FortiGate AutoScaling for Existing VPC with Mixed BYOL and On-Demand Deployment


In this recipe, you will deploy FortiGate Autoscaling into an existing VPC OnDemand deployment in Amazon Web Services (AWS).

If you do not already have the correct template, it can be found on GitHub.

1. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then select the template for upload.


2. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region where you wish to place FortiGate 1 and FortiGate 2 respectively.


In VPC Configuration, use the dropdown menu to set the VPC specific details, as well as the public and private subnets. These values are pulled from the existing VPCs.


In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.

Provide the name of the S3LicenseBucket. If the S3 bucket does not currently exist, provide a valid S3 bucket name and create the bucket and upload the licenses after this template is deployed. The autoscale script will “sleep” waiting for the creation of the S3 bucket and the licenses to be uploaded.

In ELB Configuration, if you need to change the default values, refer to AWS Documentation.
In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.
In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.
Review your parameters and acknowledge the IAM resources notification. Select Create.
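
Before selecting Create, the access-related parameters can be checked offline. The script below is an added example, not part of the FortiGate template or its autoscale script; the parameter names are the ones set in this step, while the sample values, the /16 threshold and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample values; the keys are the parameter names used in this recipe.
SAMPLE_PARAMS = {
    "AZForFirewall1": "us-east-1a",
    "AZForFirewall2": "us-east-1b",
    "CIDRForFortiGateAccess": "0.0.0.0/0",
    "CIDRForASAccess": "203.0.113.0/24",
    "S3LicenseBucket": "Example_License_Bucket",
}

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
MIN_PREFIX = 16  # assumption: IPv4 ranges broader than /16 are flagged


def check_cidr(name, value):
    """Return findings for one CIDR parameter that feeds a Security Group."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return [f"{name}: not a valid CIDR ({exc})"]
    if net.prefixlen == 0:
        return [f"{name}: {value} allows access from any address"]
    if net.version == 4 and net.prefixlen < MIN_PREFIX:
        return [f"{name}: {value} is broader than /{MIN_PREFIX}"]
    return []


def review_parameters(params):
    """Collect findings across the stack parameters before deployment."""
    findings = []
    for key in ("CIDRForFortiGateAccess", "CIDRForASAccess"):
        findings += check_cidr(key, params[key])
    az1, az2 = params["AZForFirewall1"], params["AZForFirewall2"]
    # Heuristic for standard AZ names: region is the name minus the last letter.
    if az1[:-1] != az2[:-1]:
        findings.append(f"AZForFirewall1/2: {az1} and {az2} are in different regions")
    if not BUCKET_RE.match(params["S3LicenseBucket"]):
        findings.append("S3LicenseBucket: not a valid S3 bucket name")
    return findings


if __name__ == "__main__":
    for finding in review_parameters(SAMPLE_PARAMS):
        print("FINDING:", finding)
```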

3. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.
You can also monitor Stack Creation Events.
An Availability Zone may not support the instance size of the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.