The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Deploy VAs in Amazon Web Services

Two virtual appliances (VAs) are required per Umbrella site. It is critical that these VAs are not cloned or copied in any way. Each VA must be set up and configured manually.


  • If you are using the VA on Amazon Web Services as a DNS server for your on-premise endpoints, then DNS traffic from these endpoints should not traverse through a Network Address Translation (NAT) device en route to the VA. The VA should receive DNS packets with the source IP as the internal IP of the endpoints. An AWS Direct Connect or dedicated MPLS or VPN connection from your on-premise environment to AWS will meet this requirement.
  • Only VAs running version 2.6 or above can be deployed in AWS.

Procedural Overview

  1. Prepare the Virtual Appliance Amazon Machine Image. This is a one time task.
  2. Launch the virtual appliance on Amazon Web Services. Perform this task for each VA after you have performed the one-time task of preparing the VA image.

1. Prepare the Virtual Appliance Amazon Machine Image

Note: This is a one-time task to create an Amazon Machine Image (AMI) that can be used to launch multiple VAs.

  1. Navigate to Deployments > Configuration > Sites and Active Directory and click Download.
  1. Click Download for VA for Hyper-V.

Umbrella generates and downloads to your computer a zip file unique to your deployment.

  1. Extract the downloaded zip file. You'll find two folders—Virtual Hard Disks and Virtual Machines—and a config file.
  1. Follow the steps provided by AWS to (optionally) create an S3 bucket and to create the vmimport service role.
  2. Upload the downloaded vhd files (forwarder-va.vhd and dynamic.vhd) to the S3 bucket.
    This should be the same S3 bucket as specified in the role-policy.json file.
  3. Use the AWS CLI to import the image.
    Create a file locally named "containers.json" for importing the image. The following is an example of a containers.json file. Specify the S3 bucket where you have saved the vhd images in this file.
    "Description": "Forwarder",
    "Format": "vhd",
    "UserBucket": {
        "S3Bucket": "va-vhd-bucket",
        "S3Key": "forwarder-va.vhd"
    "Description": "Dynamic",
    "Format": "vhd",
    "UserBucket": {
        "S3Bucket": "va-vhd-bucket",
        "S3Key": "dynamic.vhd"

Image File Format

You must use the .vhd files to create the Amazon Machine Image and not the .ova file. Creating the AMI using the .ova file will result in the VA not being able to register to Umbrella.

  1. Use the AWS CLI command import-image to create import tasks:
    aws ec2 import-image --description "Umbrella VA" --license-type BYOL --disk-containers "file://containers.json"
  2. Note the AMI ID and verify that the import has been completed through the describe-import-image-tasks command:
    aws ec2 describe-import-image-tasks --import-task-ids <AMI ID>
  3. Once the VA Amazon Machine Image is created, use this image to launch multiple VAs. For more information, see Step 2. Launch the Virtual Appliance on Amazon Web Services.

2. Launch the Virtual Appliance on Amazon Web Services

Note: Before performing this task, you must complete the one-time task of preparing the VA image on AWS.

  1. Use the AWS console to launch Umbrella VA instances in AWS using the VA image you created in Step 1. Prepare the Virtual Appliance Image on Amazon Web Services. Choose a VM size with at least 1 VCPU and 1 GB RAM.
    Note: Instance types that enable the Elastic Networking Adapter (ENA) and Nitro-based Instance types are currently not supported. Refer to AWS documentation for the list of such instance types.
    The VA automatically pulls a DHCP IP and registers to Umbrella with this IP address.
    Note: Specifying a public IP address for the VA is a security risk and is not a supported configuration.
  1. In Umbrella, navigate to Deployments > Configuration > Sites and Active Directory.
    You should see the VA listed here with the dynamic IP address as its name.
    You can now configure the VA. For more information and the procedure, see Enter Configuration Mode on a VA Deployed in Azure.


Automated deployment of the VA on AWS using Terraform or other tools is currently not supported.

Deployment of the VA is not recommended for cases where Route53 is used as the local DNS server.

Updated about a month ago

Deploy VAs in Amazon Web Services

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.