Configuring AWS Elastic Load Balancer Virtual IP with Multiple FortiGate-VMs

Amazon Web Service (AWS) provides a service called Elastic Load Balancer (ELB). In this recipe, ELB is protected using a FortiGate-VM, which provides more security and reliability to the existing cloud infrastructure.

ELBs are load balancers provided by AWS. They operate either externally (Internet-facing) or internally. An external ELB is normally accessible from the Internet and distributes traffic as it enters a Virtual Private Cloud (VPC). An internal ELB has similar capabilities but is only accessible within a VPC.

Like other load balancers, ELB can be configured as n external ELB that is accessible from the Internet and distributes traffic as it enters a VPC. Or as in internal ELB has similar functions and only accessible inside a VPC.  This cookbook is to get you started with both AWS ELB and FortiGate-VM configuration at Amazon AWS environment. 

Using the configuration shown in the diagram below, an IT administrator can place an application server inside a private subnet. The application server can provide Web Applications, Terminal Services, or general purpose Internet service. The access is fully protected and logged by the FortiGate-VM.

The design shows that application servers are fully separated between two subnets for Active-Active configuration. The load is divided evenly in this configuration. 

1. Creating two subnets on your Amazon VPC

Log into AWS with your Elastic Compute Cloud (EC2) credentials and select VPC.
Select Start VPC Wizard to create a new VPC.
Select VPC with a Single Public Subnet.
Fill in the information as required and select Create VPC.

A VPC has been created with a single public subnet available. In this example, the subnet will be referred to as Fortinet-VPC.

To deploy the FortiGate-VM, a private subnet must also be created.

Go to Subnet and select Create Subnet.

 

Fill in the information as required and select Yes, Create.

In this example, the subnet will be referred to as ‘Application Subnet 1’.

 

2. Creating a security group for the FortiGate-VM

Go to Security Groups and select Create Security Group. Set it to Fortinet-VPC. Select Yes, Create.

In this example, this security group will be referred to as ‘Allow everything’.

 

Edit the ‘Allow everything’ group. Select the Inbound Rules tab and then select Edit.

Set Type to ALL TCPProtocol to TCP (6)Port Range to ALL, and Source to 0.0.0.0/0.

Select Save.

 

3. Allocating elastic IPs for the FortiGate and for public access 

Go to Elastic IPs and select Allocate New Address.

Select Yes, Allocate to allocate an IP address.

Repeat to add two more address.

 

4. Deploying the FortiGate-VM 

In this example, this FortiGate-VM instance will be referred to as FortiGate 1.

Go to Services > EC2 and select Key Pairs. Select Create Key Pair, fill in the key pair name, and select Create.

This will save the key pair to your system. Remember where this file is, as it will be used later on.

 
Go to EC2 Dashboard and select Launch Instance.  
Select AWS Marketplace and search for Fortinet. Locate and select Fortigate-VM (BYOL).  
Select General purpose m3.medium as the instance type and select Next: Configure instance Details.  
Set Network to Fortinet-VPC and Subnet to the public subnet.  

Under Network Interface, set eth0 to the public subnet and eth1 to Fortinet-VPC.

Select Next: Add Storage.

 

Review your storage options. This storage is used for logging. If you want more storage for logging, change the size from 10 to the value you want.

Select Next: Tag Instance.

 
Enter a Name tag and select Configure Security Group.  

Enable Select an existing security group and select the ‘Allow everything’ security group. This allows the FortiGate-VM security features to be used, rather than the basic protection from Amazon.

Select Review and Launch. A review page will be shown with your configuration.

Review the settings and, if the configuration is correct, select Launch.

 

Select the Fortinet-AWS-Keypair that you previously created.

Review the information, then select Launch Instance to deploy the FortiGate-VM.

 

5. Assigning an IP to the FortiGate-VM

 

Go to Network Interface and note the Network Interface ID of the private interface (in the example: eni-b25771d7).

Also note the ID for the FortiGate-VM (in the example: eni-bd5771d8).

 

Go to Elastic IPs and select one of the IPs. Select Associate Address, then enter the network interface ID of the FortiGate-VM.

Select Associate.

 

6. Creating a default route

Go to VPC Dashboard > Route Tables and select Create Route Table. Set VPC to the private subnet and select Yes, Create.

 

Select the new route, then select the Routes tab, then select Edit.

