This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:
- Customize the CFT template
- Check the prerequisites
- Review the network failover diagram
- Invoke the CFT template
- Connect to the FortiGates
- [Connectivity test] Configure FortiGate firewall policy
- [Failover test] Shut down FortiGate A
Prior to invoking the CFT template on the AWS portal, verify the AWS EC2 instance type and complete the following prerequisites.
AWS EC2 instance type
Ensure your AWS EC2 instance type matches your needs according to your FortiGate license entitlement. Refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html.
The instance type must support at least four network interfaces per FortiGate instance, because each FortiGate in this HA deployment uses four.
When you invoke the CFT template, only the AWS instance types FortiGate supports are offered; select one from the list. The supported types are written into the CFT template. Do not manually replace them with other types, because the listed types have been tested and verified by Fortinet.
Ensure that you do not have an existing VPC whose network CIDR overlaps the one specified in the CFT template (such as 10.0.0.0/16). The CFT template automatically creates a new VPC.
Five elastic IP addresses are automatically created and consumed to deploy and run the FortiGate instances in the HA. By default, one AWS region usually allows a maximum of five elastic IP addresses, so choose a region with no existing elastic IP address. Five public IP addresses may seem like many, but if an incorrect setup causes communication issues, the spare addresses let you still reach FortiGate A and B to repair the configuration.
Ensure you have an existing key pair in the region.
If these prerequisites are not met when you invoke the CFT template, the deployment fails. In that case AWS automatically detects the failure and rolls the stack back to the beginning by deleting all in-progress resources. Fix the error and invoke the CFT template again.
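Because a failed deployment rolls back and costs another full template run, it is worth checking the four prerequisites above before invoking the template. The script below is an added example, not part of the Fortinet recipe or the CFT template: it evaluates the instance-type ENI limit, VPC CIDR overlap, free elastic IP count and key-pair presence from parsed JSON shaped like the output of `aws ec2 describe-instance-types`, `describe-vpcs`, `describe-addresses` and `describe-key-pairs` (the field names used are those CLI outputs as I understand them). The embedded sample data, including the instance type names `example.small`/`example.large` and their interface limits, is constructed for the demonstration and does not describe real AWS instance types; in practice you would feed the script the real CLI output for your region.

```python
import ipaddress

# Values taken from the recipe text.
TEMPLATE_VPC_CIDR = "10.0.0.0/16"   # VPC CIDR the CFT template creates
REQUIRED_ENIS = 4                   # network interfaces per FortiGate instance
REQUIRED_EIPS = 5                   # elastic IPs the deployment consumes
DEFAULT_EIP_LIMIT = 5               # default per-region elastic IP quota


def check_instance_type(describe_instance_types, instance_type):
    """True if the given type allows at least REQUIRED_ENIS network interfaces.
    `describe_instance_types` is parsed JSON shaped like `aws ec2 describe-instance-types`."""
    for entry in describe_instance_types.get("InstanceTypes", []):
        if entry["InstanceType"] == instance_type:
            return entry["NetworkInfo"]["MaximumNetworkInterfaces"] >= REQUIRED_ENIS
    return False  # unknown type: treat as unsupported


def overlapping_vpcs(describe_vpcs, template_cidr=TEMPLATE_VPC_CIDR):
    """Return IDs of existing VPCs whose primary or secondary CIDR overlaps the template CIDR."""
    target = ipaddress.ip_network(template_cidr)
    hits = []
    for vpc in describe_vpcs.get("Vpcs", []):
        # Secondary CIDR associations can overlap even when the primary block does not.
        cidrs = [a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", [])] or [vpc["CidrBlock"]]
        if any(ipaddress.ip_network(c).overlaps(target) for c in cidrs):
            hits.append(vpc["VpcId"])
    return hits


def free_elastic_ips(describe_addresses, limit=DEFAULT_EIP_LIMIT):
    """Elastic IPs still allocatable in the region under the given quota."""
    return limit - len(describe_addresses.get("Addresses", []))


def has_key_pair(describe_key_pairs, key_name):
    return any(k["KeyName"] == key_name for k in describe_key_pairs.get("KeyPairs", []))


def check_prerequisites(instance_types, vpcs, addresses, key_pairs, instance_type, key_name):
    """Map each prerequisite to True/False so the failing item is visible before a rollback."""
    return {
        "instance_type_supports_4_enis": check_instance_type(instance_types, instance_type),
        "no_overlapping_vpc": not overlapping_vpcs(vpcs),
        "enough_elastic_ips": free_elastic_ips(addresses) >= REQUIRED_EIPS,
        "key_pair_exists": has_key_pair(key_pairs, key_name),
    }


# --- Constructed sample data (not real AWS instance types, VPCs or addresses) ---
SAMPLE_INSTANCE_TYPES = {"InstanceTypes": [
    {"InstanceType": "example.small", "NetworkInfo": {"MaximumNetworkInterfaces": 3}},
    {"InstanceType": "example.large", "NetworkInfo": {"MaximumNetworkInterfaces": 4}},
]}
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-0example1", "CidrBlock": "10.0.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
    {"VpcId": "vpc-0example2", "CidrBlock": "172.31.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "172.31.0.0/16"}]},
    # Primary block is clear, but a secondary association lands inside 10.0.0.0/16.
    {"VpcId": "vpc-0example3", "CidrBlock": "192.168.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "192.168.0.0/16"}, {"CidrBlock": "10.0.200.0/24"}]},
]}
SAMPLE_ADDRESSES = {"Addresses": [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0example"}]}
SAMPLE_KEY_PAIRS = {"KeyPairs": [{"KeyName": "fortigate-ha-key"}]}


if __name__ == "__main__":
    report = check_prerequisites(SAMPLE_INSTANCE_TYPES, SAMPLE_VPCS, SAMPLE_ADDRESSES,
                                 SAMPLE_KEY_PAIRS, "example.large", "fortigate-ha-key")
    for name, ok in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    if overlapping_vpcs(SAMPLE_VPCS):
        print("overlapping VPCs:", ", ".join(overlapping_vpcs(SAMPLE_VPCS)))
```

With the sample data the instance type and key pair pass, while the VPC check fails on two VPCs (one only through a secondary CIDR association) and the elastic IP check fails because one address is already allocated and only four of the five remain.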
Latest posts by In Hye Lee (see all)