1-Click CloudFormation Deploy

Deploy the Cloud Spectra Gateway

Pick a tier, configure every stack parameter on this one clean page -- with a live architecture diagram that updates as you go -- then launch straight into the AWS CloudFormation console in the region you choose, settings pre-filled.

Subscribe to the AMI

Subscribe to your Cloud Spectra tier on the AWS Marketplace (one-time, per account).

Configure below

Choose a tier and region, then fill the grouped form. Sensible defaults are pre-set.

Launch to AWS

Click Launch in CloudFormation. You land on the AWS quick-create page, pre-filled.

Create stack

Review on AWS, check the IAM box, click Create stack. Live in ~10 minutes.

Stack configuration

Configure your deployment

Parameters are grouped by function. Green groups are the essentials; purple are optional features (off by default). Hover any ?Help tooltips like this explain each parameter, including its underlying CloudFormation parameter name. for details. You always finish and submit on the AWS console.

Essentialstier, target, network, placement, compute

Tier ?Cloud Spectra product tier. The tier determines which Marketplace AMI is deployed and the pricing multiple. Network = core data plane; Security adds IDS/IPS and threat detection; Enterprise adds transit mesh, Kubernetes and GPU fabric.

Version ?Cloud Spectra AMI release version. The matching AMI ID for your tier, version and region is selected automatically below. Defaults to the latest published version.

Marketplace version used to resolve the AMI. "latest" resolves to the newest image at instance launch.

EC2 on-demand1x

On-demand premium~$83/mo

Annual (-25%)~$62/mo

Cloud Spectra premium per instance (est., c6in.large, US East on-demand) on top of your EC2 cost. See full pricing ->

AWS Region * ?The region the stack is created in. Sets the AWS console host and the stack region. AMIs are region-specific -- pick where your Marketplace subscription and workloads live.

The matching AMI for your tier and version is selected automatically per region.

Stack name * ?A name for the CloudFormation stack. Must start with a letter and contain only letters, numbers and hyphens (max 128 chars).

Becomes part of every resource name. Use a different name per stack in the same account/region.

VPC mode ?Create a brand-new VPC, or wire Cloud Spectra into an existing one. With "Existing", Cloud Spectra adds its own subnets, route tables and ENIs to the VPC you select. newOrExistingVpc

Create new VPC Use existing VPC

ℹ

CloudFormation always requires a VPC reference. In create-new mode you can leave "Existing VPC ID" blank here -- on the AWS console page, just pick any VPC from the dropdown. It is ignored, and a brand-new VPC is created from the CIDR below.

New VPC CIDR block ?CIDR for the new VPC (used only in create-new mode). Example 10.0.0.0/16. network0000cidrBlock

A /16 gives plenty of room for per-AZ subnets. Must not overlap VPCs you intend to peer with.

Client access CIDR * ?CIDR allowed inbound on SSH (port 22) and the dashboard HTTPS port. Use 0.0.0.0/0 to allow all, or restrict to your office/VPN range for tighter security. clientCidrBlock

For production, restrict this to your admin network rather than 0.0.0.0/0.

Transit CIDRs (allow-all) ?Comma-separated CIDRs allowed all-protocol inbound for gateway transit traffic. Default is all RFC-1918 private space. Up to 3 CIDRs; leave trailing slots empty to use fewer. allowAllCidrs

Restrict to specific spoke VPC CIDRs to tighten the transit security group.

Dashboard HTTPS port ?HTTPS port for the Cloud Spectra dashboard. Default 9443 keeps port 443 free for customer port-forwarding (DNAT) rules. dashboardPort

1024-65535. Keep 9443 unless you have a specific reason to change it.

💡

Each enabled AZ gets its own subnet, ENI, route table and Auto Scaling Group -- an independent gateway. Add zones for high availability. Subnet CIDR accepts an explicit block (10.0.0.0/28), a prefix length (24) for auto-selection, or empty for an auto /28.

Availability Zone 1 * ?AZ for slot 1 (required). A bare letter like "a" or a full AZ name like "us-east-1a". availabilityZone1 / subnet1CidrBlock

Left: zone letter. Right: subnet CIDR (optional).