Select Add another route and set Destination to 0.0.0.0/0 and Target to the network interface ID of the private interface.

 
Select the Subnet Associations tab, enable the private subnet, and select Save.  

7. Configuring the FortiGate-VM 

 

Log into the FortiGate-VM GUI using the default admin account (the default admin account has the username ‘admin’ and no password). The license activation screen should appear.

Select Choose File, select your license file, and select OK. The system will restart.

After a few minutes, the login screen will appear. Log back into the FortiGate-VM.

Screen Shot 2015-03-09 at 2.55.51 PM

Using your terminal, enter the following commands to log into the server and enable disk logging.

ssh -i ./Fortinet-AWS-Keypair.pem admin@ FortiGate-VM64-AWS #execute update-now
FortiGate-VM64-AWS #execute formatlogdisk
Go to System > Admin > Administrators and edit the default admin account. Select Change Password and enter a new password.  

Go to System > Network > Interfaces and edit an internal interface (in the example, port2). 

Set Addressing Mode to DHCP.

 

The IP address of this port has changed to the IP you entered using the terminal (in the example, 10.0.1.5).

 

Go to Firewall Objects > Virtual IPs > Virtual IPs and create a new virtual IP that will map RDP (TCP port 3389) to a Windows server that will be deployed in the next step.

 

Go to Policy > Policy > Policy and create a new policy allowing traffic from the Internet-facing interface to the internal interface.

Create a second policy allowing traffic from the internal interface to the Internet-facing interface.

8. Deploying the Windows server

Connect to AWS and go to Network Interfaces. Right-click on the private network interface, select Change Source/Dest Check, and select Disable.

AWS will now let packets pass through, instead of filtering them.

Go to EC2 instances and select Launch Instance

 

Select t2.micro for the instance type and select Next: Configure Instance Details.  

Set Network to Fortinet-VPC, subnet to Application Subnet 1, and Network Interfaces to eth0.

Select Next: Add Storage.

 

If necessary, change your storage option.

 

 

 

Select Next: Tag Instance. Enter a Name tag, then select Next: Configure Security Group.

 

Enable Select an existing security group and select the ‘Allow everything’ group.

 

Select Review and Launch.

 

After you have reviewed the configuration, select the Fortinet-AWS-Keypair that you previously created.

 

 

Review the information, then select Launch Instance to deploy the server.

 

Go to EC2 instance and select the new subnet. Select Get Windows Password.

Click on Key Pair Path Browse and select the key pair file created earlier.

Select Decrypt Password to receive the administrator password for RDP connection.

 
Test the connection to your RDP server using your terminal and the following command:   C:\> mstsc /v: /admin

9. Creating a second subnet and deploying a second FortiGate-VM

Repeat the above instructions to create a second AWS subnet and to deploy a second FortiGate-VM on the subnet. In the diagram, this subnet is referred to as Application Subnet 2 and the FortiGate-VM instance is referred to as FortiGate 2.

10. Creating an ELB between the FortiGate-VMs

Go to the EC2 Dashboard, click on Load Balancers and click on Create Load Balancer

 

Create a load balancer for RDP traffic within Fortinet-VPC.

Select Continue

Set the Ping Protocol to use HTTPS.

Select Continue.

 

Use the on Public Subnet and add it into the Selected Subnets list.

Select Continue.

 

Select Allow every traffic.

Select Continue.

Select both FortiGate-VMs.

Select Continue

 

Leave Tags as default and select Continue. A review page will appear.

After you have reviewed the configuration, select Create.

 
Now that the ELB is created, you can use a domain name to test your connection via an RDP client. 

11. Results  

Go to the EC2 dashboard and right-click on FortiGate 1. Select Instance State > Stop to stop this instance. 

Connect via RDP to the Windows server. All connections will use the subnet for FortiGate 2.

You can also connect using the DNS name of your ELB. Connections will only use the subnet for FortiGate 2.

Start FortiGate 2 and wait until ELB status is 2/2. Connect to the server using multiple sources.

The load will be balanced between the FortiGate-VM instances.

For further reading, check out the FortiGate-AWS Deployment Guide

Share this recipe:

Facebooktwittergoogle_pluslinkedin
You must already have a license key available in order to use this option.
You may select a higher instance type depending on on your license key.
If you log in too early, the license is shown as being activated with the registration server. Try logging in again in few minutes.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.