Please refer to the official Amazon AWS PowerShell documentation for full details of the steps outlined in this section.
Prerequisites
Create an Amazon AWS account if you don't already have one.
Procedure
- In the AWS Console, create an Access Key and obtain the Access Key ID and Secret Access Key. Set them in the default profile.
  This step is applicable only if you don't already have an Access Key ID and Secret Access Key.

    Set-AWSCredential -AccessKey AKIAI6428NKYOEXAMPLE `
        -SecretKey bvfhkvvfhsbvhsdbhfbvfhfhvfhdskvbhfvbfhEXAMPLE `
        -StoreAs default
- Create a bucket in Amazon S3 to store Unified Access Gateway .vmdk images if one doesn't already exist.

    $bucket = "uag-images"
    New-S3Bucket -BucketName $bucket -Region us-east-2
- Create an IAM role in Amazon AWS called vmimport and apply a policy to the role.

    # Trust policy: allows the VM Import service to assume the role.
    $importPolicyDocument = @"
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": { "Service": "vmie.amazonaws.com" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "sts:ExternalId": "vmimport" }
          }
        }
      ]
    }
    "@
    New-IAMRole -RoleName vmimport -AssumeRolePolicyDocument $importPolicyDocument

    # Permissions policy: read access to the image bucket plus the EC2 actions
    # needed to register the imported image. $bucket is expanded by the here-string.
    $bucket = "uag-images"
    $rolePolicyDocument = @"
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::$bucket",
            "arn:aws:s3:::$bucket/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }
    "@
    Write-IAMRolePolicy -RoleName vmimport -PolicyName vmimport -PolicyDocument $rolePolicyDocument
- Prepare the network environment in EC2. These steps can be performed from the EC2 Management Console or with PowerShell. They only need to be done once to prepare the EC2 environment for Unified Access Gateway deployments. At least one subnet is needed. For multi-NIC Unified Access Gateway deployments, each NIC can either be on the same subnet or on different subnets.
- Create a Security Group for each type of NIC.
  A security group contains a set of firewall rules to restrict TCP and UDP port access. A security group can be shared among multiple Unified Access Gateway appliances. For example, you can create a security group called UAG-Internet for eth0 and associate it with the first NIC automatically when the Unified Access Gateway appliance is created. For Horizon use, the first (UAG-Internet) could allow TCP ports 80, 443, 8443, 4172 and UDP ports 443, 8443, 4172 from any client. If you want to allow ssh access to Unified Access Gateway, then you must specify sshEnabled=true in the General section of each .ini file. SSH should generally only be enabled for testing purposes and not for a production deployment. You should also make sure that access to ssh on TCP port 22 is restricted in the security group to individual source IP addresses so that it is not open to all.
- If the Unified Access Gateway appliance is directly accessible from the Internet, then each NIC requiring access must also have an associated public IP address, known as an Elastic IP.
- For each NIC, determine the Subnet ID, the Security Group ID and the Public IP Allocation ID. If you do not specify a Security Group ID for any NIC then the default Security Group will be used. If you don't specify a Public IP ID then there won't be a public IP address for that NIC and it won't be directly accessible from the Internet. This may be the case if a load balancer is used in front of a group of Unified Access Gateway appliances.
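The following script is an added example, not part of the original documentation or of the Unified Access Gateway product, that carries out the network preparation steps above for the eth0 NIC with the AWS Tools for PowerShell: it creates the UAG-Internet security group with the Horizon ports listed in the text, restricts SSH (TCP 22) to a single management address instead of 0.0.0.0/0, allocates an Elastic IP, and collects the Subnet ID, Security Group ID and Public IP Allocation ID that the last step asks you to determine. The VPC ID, Subnet ID and administrative CIDR are placeholders you must replace; the helper function New-UagIpPermission is this example's own, not an AWS cmdlet.

```powershell
# Added example (not from the original page). Assumed placeholders: replace
# $vpcId, $subnetId and $adminCidr with values from your own environment.
Set-DefaultAWSRegion -Region us-east-2

$vpcId     = "vpc-0123456789abcdef0"    # placeholder VPC
$subnetId  = "subnet-0123456789abcdef0" # placeholder subnet for eth0
$adminCidr = "203.0.113.10/32"          # placeholder: the only host allowed to SSH

# Helper (example's own): build one IpPermission for a protocol, port and CIDR.
function New-UagIpPermission {
    param(
        [string]$Protocol,
        [int]$Port,
        [string]$Cidr,
        [string]$Description
    )
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp = $Cidr
    $range.Description = $Description
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $Protocol
    $perm.FromPort = $Port
    $perm.ToPort = $Port
    $perm.Ipv4Ranges.Add($range)
    return $perm
}

# 1. Security group for the Internet-facing NIC (eth0). The cmdlet returns the group ID.
$sgId = New-EC2SecurityGroup -GroupName "UAG-Internet" `
    -Description "Unified Access Gateway eth0 - Horizon client access" `
    -VpcId $vpcId

# Horizon client ports from the text: TCP 80, 443, 8443, 4172 and UDP 443, 8443, 4172 from any client.
$rules = @()
foreach ($p in 80, 443, 8443, 4172) {
    $rules += New-UagIpPermission -Protocol "tcp" -Port $p -Cidr "0.0.0.0/0" -Description "Horizon TCP $p"
}
foreach ($p in 443, 8443, 4172) {
    $rules += New-UagIpPermission -Protocol "udp" -Port $p -Cidr "0.0.0.0/0" -Description "Horizon UDP $p"
}
# SSH is only reachable when sshEnabled=true is set in the .ini; even then, limit
# TCP 22 to the management address rather than opening it to all.
$rules += New-UagIpPermission -Protocol "tcp" -Port 22 -Cidr $adminCidr -Description "SSH from management host only"

Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $rules

# 2. Elastic IP for eth0. Skip this when a load balancer fronts the appliances
#    and the NIC should not be directly reachable from the Internet.
$eip = New-EC2Address -Domain vpc

# 3. The three IDs needed for eth0 when the appliance is deployed.
$eth0 = @{
    SubnetId             = $subnetId
    SecurityGroupId      = $sgId
    PublicIpAllocationId = $eip.AllocationId
}
$eth0

# Sanity check: read the group back and fail if any rule exposes TCP 22 to the world.
$open22 = (Get-EC2SecurityGroup -GroupId $sgId).IpPermissions |
    Where-Object { $_.IpProtocol -eq "tcp" -and $_.FromPort -le 22 -and $_.ToPort -ge 22 } |
    Where-Object { $_.Ipv4Ranges.CidrIp -contains "0.0.0.0/0" }
if ($open22) {
    throw "Security group $sgId exposes SSH (TCP 22) to 0.0.0.0/0; tighten the rule before deploying."
}
```

Run the script once per NIC type, changing the group name, subnet and port list for the internal-facing NICs; the final check is worth keeping in any automation because a security group edited later in the console can silently reopen port 22.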