This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:
- Customize the CFT template
- Check the prerequisites
- Review the network failover diagram
- Invoke the CFT template
- Connect to the FortiGates
- [Connectivity test] Configure FortiGate firewall policy
- [Failover test] Shut down FortiGate A
- Log into the AWS portal and select CloudFormation.
- Click Create new stack.
- Under Choose a template, select Upload a template to Amazon S3. Locate and upload the prepared template, then click Next. If there is a JSON syntax error, a message displays. If this happens, fix the issue before continuing.
- Based on the CFT template’s content, the following screen may appear. Ensure all fields, including the IP addresses and subnets, match the configuration files for FortiGate A and B mentioned in Customize the CFT template. You may also want to change the default values in the CFT template to ensure they show up here.
- Choose the desired AWS instance type.
- Select a key pair. Without one, the CFT deployment fails.
- The bottom of the page refers to “Cluster” options. This is not related to AWS clustering technologies or services; it refers to the secondary IP addresses of port 1 and port 2 of the FortiGates, which can be considered the cluster addresses under HA. Click Next.
- Leave the Options page blank and click Next. Do not specify a Name key in the tags: it duplicates the Name already set in the CFT template and causes an error.
- Review the configuration. Select the acknowledgement checkbox. Click Create.
The CFT template starts running and creates relevant resources.
After a while, if no error occurs, all resources are successfully created.
- Navigate to the EC2 console and check that two FortiGate instances were created.
- Verify the VPC that was just created.
- Verify the four new subnets created within the 192.168.0.0/16 CIDR (or the CIDR you specified).
- Verify the routing tables that were just created. You can use the Routes and Subnet Associations tabs for more detailed information.
- Verify the elastic IP addresses. You can see that the elastic IP addresses are associated with the following interfaces:
  - FortiGate A eth0 (not assigned to FortiGate A’s port): 192.168.1.111
  - FortiGate B eth0 (port 1): 192.168.1.12
  - FortiGate A eth0 secondary IP address (port 1): 192.168.1.13
  - FortiGate A eth3 (port 4): 192.168.4.11
  - FortiGate B eth3 (port 4): 192.168.4.12
- Verify the secondary IP addresses assigned to FortiGate A’s eth0 and eth1.
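The elastic IP and secondary IP checks above can also be scripted, which is useful because HA failover depends on exactly this layout. The following is an added example, not part of the Fortinet recipe: it takes the `NetworkInterfaces` list that `aws ec2 describe-network-interfaces` (or boto3) returns and compares it with the address plan listed above; the ENI IDs and public IPs in the sample are constructed.

```python
# Added example, not from the Fortinet recipe. Checks the Elastic IP / secondary IP
# layout the recipe says to verify by hand, using the "NetworkInterfaces" list that
# `aws ec2 describe-network-interfaces` (or boto3) returns. No AWS call is made here.
from typing import Dict, List, Tuple

# Expected layout taken from the recipe: private IP -> (label, is a secondary IP?).
# Every address listed is expected to carry an Elastic IP association.
EXPECTED: Dict[str, Tuple[str, bool]] = {
    "192.168.1.111": ("FortiGate A eth0 primary", False),
    "192.168.1.12": ("FortiGate B port1", False),
    "192.168.1.13": ("FortiGate A port1 secondary", True),
    "192.168.4.11": ("FortiGate A port4", False),
    "192.168.4.12": ("FortiGate B port4", False),
}

def check_ha_addresses(interfaces: List[dict], expected=EXPECTED) -> List[str]:
    """Return a list of problems; an empty list means the layout matches the plan."""
    seen = {}
    for eni in interfaces:
        for addr in eni.get("PrivateIpAddresses", []):
            seen[addr["PrivateIpAddress"]] = {
                "eni": eni["NetworkInterfaceId"],
                "primary": addr.get("Primary", False),
                "eip": addr.get("Association", {}).get("PublicIp"),
            }
    problems = []
    for ip, (label, secondary) in expected.items():
        info = seen.get(ip)
        if info is None:
            problems.append(f"{label}: {ip} is not on any ENI")
            continue
        if not info["eip"]:
            problems.append(f"{label}: {ip} on {info['eni']} has no Elastic IP")
        if secondary and info["primary"]:
            problems.append(f"{label}: {ip} is the ENI primary, expected a secondary IP")
    return problems

# Constructed sample in describe-network-interfaces shape (ENI ids and EIPs are made up).
SAMPLE = [
    {"NetworkInterfaceId": "eni-aaaa0001", "PrivateIpAddresses": [
        {"PrivateIpAddress": "192.168.1.111", "Primary": True, "Association": {"PublicIp": "203.0.113.10"}},
        {"PrivateIpAddress": "192.168.1.13", "Primary": False, "Association": {"PublicIp": "203.0.113.11"}}]},
    {"NetworkInterfaceId": "eni-aaaa0002", "PrivateIpAddresses": [
        {"PrivateIpAddress": "192.168.1.12", "Primary": True, "Association": {"PublicIp": "203.0.113.12"}}]},
    {"NetworkInterfaceId": "eni-aaaa0003", "PrivateIpAddresses": [
        {"PrivateIpAddress": "192.168.4.11", "Primary": True, "Association": {"PublicIp": "203.0.113.13"}}]},
    {"NetworkInterfaceId": "eni-aaaa0004", "PrivateIpAddresses": [
        {"PrivateIpAddress": "192.168.4.12", "Primary": True}]},  # EIP missing on purpose
]

if __name__ == "__main__":
    for line in check_ha_addresses(SAMPLE) or ["layout matches the recipe"]:
        print(line)
```

Run it against the real `NetworkInterfaces` output for the new VPC; any non-empty result is a layout that will not fail over the way the recipe expects.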