Amazon Web Services (AWS) Connector

When you create an Amazon Web Services (AWS) connector, you are authorizing FortiADC to periodically (every 30 seconds by default) get information from AWS instances and dynamically populate it in the server pool configuration.

Before you begin:
  • Ensure the system time is synchronized between AWS EKS and FortiADC. You can enable NTP on FortiADC to keep its clock accurate. For details, see Configuring system time.
  • If you want to access AWS EKS objects through the Metadata IAM role for the FortiADC EC2 instance, you must have the required permissions enabled. For details, see Accessing AWS EKS objects through Metadata IAM role.

To create an AWS Connector:

  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Under Public SDN, select Amazon Web Services (AWS) to display the configuration editor.
  4. Configure the following settings:

    Setting              Description
    Name                 Type a name for the external connector object.
    Status               Toggle on to enable the external connector object. Toggle off to disable it.
    Update Interval (s)  Specify the update interval, in seconds, at which the connector gets AWS objects and dynamically populates the information in the server pool configuration.
    Access Key ID        Specify the access key ID.
    Secret Access Key    Specify the secret access key.
    Region Name          Specify the region where your instances are deployed.
    Use Metadata IAM     When FortiADC is deployed on AWS, you can assign an IAM role to it to access EC2 instances and EKS objects.

  5. Click Save.

After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the instances from AWS and dynamically populate the objects in the server pool configuration.

You can use the IP Address Type option to get either the private address or the public address of the instance. This option is supported only when FortiADC is deployed on AWS.

Accessing AWS EKS objects through Metadata IAM role

If you want to use the Metadata IAM role for the FortiADC EC2 instance to access the AWS EKS objects, follow the steps below to enable permission before you configure the AWS SDN connector.

Note: If you have already configured the AWS SDN connector with Metadata IAM enabled, it must be disabled and re-enabled for the steps below to take effect in the new configuration.

  1. Go to the AWS Dashboard and navigate to IAM > Access management > Role.
  2. Create a role and grant it the AdministratorAccess permission policy to allow the FortiADC EC2 instance to call AWS EKS services on your behalf.
  3. Record the Role ARN information to be used later.
  4. Assign the newly created IAM role to the FortiADC EC2 instance.
  5. Add role-based access control (RBAC) access for the IAM role using the aws-auth ConfigMap.
    1. Check the current aws-auth ConfigMap and copy the roleARN information.
      The roleARN may appear differently depending on how the EKS cluster node group was created. In this context, the EKS cluster node group is created with the Amazon EKS vended AWS CloudFormation templates, which makes the NodeInstanceRole the roleARN.
      kubectl describe configmap -n kube-system aws-auth
    2. Download the configuration map template.
      curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/aws-auth-cm.yaml
    3. Create a new aws-auth configuration by adding the IAM role created previously and the NodeInstanceRole to aws-auth-cm.yaml.
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: aws-auth
        namespace: kube-system
      data:
        mapRoles: |
          - rolearn: arn:aws:iam::xxxx:role/eksctl-qa-cluster-nodegroup-ng-16-NodeInstanceRole-yyyy
            username: system:node:{{EC2PrivateDNSName}}
            groups:
              - system:bootstrappers
              - system:nodes
          - rolearn: arn:aws:iam::xxxx:role/FortiADC-role
            username: system:node:{{EC2PrivateDNSName}}
            groups:
              - system:bootstrappers
              - system:nodes
    4. Apply aws-auth-cm.yaml with the kubectl apply command.
      kubectl apply -f aws-auth-cm.yaml
    5. Use the kubectl describe command to check the aws-auth ConfigMap.
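As an added pre-apply check (example code, not part of the Fortinet documentation or product), the following Python script parses the mapRoles block of an aws-auth-cm.yaml laid out as above and flags the two mistakes that matter most before kubectl apply: dropping the NodeInstanceRole entry, which cuts the worker nodes off from the cluster, and mapping any role, including the FortiADC role whose instance profile already carries AdministratorAccess, to the system:masters group. The role name FortiADC-role and the placeholder ARNs are taken from the page; the parser is a minimal line-based reader for exactly that layout, not a general YAML parser.

```python
# Constructed sample mirroring the page's aws-auth-cm.yaml; the account id
# (xxxx) and role suffix (yyyy) are placeholders, as on the page.
SAMPLE_CM = """\
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/eksctl-qa-cluster-nodegroup-ng-16-NodeInstanceRole-yyyy
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxxx:role/FortiADC-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
"""


def parse_map_roles(text):
    """Return mapRoles entries as dicts {rolearn, username, groups} (line-based, no PyYAML)."""
    roles, cur, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("mapRoles:"):
            in_block = True
        elif line.endswith("|"):  # another block scalar (e.g. mapUsers) starts
            in_block = False
        elif in_block and line.startswith("- rolearn:"):
            cur = {"rolearn": line.split(":", 1)[1].strip(), "username": "", "groups": []}
            roles.append(cur)
        elif in_block and cur and line.startswith("username:"):
            cur["username"] = line.split(":", 1)[1].strip()
        elif in_block and cur and line.startswith("- "):  # a group entry
            cur["groups"].append(line[2:].strip())
    return roles


def check_aws_auth(text, connector_role="FortiADC-role"):
    """Return a list of findings; an empty list means the ConfigMap is safe to apply."""
    roles = parse_map_roles(text)
    findings = []
    if not any("NodeInstanceRole" in r["rolearn"] for r in roles):
        findings.append("NodeInstanceRole mapping is missing: worker nodes would lose cluster access")
    if not any(r["rolearn"].endswith("role/" + connector_role) for r in roles):
        findings.append(f"{connector_role} is not mapped: the cluster will not authorize it")
    for r in roles:  # system:masters is cluster-admin; neither entry above needs it
        if "system:masters" in r["groups"]:
            findings.append(f"{r['rolearn']} is mapped to system:masters (cluster-admin)")
    return findings
```

Run it against the edited file with `check_aws_auth(open("aws-auth-cm.yaml").read())` and apply only when it returns an empty list.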

For more information on AWS IAM user and role access to the EKS cluster, refer to AWS official documentation.
