Deploying Web Access with an AWS Public IP

  • Published on Nov 20, 2025
  • 3 minute(s) read
  • ED
  • CD
  • SS
 Prev Next

This guide is intended for IT infrastructure architects and DevOps professionals responsible for deploying or enabling Web Access in the AWS public cloud.

This guide applies to Nasuni Edge Appliance version 10.1 and later.

Cloud: AWS

Product: Direct Access (Elastic IP and Security Group)

Supported: Certified

Introduction

To enable access to Web Access through the public internet, assign the Edge Appliance a static Public IP address in AWS. A security group restricts external access to the Edge Appliance to ports 443 (HTTPS) and 80 (HTTP).

Web Access can also be deployed behind an application load balancer (ALB). An ALB offloads encryption/decryption, simplifies SSL/TLS certificate management, and integrates with other services for enhanced security and performance. For more information on setting up an AWS ALB, see Deploying Web Access with AWS Application Load Balancer.

Prerequisites

  • An Edge Appliance must be deployed to AWS and joined to the NMC.

  • A public FQDN for your instance and corresponding SSL/TLS server certificate.

  • Access to DNS to set up the FQDN.

Creating an Elastic IP

Elastic IPs are the only way to assign a public IP address in AWS.  If an elastic IP address is not used, the public IP address changes whenever the instance is powered off.  The public FQDN also changes with the IP address, which prevents CNAME records from functioning.

To create an Elastic IP, follow these steps:

  1. Log in to AWS Console.

  2. Navigate to EC2Elastic IPsAllocate Elastic IP address.

  3. For “Public IPv4 address pool”, select “Amazon’s pool of IPv4 addresses” (or choose an alternate pool if appropriate for your organization).

  4. For “Network border group”, select the region the instance is to run in.

  5. To allocate the elastic IP address, click Allocate.

  6. After the IP is allocated, select the new IP address and choose Actions → “Associate Elastic IP address”.

  7. Select Instance, then choose the instance that is the NEA running Web Access.  

  8. Click Associate.

  9. Navigate to EC2Instances.

  10. On the Instances page, choose the associated instance.
    The Public IP address now shows under Details.

Security Groups

To secure the instance and enable public access to the Web Access console, a security group must be assigned that allows HTTPS and HTTP access.

Creating a security Group

  1. Navigate to EC2Security GroupsCreate security group. The “Create security group” page appears.

  2. Give the Security Group a Security Group Name and Description, such as “Nasuni WebAccess”.

  3. For the VPC, select the VPC with the running instance.

  4. Configure Inbound rules by following these steps:

    1. Click Add rule.

    2. From the Type drop-down list, select HTTPS.

    3. From the Source drop-down list, select Anywhere IPv4.

    4. Click Add rule.

    5. From the Type drop-down list, select HTTP.

    6. From the Source drop-down list, select Anywhere IPv4.

Note:  Adding HTTP does not allow for HTTP access.  It allows for browser redirection from HTTP → HTTPS, which can be convenient for end-users.

  1. Configure Outbound rules.
    One of the security groups assigned to the instance needs to permit outbound access.  Refer to Firewall and Port Requirements for a restricted list of FQDNs.

  1. Click “Create security group”.

Assigning the security group

  1. Select the Instance and right-click to open the options panel.

  2. Choose SecurityChange Security Groups.

Note: An instance can have multiple security groups.  It is recommended to have the security settings for public access in its own group and security settings for administration or SMB/NFS connects in another group.  However, all settings can be placed in the same group.

  1. Select the group created in the previous step and click Add security group.

  2. Then click Save these changes.

Testing

Navigating to the public IP address for the NEA should now load the Web Access interface after giving a certificate warning.  (This assumes that a share has been enabled for Web Access on the appliance.)

SSL Certificate and FQDN

After the Web Access page loads, a signed certificate for the desired FQDN needs to be installed on the appliance and the FQDN registered in the customer’s DNS provider.

For more information on the SSL Setup, see Generating SSL CA-signed or self-signed server certificate.

Related articles