Availability Zone 2 ?AZ for slot 2. Leave empty (--) to disable this zone. availabilityZone2 / subnet2CidrBlock

Availability Zone 3 ?AZ for slot 3. Leave empty (--) to disable this zone. availabilityZone3 / subnet3CidrBlock

Availability Zone 4 ?AZ for slot 4. Leave empty (--) to disable this zone. availabilityZone4 / subnet4CidrBlock

Availability Zone 5 ?AZ for slot 5. Leave empty (--) to disable this zone. availabilityZone5 / subnet5CidrBlock

Availability Zone 6 ?AZ for slot 6. Leave empty (--) to disable this zone. availabilityZone6 / subnet6CidrBlock

AMI ID (override) ?Optional. Leave BLANK (default) to auto-resolve the Marketplace AMI from your selected Tier and Version at instance launch. Set an explicit ami-xxxxxxxx only to override -- handy for testing a custom or shared image. imageAmiId

Blank = auto-resolved from your Marketplace subscription (Tier + Version). Set an ami-xxxx to override.

Instance family ?EC2 instance family. Network-optimized families (c6in, c7gn, c8gn, c8in and similar) give the enhanced-networking throughput the data plane needs. The family sets the AMI architecture automatically (x86_64 or Graviton/arm64).

Instance size ?Size within the chosen family. Larger sizes add vCPU and network bandwidth and drive the price estimate above. You can resize later from the dashboard without redeploying. instance0000type

Start small; resize later from the dashboard.

Min / Desired / Max per AZ ?Auto Scaling Group sizing per AZ. The stack supports 0 or 1 instance per AZ at deploy time; multi-instance-per-AZ is configured afterward from the Cloud Spectra dashboard or API. MinSize / DesiredCapacity / MaxSize

Min / Desired / Max (each 0-1). For multiple instances per AZ, scale from the dashboard after deploy.

Warm pool ?Pre-initialized standby instances per ASG for fast scale-out (~25s vs ~90s cold launch). Disabled by default. When enabled, choose how many standby instances and whether they are Stopped (cheapest) or Running (fastest). warmPoolDisabled / warmPoolMinSize / warmPoolState

Disabled / Enabled · min standby (0-10) · Stopped or Running.

Features (optional)off by default -- expand to enable

Enable multi-cloud ?Enable WireGuard tunnels for GCP/Azure/on-prem spokes. Opens the WireGuard UDP port range in the gateway security group. multiCloudEnabled

Tunnels per peering ?Parallel WireGuard interfaces (wg0..wgN-1) per spoke, each on a distinct UDP port for ECMP across CPU cores. 1 = canonical single tunnel. Range 1-64. multiCloudTunnelsPerPeering

WireGuard base port ?Base UDP port for WireGuard tunnels. Tunnel i listens on basePort+i. Range 1024-65000. multiCloudWireguardBasePort

WireGuard last port ?Last UDP port (inclusive) of the WireGuard range opened in the security group. Must be >= base port and >= base + tunnels - 1. multiCloudWireguardLastPort

💡

When a port-forwarding rule is submitted with externalPort=0, the gateway auto-allocates a free port from this range and opens it in the security group -- ideal for WireGuard tunnels dialed in from on-prem sites behind NAT.

Dial-in base port ?Base UDP port (inclusive) of the dial-in DNAT range the gateway auto-allocates from. Range 1024-65535. portForwardingDialInBasePort

Dial-in last port ?Last UDP port (inclusive) of the dial-in DNAT range. Must be >= the base port. portForwardingDialInLastPort

Dial-in source CIDRs ?Comma-separated source CIDRs allowed to reach the dial-in range -- set to your on-prem sites' public IPs (e.g. 203.0.113.10/32). Up to 3; empty keeps the range closed. Use 0.0.0.0/0 only to expose the authenticated port to the internet. portForwardingDialInSourceCidrs

Leave empty to keep the dial-in range closed until you add sources later.

Enable GWLB ?Enable AWS Gateway Load Balancer for transparent traffic steering across all ASG instances via GENEVE. Creates the GWLB, target group, endpoint service, per-AZ endpoints, and swings route-table defaults to the endpoints. enableGwlb

Create VPC endpoints ?Create per-AZ VPC endpoints and swing route tables to them. Requires GWLB enabled. Set false to create the GWLB and endpoint service without route-swinging (manual endpoint creation). enableGwlbVpcEndpoints

Firewall policies ?Comma-separated AWS Network Firewall policy names to sync Suricata IDS/IPS rules from. Only FirewallPolicy and RuleGroup resources are needed -- no firewall endpoints ($0/month). Empty disables sync at deploy (enable later via dashboard/Terraform). firewallPolicies

Leave empty to skip firewall sync at deploy time.

