Netgate is thrilled to introduce pfSense Plus software support for AWS Graviton-based EC2 instances. This opens the door to substantial cost savings for our customers, potentially reducing Amazon Elastic Compute Cloud (Amazon EC2) expenses by up to 20%. This not only helps streamline cloud investments but also ensures top-tier security for mission-critical cloud workloads on AWS.
Our latest enhancement empowers Netgate customers with greater flexibility and choice. As cloud adoption continues to rise, businesses are increasingly turning to cloud instances to power their IT infrastructure. AWS Graviton-based EC2 instances offer a compelling alternative to traditional instance types, providing superior performance at a lower cost.
Netgate's pfSense Plus software on AWS EC2 Graviton instances maximizes the performance capabilities of AWS Graviton Processors, and is readily available across all regions. Customers have the flexibility to launch instances of varying sizes, ranging from 2 to 16 virtual cores.
Leveraging Embedded Crypto Accelerators for VPN Performance
pfSense Plus software supports Netgate’s IPSec Multi-Buffer (IIMB) engine, which increases VPN performance on Intel, AMD, and ARM platforms where extended instruction support is present. IIMB accelerates cryptographic workloads by replacing some cryptographic functions provided by the kernel with accelerated functions that utilize those extended instructions. The following AWS instance types are able to take advantage of this support and are available for provisioning:
Graviton 2: C6g and M6g
Graviton 3: C7g and M7g, M7gd
Running CryptoBench (a tool Netgate built to exercise the crypto engines available in the kernel) performance tests on the M7g.large instance, we have seen the following performance results vs stock OCF (Open Cryptographic Framework):
The above numbers are from the OCF crypto engine interface, and not the network stack, which may not reflect real-world performance. However, the differences between stock OCF and IIMB are significant as stock OCF uses all cores in async to achieve the result, while IIMB uses one core.
IIMB is a feature which is free to enable on pfSense Plus software, and is highly recommended for VPN applications to lighten the load on the CPU, freeing it up for firewall and routing services.
sync: The encryption job is run immediately when the request is sent to the API. Stock OCF may choose to submit the job to a different thread if there are free CPU resources. IIMB will handle the job immediately on the same processing thread.
async: The job is queued to another worker kernel thread. Stock OCF spreads this load across multiple workers, whereas IIMB has a single thread for each stream (for example a VPN connection generally has 2 streams per connection - one for inbound, the other for outbound). Keeping IIMB streams tied to one thread helps with CPU utilization by keeping the caches "hot". It also allows other CPUs to be free for other critical workloads, such as userspace daemons.
Network Protection in the Cloud & On-Premises
The world’s leading firewall, router, and VPN solution for network edge and cloud secure networking, Netgate pfSense Plus software is the world’s most trusted firewall. Millions of customers across all sectors depend on physical, virtual, and cloud-delivered pfSense software instances to provide real-time protection against highly evasive threats with advanced features such as IDS/IPS and powerful blocking options.
Securing Your Cloud Journey at the Lowest TCO
Netgate pfSense Plus software is already known as the lowest TCO firewall/router/VPN solution on the cloud, as outlined in this white paper. Coupled with AWS Graviton instances, customers can enjoy significant cost savings while protecting their most important asset – their data. Netgate is excited to work closely with AWS to ensure that our joint customers can choose the instance types that best suit their needs and budgets. pfSense Plus software can be purchased with on-demand pricing or annual subscriptions in the AWS Marketplace.