one public subnet with an Internet gateway.
3. Subscribe to Deep Security using one of the licensing models.

4. Launch the Quick Start template for the licensing model you selected: Per Protected Instance Hour Quick Start or BYOL Quick Start.

   When it finishes, a Deep Security management cluster has been deployed into the VPC that you have set up. This cluster includes:

   • Deep Security public elastic load balancers (ELBs)
   • 2 Deep Security Manager instances
   • a highly available multi-AZ RDS instance for the Deep Security database and its mirror

   If you'd like more than just the two Deep Security Managers offered by the Quick Start, you'll have to launch a new AMI. See Deploy the Deep Security AMI manually.

5. Log in to the Manager console using the URL provided on the Outputs tab of the AWS CloudFormation stack.

   To connect via SSH to the Amazon Linux server where Deep Security Manager is running, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.

   The user name for the Deep Security Manager instance is "trend", not "root" or "ec2-user".

Next steps

After installing the manager, you are ready to deploy a Deep Security Relay and Deep Security Agents.