Enable Kubernetes ?Run a Kubernetes control plane on the gateway. The ASG leader runs kubeadm init with Calico CNI and the Headlamp dashboard; other instances auto-join as workers. kubernetesEnabled

Master runs workloads ?Remove the control-plane taint so the master also runs workloads. Useful for single-node clusters and quick testing. kubernetesMasterCompute

Workers auto-join ?Auto-join non-master ASG instances as worker nodes. Only takes effect when Kubernetes is enabled. kubernetesWorkerCompute

Pod CIDR ?Pod network CIDR for the Calico CNI. kubernetesPodCidr

Service CIDR ?Kubernetes Service CIDR. kubernetesServiceCidr

Ingress HTTP / HTTPS ports ?Ports for the K8s ingress controller HTTP and HTTPS traffic. kubernetesIngressHttpPort / kubernetesIngressHttpsPort

Left: HTTP. Right: HTTPS.

Operations & Advancedupgrades, admin, developer, marketplace

Auto-upgrade version ?Target version for auto-upgrade on boot. Empty = disabled, "latest" = always newest, or pin a version like v1.2.3. Operators can override later via SSM without redeploying. (Separate from the AMI version above.) cloudspectraSoftware0000version

Leave empty to pin to the AMI's built-in version.

Software download URL ?HTTPS base URL of the public Cloud Spectra software releases bucket, used for auto-upgrade downloads and cross-account quickcreate links. Override only if self-hosting release artifacts. cloudspectraSoftware0000downloadUrl

Keep the default unless you self-host the release bucket.

Resource name prefix ?Short lowercase prefix applied to all resource names and tags. Change only when deploying multiple stacks in one account/region. 1-32 chars, [a-z0-9-]. cloudspectraSoftware0000resourceNamePrefix

Lambda handler log level ?Log level for the Lambda CloudFormation handler. DEBUG is verbose for troubleshooting; INFO is the production default. cloudspectraLogLevel

🔑

For your security, the admin password is never placed in a launch URL. Leave it blank to auto-generate a strong initial password (retrievable via SSH), or set one in the masked adminPassword field on the AWS console page. Plaintext rules: 8-128 chars with upper, lower, digit and special; or paste a bcrypt hash.

Skip signature check ?Per-build secret that bypasses RSA template-integrity verification (dev/test only). Leave empty for production so the Lambda verifies the template signature on every Create/Update. cloudspectraSkipSignatureCheck

Production deployments must leave this empty.

Update main route table ?When true, adds a 0.0.0.0/0 default route to the VPC main route table pointing at the gateway ENI in AZ 1. Enable only after confirming all VPC workloads should transit the gateway by default. UpdateMainRoutingTable

Launch test instance ?When true, launches a single Ubuntu t3.micro test instance in the AZ 1 user subnet (0.0.0.0/0 routed via the gateway) for quick packet-path demos. Set false when not in use to avoid cost. EnableTestAsg

📦

These default to Cloud Spectra's public releases bucket. AWS Marketplace sets them automatically at publish time. Change only if self-hosting the Lambda artifacts.

Lambda bucket name ?Base S3 bucket holding the Lambda code ZIPs. Self-hosted: the stack region is appended to form <name>-<region>, the same-region bucket Lambda requires. MPS3BucketName

Lambda bucket region ?Region of the Lambda ZIP bucket. Empty defaults to the stack region. Marketplace replaces this at publish time. MPS3BucketRegion

Lambda key prefix ?S3 key prefix for the Lambda code ZIPs (e.g. 1.0.0/). Marketplace replaces this at publish time. MPS3KeyPrefix

Ready to launch

Opens the AWS CloudFormation quick-create page with your settings pre-filled. You review and click Create stack on AWS.

Show the generated launch URL

Template: latest/cloudspectra_gateway_asg.yaml. You must be signed in to the AWS console for the chosen region. The final Create-stack step (including the IAM capabilities acknowledgement) always happens on AWS -- this page never touches your account.