Invoke the CFT template


This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

  1. Log into the AWS Management Console and open CloudFormation.
  2. Click Create new stack.
  3. Under Choose a template, select Upload a template to Amazon S3. Locate and upload the prepared template, then click Next. If the template contains a JSON syntax error, a message displays; fix the template before continuing.
  4. Depending on the CFT template’s content, a parameters screen may appear. Ensure that all fields, including the IP addresses and subnets, match the configuration files for FortiGate A and FortiGate B described in Customize the CFT template. Setting these values as defaults in the CFT template makes them appear pre-filled here, which reduces the chance of a mismatch.
  5. Choose the desired AWS instance type.
  6. Select an existing EC2 key pair. If no key pair is selected, the CFT deployment fails.
  7. The bottom of the page refers to “Cluster” options. These are not related to AWS clustering technologies or services; they refer to the secondary IP addresses of port 1 and port 2 on the FortiGates, which act as the cluster’s addresses under HA. Click Next.
  8. Leave the Options page blank and click Next. Do not specify a Name key in the tags: the CFT template already sets Name on its resources, and the duplicate causes an error.
  9. Review the configuration, select the acknowledgement checkbox, and click Create.

    The CFT template starts running and creates the relevant resources. After a while, if no error occurs, all resources are created and the stack status shows CREATE_COMPLETE.
  10. Navigate to the EC2 console and check that two FortiGate instances were created.
  11. Verify the VPC that was just created.
  12. Verify the four new subnets and their CIDR ranges, which depend on what you specified in the template.
  13. Verify the routing tables that were just created. Use the Routes and Subnet Associations tabs for more detail.
  14. Verify the elastic IP addresses. They are associated with the following interfaces:
    • FortiGate A eth0 (not assigned to FortiGate A’s port)
    • FortiGate B eth0 (port 1)
    • FortiGate A eth0 secondary IP address (port 1)
    • FortiGate A eth3 (port 4)
    • FortiGate B eth3 (port 4)

  15. Verify the secondary IP addresses assigned to FortiGate A’s eth0 and eth1 (port 1 and port 2).
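The same procedure driven from the AWS CLI, as an added example that is not part of this recipe or of Fortinet's code. The template parameter names InstanceType and KeyPair, the default instance type, the tag string and the use of CAPABILITY_IAM are assumptions standing in for whatever your customized template declares. Steps 1 to 9 map to deploy_stack, steps 10 to 15 to verify_stack, and check_inputs enforces the three caveats above (JSON syntax, key pair, no Name tag) before anything is sent to AWS:

```shell
#!/bin/sh
# Added example (not Fortinet's code): drive this recipe with the AWS CLI instead
# of the console. Template parameter names (InstanceType, KeyPair), the default
# instance type and the tag string are assumptions; use your customized template's.
set -eu

STACK_NAME="${STACK_NAME:-fgt-ha}"
TEMPLATE_FILE="${TEMPLATE_FILE:-./fortigate-ha.template.json}"
KEY_PAIR="${KEY_PAIR:-}"                              # existing EC2 key pair, required
INSTANCE_TYPE="${INSTANCE_TYPE:-c5.large}"            # assumed default
STACK_TAGS="${STACK_TAGS:-Key=Project,Value=fgt-ha}"  # space-separated Key=..,Value=.. pairs

# Pre-flight checks mirroring the console caveats in steps 3, 6 and 8.
# Returns 1 with a reason on stderr at the first failed check.
check_inputs() {
    if [ -z "$KEY_PAIR" ]; then
        echo "KEY_PAIR is empty: CloudFormation fails the stack without a key pair" >&2
        return 1
    fi
    case "$STACK_TAGS" in
        *Key=Name*)
            echo "STACK_TAGS sets a Name key: the template already sets Name, causing an error" >&2
            return 1 ;;
    esac
    if [ ! -r "$TEMPLATE_FILE" ]; then
        echo "template $TEMPLATE_FILE is not readable" >&2
        return 1
    fi
    # Best-effort local JSON syntax check (what the console reports at upload time);
    # the authoritative check is validate-template in deploy_stack.
    if command -v python3 >/dev/null 2>&1; then
        if ! python3 -m json.tool "$TEMPLATE_FILE" >/dev/null 2>&1; then
            echo "$TEMPLATE_FILE is not valid JSON" >&2
            return 1
        fi
    fi
    return 0
}

# Steps 1-9: validate, create, and wait for CREATE_COMPLETE.
deploy_stack() {
    check_inputs
    aws cloudformation validate-template --template-body "file://$TEMPLATE_FILE" >/dev/null
    # --template-body accepts up to 51,200 bytes; larger templates must be uploaded to
    # S3 and passed with --template-url, which is what the console upload does.
    # CAPABILITY_IAM is the CLI form of the acknowledgement checkbox (step 9); use
    # CAPABILITY_NAMED_IAM if the template names its IAM resources.
    # shellcheck disable=SC2086  # STACK_TAGS is intentionally word-split
    aws cloudformation create-stack \
        --stack-name "$STACK_NAME" \
        --template-body "file://$TEMPLATE_FILE" \
        --parameters "ParameterKey=InstanceType,ParameterValue=$INSTANCE_TYPE" \
                     "ParameterKey=KeyPair,ParameterValue=$KEY_PAIR" \
        --capabilities CAPABILITY_IAM \
        --tags $STACK_TAGS \
        --on-failure DO_NOTHING
    # Blocks until CREATE_COMPLETE; exits non-zero if the stack fails or rolls back.
    aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
    aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
        --query 'Stacks[0].StackStatus' --output text
}

# Steps 10-15: confirm what the stack created. CloudFormation tags every taggable
# resource with aws:cloudformation:stack-name, which is what the filters use.
verify_stack() {
    aws ec2 describe-instances \
        --filters "Name=tag:aws:cloudformation:stack-name,Values=$STACK_NAME" \
        --query 'Reservations[].Instances[].[InstanceId,State.Name,InstanceType,PrivateIpAddress]' \
        --output table
    vpc_id=$(aws ec2 describe-vpcs \
        --filters "Name=tag:aws:cloudformation:stack-name,Values=$STACK_NAME" \
        --query 'Vpcs[0].VpcId' --output text)
    echo "VPC: $vpc_id"
    aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" \
        --query 'Subnets[].[SubnetId,CidrBlock,AvailabilityZone]' --output table
    aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc_id" \
        --query 'RouteTables[].{Id:RouteTableId,Subnets:Associations[].SubnetId,Routes:Routes[].[DestinationCidrBlock,GatewayId,NetworkInterfaceId]}'
    # Every ENI with its device index (eth0..eth3), primary and secondary private
    # IPs, and the Elastic IP associated with each address (steps 14 and 15 at once).
    aws ec2 describe-network-interfaces --filters "Name=vpc-id,Values=$vpc_id" \
        --query 'NetworkInterfaces[].{Eni:NetworkInterfaceId,Instance:Attachment.InstanceId,Eth:Attachment.DeviceIndex,Ips:PrivateIpAddresses[].[PrivateIpAddress,Primary,Association.PublicIp]}'
}

case "${1:-}" in
    check)  check_inputs && echo "inputs OK" ;;
    deploy) deploy_stack ;;
    verify) verify_stack ;;
esac
```

Run it as `KEY_PAIR=<your key pair> sh deploy-fgt-ha.sh check` first, then `deploy`, then `verify`. The ENI listing at the end is the quickest way to confirm steps 14 and 15 together: an address with Primary false is a secondary IP, and a non-empty Association.PublicIp is the Elastic IP bound to it, so the FortiGate A port 1 secondary IP and its EIP show up on the same row.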