1-Click CloudFormation Deploy

Deploy the Cloud Spectra Gateway

Pick a tier, configure every stack parameter on this one clean page -- with a live architecture diagram that updates as you go -- then launch straight into the AWS CloudFormation console in the region you choose, settings pre-filled.

1. Subscribe to the AMI
   Subscribe to your Cloud Spectra tier on the AWS Marketplace (one-time, per account).

2. Configure below
   Choose a tier and region, then fill the grouped form. Sensible defaults are pre-set.

3. Launch to AWS
   Click Launch in CloudFormation. You land on the AWS quick-create page, pre-filled.

4. Create stack
   Review on AWS, check the IAM box, click Create stack. Live in ~10 minutes.

Configure your deployment

Parameters are grouped by function. Green groups are the essentials; purple are optional features (off by default). Hover any ? for details: the help tooltips explain each parameter, including its underlying CloudFormation parameter name. You always finish and submit on the AWS console.

Essentials: tier, target, network, placement, compute

Product Tier & Version (Required)
Selects the Marketplace AMI and your pricing

Tier: Cloud Spectra product tier. The tier determines which Marketplace AMI is deployed and the pricing multiple. Network = core data plane; Security adds IDS/IPS and threat detection; Enterprise adds transit mesh, Kubernetes and GPU fabric.
Version: Cloud Spectra AMI release version. The matching AMI ID for your tier, version and region is selected automatically below. Defaults to the latest published version.
  Marketplace version used to resolve the AMI. "latest" resolves to the newest image at instance launch.

Price estimate:
  EC2 on-demand: 1x
  On-demand premium: ~$83/mo
  Annual (-25%): ~$62/mo
Cloud Spectra premium per instance (est., c6in.large, US East on-demand) on top of your EC2 cost. See full pricing.
Region & Stack (Required)
Where to deploy and what to name the stack

AWS Region (required): The region the stack is created in. Sets the AWS console host and the stack region. AMIs are region-specific -- pick where your Marketplace subscription and workloads live.
  The matching AMI for your tier and version is selected automatically per region.
Stack name (required): A name for the CloudFormation stack. Must start with a letter and contain only letters, numbers and hyphens (max 128 chars).
  Becomes part of every resource name. Use a different name per stack in the same account/region.
Network (Required)
VPC, access CIDRs and the dashboard port

VPC mode: Create a brand-new VPC, or wire Cloud Spectra into an existing one. With "Existing", Cloud Spectra adds its own subnets, route tables and ENIs to the VPC you select. (CloudFormation parameter: newOrExistingVpc)
  Note: CloudFormation always requires a VPC reference. In create-new mode you can leave "Existing VPC ID" blank here -- on the AWS console page, just pick any VPC from the dropdown. It is ignored, and a brand-new VPC is created from the CIDR below.
New VPC CIDR block: CIDR for the new VPC (used only in create-new mode). Example 10.0.0.0/16. (CloudFormation parameter: network0000cidrBlock)
  A /16 gives plenty of room for per-AZ subnets. Must not overlap VPCs you intend to peer with.
Client access CIDR (required): CIDR allowed inbound on SSH (port 22) and the dashboard HTTPS port. Use 0.0.0.0/0 to allow all, or restrict to your office/VPN range for tighter security. (CloudFormation parameter: clientCidrBlock)
  For production, restrict this to your admin network rather than 0.0.0.0/0.
Transit CIDRs (allow-all): Comma-separated CIDRs allowed all-protocol inbound for gateway transit traffic. Default is all RFC-1918 private space. Up to 3 CIDRs; leave trailing slots empty to use fewer. (CloudFormation parameter: allowAllCidrs)
  Restrict to specific spoke VPC CIDRs to tighten the transit security group.
Dashboard HTTPS port: HTTPS port for the Cloud Spectra dashboard. Default 9443 keeps port 443 free for customer port-forwarding (DNAT) rules. (CloudFormation parameter: dashboardPort)
  1024-65535. Keep 9443 unless you have a specific reason to change it.
Placement -- Availability Zones (Required)
AZ 1 required; AZ 2-6 optional -- leave an AZ empty to disable it

Note: Each enabled AZ gets its own subnet, ENI, route table and Auto Scaling Group -- an independent gateway. Add zones for high availability. Subnet CIDR accepts an explicit block (10.0.0.0/28), a prefix length (24) for auto-selection, or empty for an auto /28.

Availability Zone 1 (required): AZ for slot 1. A bare letter like "a" or a full AZ name like "us-east-1a". (CloudFormation parameters: availabilityZone1 / subnet1CidrBlock)
  Left: zone letter. Right: subnet CIDR (optional).
Availability Zone 2: AZ for slot 2. Leave empty (--) to disable this zone. (CloudFormation parameters: availabilityZone2 / subnet2CidrBlock)
Availability Zone 3: AZ for slot 3. Leave empty (--) to disable this zone. (CloudFormation parameters: availabilityZone3 / subnet3CidrBlock)
Availability Zone 4: AZ for slot 4. Leave empty (--) to disable this zone. (CloudFormation parameters: availabilityZone4 / subnet4CidrBlock)
Availability Zone 5: AZ for slot 5. Leave empty (--) to disable this zone. (CloudFormation parameters: availabilityZone5 / subnet5CidrBlock)
Availability Zone 6: AZ for slot 6. Leave empty (--) to disable this zone. (CloudFormation parameters: availabilityZone6 / subnet6CidrBlock)
Compute (Required)
AMI (auto-selected), instance type, ASG sizing and warm pool

AMI ID (override): Optional. Leave BLANK (default) to auto-resolve the Marketplace AMI from your selected Tier and Version at instance launch. Set an explicit ami-xxxxxxxx only to override -- handy for testing a custom or shared image. (CloudFormation parameter: imageAmiId)
  Blank = auto-resolved from your Marketplace subscription (Tier + Version). Set an ami-xxxx to override.
Instance family: EC2 instance family. Network-optimized families (c6in, c7gn, c8gn, c8in and similar) give the enhanced-networking throughput the data plane needs. The family sets the AMI architecture automatically (x86_64 or Graviton/arm64).
Instance size: Size within the chosen family. Larger sizes add vCPU and network bandwidth and drive the price estimate above. You can resize later from the dashboard without redeploying. (CloudFormation parameter: instance0000type)
  Start small; resize later from the dashboard.
Min / Desired / Max per AZ: Auto Scaling Group sizing per AZ. The stack supports 0 or 1 instance per AZ at deploy time; multi-instance-per-AZ is configured afterward from the Cloud Spectra dashboard or API. (CloudFormation parameters: MinSize / DesiredCapacity / MaxSize)
  Min / Desired / Max (each 0-1). For multiple instances per AZ, scale from the dashboard after deploy.
Warm pool: Pre-initialized standby instances per ASG for fast scale-out (~25s vs ~90s cold launch). Disabled by default. When enabled, choose how many standby instances and whether they are Stopped (cheapest) or Running (fastest). (CloudFormation parameters: warmPoolDisabled / warmPoolMinSize / warmPoolState)
  Disabled / Enabled · min standby (0-10) · Stopped or Running.
Features (optional): off by default -- expand to enable

Multi-Cloud Tunnels (WireGuard) (Feature)
Encrypted spoke connectivity to GCP / Azure / on-prem

Enable multi-cloud: Enable WireGuard tunnels for GCP/Azure/on-prem spokes. Opens the WireGuard UDP port range in the gateway security group. (CloudFormation parameter: multiCloudEnabled)
Tunnels per peering: Parallel WireGuard interfaces (wg0..wgN-1) per spoke, each on a distinct UDP port for ECMP across CPU cores. 1 = canonical single tunnel. Range 1-64. (CloudFormation parameter: multiCloudTunnelsPerPeering)
WireGuard base port: Base UDP port for WireGuard tunnels. Tunnel i listens on basePort+i. Range 1024-65000. (CloudFormation parameter: multiCloudWireguardBasePort)
WireGuard last port: Last UDP port (inclusive) of the WireGuard range opened in the security group. Must be >= base port and >= base + tunnels - 1. (CloudFormation parameter: multiCloudWireguardLastPort)
Port Forwarding (Dial-in DNAT) (Feature)
Auto-allocated inbound ports for on-prem dial-in tunnels

Note: When a port-forwarding rule is submitted with externalPort=0, the gateway auto-allocates a free port from this range and opens it in the security group -- ideal for WireGuard tunnels dialed in from on-prem sites behind NAT.

Dial-in base port: Base UDP port (inclusive) of the dial-in DNAT range the gateway auto-allocates from. Range 1024-65535. (CloudFormation parameter: portForwardingDialInBasePort)
Dial-in last port: Last UDP port (inclusive) of the dial-in DNAT range. Must be >= the base port. (CloudFormation parameter: portForwardingDialInLastPort)
Dial-in source CIDRs: Comma-separated source CIDRs allowed to reach the dial-in range -- set to your on-prem sites' public IPs (e.g. 203.0.113.10/32). Up to 3; empty keeps the range closed. Use 0.0.0.0/0 only to expose the authenticated port to the internet. (CloudFormation parameter: portForwardingDialInSourceCidrs)
  Leave empty to keep the dial-in range closed until you add sources later.
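A pre-flight check for the constraints stated in the Network, Compute, Multi-Cloud Tunnels and Port Forwarding groups above, added here as an example; it is not code from this page or from Cloud Spectra. It assumes the parameter dict is keyed by the CloudFormation parameter names shown in the tooltips, and the sample values (including the WireGuard and dial-in port numbers) are constructed, not defaults from the template.

```python
import ipaddress
import re

STACK_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,127}$")

def check_params(p):
    """Return (errors, warnings) for a parameter dict keyed by the form's CloudFormation
    names. Errors block launch; warnings flag exposure worth a look before Create stack."""
    errors, warnings = [], []
    if not STACK_NAME_RE.match(p.get("stackName", "")):
        errors.append("stackName: letter first, then [A-Za-z0-9-], max 128 chars")
    try:  # 0.0.0.0/0 is accepted by the template but exposes SSH and the dashboard
        if ipaddress.ip_network(p["clientCidrBlock"]).prefixlen == 0:
            warnings.append("clientCidrBlock: 0.0.0.0/0 opens SSH and the dashboard to everyone")
    except (KeyError, ValueError):
        errors.append("clientCidrBlock: must be a valid CIDR")
    if not 1024 <= p.get("dashboardPort", 9443) <= 65535:
        errors.append("dashboardPort: must be 1024-65535")
    for k in ("MinSize", "DesiredCapacity", "MaxSize"):  # 0 or 1 per AZ at deploy time
        if p.get(k, 1) not in (0, 1):
            errors.append(f"{k}: must be 0 or 1 at deploy time")
    if p.get("multiCloudEnabled"):
        n = p.get("multiCloudTunnelsPerPeering", 1)
        base = p.get("multiCloudWireguardBasePort", 0)
        last = p.get("multiCloudWireguardLastPort", 0)
        if not 1 <= n <= 64:
            errors.append("multiCloudTunnelsPerPeering: range 1-64")
        if not 1024 <= base <= 65000:
            errors.append("multiCloudWireguardBasePort: range 1024-65000")
        if last < max(base, base + n - 1):  # tunnel i listens on base+i, so the SG range must reach base+n-1
            errors.append(f"multiCloudWireguardLastPort: must be >= {max(base, base + n - 1)}")
    di_base = p.get("portForwardingDialInBasePort")
    di_last = p.get("portForwardingDialInLastPort")
    if di_base is not None and di_last is not None:
        if not 1024 <= di_base <= 65535 or di_last < di_base:
            errors.append("portForwardingDialIn ports: base 1024-65535 and last >= base")
        srcs = [c.strip() for c in p.get("portForwardingDialInSourceCidrs", "").split(",") if c.strip()]
        if not srcs:
            warnings.append("portForwardingDialInSourceCidrs: empty, so the dial-in range stays closed")
        elif any(ipaddress.ip_network(c).prefixlen == 0 for c in srcs):
            warnings.append("portForwardingDialInSourceCidrs: 0.0.0.0/0 exposes the dial-in range to the internet")
    return errors, warnings

# Constructed sample: form-style values plus a WireGuard range that is one port too short.
SAMPLE = {"stackName": "cloudspectra-gw", "clientCidrBlock": "0.0.0.0/0", "dashboardPort": 9443,
          "MinSize": 1, "DesiredCapacity": 1, "MaxSize": 1, "multiCloudEnabled": True,
          "multiCloudTunnelsPerPeering": 4, "multiCloudWireguardBasePort": 51820,
          "multiCloudWireguardLastPort": 51822, "portForwardingDialInBasePort": 40000,
          "portForwardingDialInLastPort": 40099, "portForwardingDialInSourceCidrs": "203.0.113.10/32"}
```

Running `check_params(SAMPLE)` reports one error (the WireGuard last port must be at least 51823 for four tunnels) and one warning (the open client CIDR).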
Gateway Load Balancer (Feature)
Transparent GENEVE traffic steering across instances

Enable GWLB: Enable AWS Gateway Load Balancer for transparent traffic steering across all ASG instances via GENEVE. Creates the GWLB, target group, endpoint service, per-AZ endpoints, and swings route-table defaults to the endpoints. (CloudFormation parameter: enableGwlb)
Create VPC endpoints: Create per-AZ VPC endpoints and swing route tables to them. Requires GWLB enabled. Set false to create the GWLB and endpoint service without route-swinging (manual endpoint creation). (CloudFormation parameter: enableGwlbVpcEndpoints)
Network Firewall (IDS/IPS) (Feature)
Sync Suricata rules from AWS Network Firewall policies

Firewall policies: Comma-separated AWS Network Firewall policy names to sync Suricata IDS/IPS rules from. Only FirewallPolicy and RuleGroup resources are needed -- no firewall endpoints ($0/month). Empty disables sync at deploy (enable later via dashboard/Terraform). (CloudFormation parameter: firewallPolicies)
  Leave empty to skip firewall sync at deploy time.
Kubernetes (Feature)
Run a K8s control plane on the gateway (Enterprise)

Enable Kubernetes: Run a Kubernetes control plane on the gateway. The ASG leader runs kubeadm init with Calico CNI and the Headlamp dashboard; other instances auto-join as workers. (CloudFormation parameter: kubernetesEnabled)
Master runs workloads: Remove the control-plane taint so the master also runs workloads. Useful for single-node clusters and quick testing. (CloudFormation parameter: kubernetesMasterCompute)
Workers auto-join: Auto-join non-master ASG instances as worker nodes. Only takes effect when Kubernetes is enabled. (CloudFormation parameter: kubernetesWorkerCompute)
Pod CIDR: Pod network CIDR for the Calico CNI. (CloudFormation parameter: kubernetesPodCidr)
Service CIDR: Kubernetes Service CIDR. (CloudFormation parameter: kubernetesServiceCidr)
Ingress HTTP / HTTPS ports: Ports for the K8s ingress controller HTTP and HTTPS traffic. (CloudFormation parameters: kubernetesIngressHttpPort / kubernetesIngressHttpsPort)
  Left: HTTP. Right: HTTPS.
Operations & Advanced: upgrades, admin, developer, marketplace

Software & Upgrades (Optional)
Auto-upgrade target, release source, naming, log level

Auto-upgrade version: Target version for auto-upgrade on boot. Empty = disabled, "latest" = always newest, or pin a version like v1.2.3. Operators can override later via SSM without redeploying. (Separate from the AMI version above.) (CloudFormation parameter: cloudspectraSoftware0000version)
  Leave empty to pin to the AMI's built-in version.
Software download URL: HTTPS base URL of the public Cloud Spectra software releases bucket, used for auto-upgrade downloads and cross-account quickcreate links. Override only if self-hosting release artifacts. (CloudFormation parameter: cloudspectraSoftware0000downloadUrl)
  Keep the default unless you self-host the release bucket.
Resource name prefix: Short lowercase prefix applied to all resource names and tags. Change only when deploying multiple stacks in one account/region. 1-32 chars, [a-z0-9-]. (CloudFormation parameter: cloudspectraSoftware0000resourceNamePrefix)
Lambda handler log level: Log level for the Lambda CloudFormation handler. DEBUG is verbose for troubleshooting; INFO is the production default. (CloudFormation parameter: cloudspectraLogLevel)
Admin & Security (Optional)
Dashboard password and template signature

Note: For your security, the admin password is never placed in a launch URL. Leave it blank to auto-generate a strong initial password (retrievable via SSH), or set one in the masked adminPassword field on the AWS console page. Plaintext rules: 8-128 chars with upper, lower, digit and special; or paste a bcrypt hash.

Skip signature check: Per-build secret that bypasses RSA template-integrity verification (dev/test only). Leave empty for production so the Lambda verifies the template signature on every Create/Update. (CloudFormation parameter: cloudspectraSkipSignatureCheck)
  Production deployments must leave this empty.
Advanced / Developer (Optional)
Default-route override and test instance

Update main route table: When true, adds a 0.0.0.0/0 default route to the VPC main route table pointing at the gateway ENI in AZ 1. Enable only after confirming all VPC workloads should transit the gateway by default. (CloudFormation parameter: UpdateMainRoutingTable)
Launch test instance: When true, launches a single Ubuntu t3.micro test instance in the AZ 1 user subnet (0.0.0.0/0 routed via the gateway) for quick packet-path demos. Set false when not in use to avoid cost. (CloudFormation parameter: EnableTestAsg)
Lambda Code Source (Expert)
Where CloudFormation reads the handler Lambda ZIPs (Marketplace sets these)

Note: These default to Cloud Spectra's public releases bucket. AWS Marketplace sets them automatically at publish time. Change only if self-hosting the Lambda artifacts.

Lambda bucket name: Base S3 bucket holding the Lambda code ZIPs. Self-hosted: the stack region is appended to form <name>-<region>, the same-region bucket Lambda requires. (CloudFormation parameter: MPS3BucketName)
Lambda bucket region: Region of the Lambda ZIP bucket. Empty defaults to the stack region. Marketplace replaces this at publish time. (CloudFormation parameter: MPS3BucketRegion)
Lambda key prefix: S3 key prefix for the Lambda code ZIPs (e.g. 1.0.0/). Marketplace replaces this at publish time. (CloudFormation parameter: MPS3KeyPrefix)
Ready to launch
Opens the AWS CloudFormation quick-create page with your settings pre-filled. You review and click Create stack on AWS.
Template: latest/cloudspectra_gateway_asg.yaml. You must be signed in to the AWS console for the chosen region. The final Create-stack step (including the IAM capabilities acknowledgement) always happens on AWS -- this page never touches your account.