CloudFormation Console (Stand Alone)

The CloudFormation Console allows customers to deploy Sophos UTM using a CloudFormation template. This template provides options not available in the 1-Click Launch such as defining the Elastic IP address, trusted Classless Inter-Domain Routing (CIDR) networks, and Identity and Access Management (IAM) roles. You can follow the steps listed in this section for access to Sophos CloudFormation templates or download all available templates at

To use the CloudFormation Console, follow these steps:

  1. In Amazon Marketplace click on one of the Sophos UTM search results and click Continue.

  2. Select CloudFormation Console as your delivery method.

  3. Select a Version (we recommend the latest) and a Region.

  4. Click Accept Software Terms.

    After accepting the Software Terms, you should see a page with Next Steps indicating that an email has been sent to confirm the subscription.

  5. After your subscription has been confirmed, click Return to Product Page and select Launch with CloudFormation Console.

    In the CloudFormation Console, you’ll be presented with the Create stack menu with the prepopulated S3 template URL.

  6. Click Next.

  7. Enter the parameter values for the CloudFormation template:

    Stack Details
    Stack name: A unique and descriptive name for the CloudFormation stack

    VM Configuration

    • AMI of UTM: Set to autodetect for the latest AMI
    • UTM Instance size: Choose EC2 instance type for UTM. The default EC2 instance type is set to m3.medium or c4.large depending on your region

    UTM Infrastructure Configuration

    • VPC ID: Select in which VPC to install UTM
    • Private Subnet ID: Select in which VPC private subnet to install UTM
    • Public Subnet ID: Select in which VPC public subnet to install UTM
    • Private Network CIDR: Classless Inter-Domain Routing (CIDR) address for your VPC private subnet
    • Public Network CIDR: Classless Inter-Domain Routing (CIDR) address for your VPC public subnet
    • Existing Elastic IP ID: If you have an existing Elastic IP address you’d like to use for UTM, you can enter the address

    Access Permissions

    • SSH Key: EC2 Key Pair for SSH access
    • Trusted Network CIDR (optional): Allows all traffic from this network

    Tags (optional)

    • Key: Arbitrary key that can be used to identify your stack for purposes such as cost allocation
    • Value: Arbitrary value for the key

    Permissions (optional)
    IAM Role: An existing IAM service role that CloudFormation can assume

    Advanced (optional)

    Note – For more information on advanced options refer to

  8. Click Next.

  9. On the Review page, review the parameter values and click Create.

    This will take you to the CloudFormation management console where you can watch the Status and Events of the CloudFormation stack creation.

Once the status reads CREATE_COMPLETE, navigate to Services > EC2 > Instances within the AWS Management Console to confirm UTM has been deployed on a newly created EC2 instance. Select the EC2 instance and the Description tab to view the Public IP address. Please note the Public IP address to connect to your UTM (see chapter Stand Alone Configuration). If you selected CloudFormation Console for UTM (Stand Alone), you can now proceed to chapter AWS Marketplace Product Support Connection.
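
Because the Trusted Network CIDR in step 7 allows all traffic from the network entered, the CIDR values are worth checking before you click Create. The following pre-flight check is an added example, not part of the Sophos template or documentation; the dictionary keys are hypothetical labels for the step 7 fields (not the template's actual parameter names) and the /16 threshold is an assumed policy.

```python
import ipaddress

MIN_TRUSTED_PREFIX = 16  # assumed policy: flag IPv4 trusted networks wider than /16
REQUIRED = ("PrivateNetworkCIDR", "PublicNetworkCIDR")  # hypothetical field labels
OPTIONAL = ("TrustedNetworkCIDR",)


def check_parameters(params):
    """Return findings for the step 7 CIDR values; an empty list means no issue."""
    findings, nets = [], {}
    for name in REQUIRED + OPTIONAL:
        value = (params.get(name) or "").strip()
        if not value:
            if name in REQUIRED:
                findings.append(f"{name}: required value is missing")
            continue
        try:
            # strict=True rejects addresses with host bits set, e.g. 10.0.1.5/24
            nets[name] = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: not a valid CIDR ({exc})")

    private = nets.get("PrivateNetworkCIDR")
    public = nets.get("PublicNetworkCIDR")
    if private is not None and public is not None:
        # overlaps() is only defined for networks of the same IP version
        if private.version == public.version and private.overlaps(public):
            findings.append("PrivateNetworkCIDR overlaps PublicNetworkCIDR")

    trusted = nets.get("TrustedNetworkCIDR")
    if trusted is not None:
        if trusted.prefixlen == 0:
            findings.append("TrustedNetworkCIDR: matches every address")
        elif trusted.version == 4 and trusted.prefixlen < MIN_TRUSTED_PREFIX:
            findings.append(
                f"TrustedNetworkCIDR: /{trusted.prefixlen} is wider than "
                f"/{MIN_TRUSTED_PREFIX}")
    return findings


if __name__ == "__main__":
    # Constructed sample values (RFC 1918 private ranges, not from a real deployment).
    sample = {
        "PrivateNetworkCIDR": "10.0.1.0/24",
        "PublicNetworkCIDR": "10.0.0.0/24",
        "TrustedNetworkCIDR": "0.0.0.0/0",
    }
    for finding in check_parameters(sample):
        print("FINDING:", finding)
```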