Skip to content

End-to-end workflow

Whichever way you run Enforza, the journey is the same shape:

Launch a firewall → bind a policy → point traffic at it.

The single place the two run modes diverge is how you author and push policy - and that is your team’s workflow choice, not a difference in capability, enforcement, or billing.

Spin up a Linux VM - one, or several across Availability Zones for redundancy, and sized for your traffic - and enrol it. You have a few ways to launch; pick whatever fits your tooling. The outcome is identical: the firewall enrols over a single secure outbound connection and shows Online in your console within seconds.

  • Manual / quick start - run the install one-liner on any supported Linux VM. You don’t craft this command - either portal (Cloud Controller or GitHub Pipeline Integration) generates it for you with the right key baked in; you copy and run it:

    Terminal window
    curl -fsSL https://dl.neon.efz.io/install.sh \
    | sudo bash -s -- --regkey=YOUR-KEY-HERE

    The deployment key can be per-device (single-use - binds one firewall) or a fleet key (reusable across many VMs and your automation).

  • Infrastructure as code (Terraform / native cloud automation) - provision the VM, its routing, and packet-forwarding settings with Terraform or your cloud’s native automation (CloudFormation, ARM / Bicep, Deployment Manager, and the like). Reference landing-zone templates cover the common shapes - single VM, multi-AZ failover, centralised egress. The VM boots and self-enrols with the deployment key you pass in.

  • AWS Marketplace (1-click AMI) - subscribe, launch via the bundled CloudFormation, and the firewall self-registers via its EC2 instance identity. No deployment key to manage; you simply claim it in the console by account + instance id.

Run more than one VM when your redundancy and availability requirements call for it - the launch step is the same for each.

Attach a policy to the firewall. A policy is a policy - the same packet-engine, the same enforcement, whichever mode authored it.

Make one route change so traffic flows through the firewall. Because the last step is just a route change, rollback is instant - point the route back and you are where you started.

The only difference: how you author and push policy

Section titled “The only difference: how you author and push policy”

Everything above is identical across both modes. The one divergence is where your policy lives and how a change ships:

Cloud Controller (CCX)GitHub Pipeline Integration (GPI)
AuthorVisual editor in the consoleA YAML file in your GitHub repository
Review / gatePublish runs schema + compliance guardrailsPull request: review, checks, merge
ShipPush to one or many firewalls from the consoleMerge triggers the pipeline; the platform ships to the bound firewalls
Best forNetwork-operations teamsPlatform-engineering teams

Both run the same compliance guardrails, ship to the same packet-engine, and enforce identically. Choose the workflow your team already lives in.

Not sure which mode? See the two ways to run.

Enforza is a trading name of Synvu Limited, a company registered (15761962) in the United Kingdom. Registered office address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.