Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.2.7 Handbook
    7.2.7
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Amazon Web Services (AWS) Connector

    Amazon Web Services (AWS) Connector

    When you create an Amazon Web Services (AWS) connector, you are authorizing FortiADC to periodically (every 30 seconds by default) get information from AWS instances and dynamically populate it in the server pool configuration.

    Before you begin:
    • Ensure the system time is synchronized between AWS EKS and FortiADC. You can enable NTP on FortiADC to correct the time clock. For details, see Configuring system time.
    • If you want to access AWS EKS objects through the Metadata IAM role for the FortiADC EC2 instance, you must have permissions enabled. For details, see Accessing AWS EKS objects through Metadata IAM role.

    To create an AWS Connector:

    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Public SDN, select Amazon Web Services (AWS) to display the configuration editor.
    4. Configure the following settings:

      Setting

      Description

      NameType a name for the external connector object.
      Status

      Toggle on to enable the external connector object.

      Toggle off to disable the external connector object.

      Update Interval (s)

      Specify the update interval for the connector to get AWS objects and dynamically populate the information in the server pool configuration.

      Access Key ID

      Specify the access key ID.

      Secret Access Key

      Specify the secret access key.

      Region Name

      Specify the region where your instances are deployed.

      Use Metadata IAM

      When FortiADC is deployed on AWS, you can assign IAM role for it to access EC2 instances and EKS objects.

    5. Click Save.

    After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the instances from AWS and dynamically populate the objects in the server pool configuration.

    You can use the IP Address Type option to get the private address or public address of the instance. This option is supported only when the FortiADC is deployed on AWS.

    Accessing AWS EKS objects through Metadata IAM role

    If you want to use the Metadata IAM role for the FortiADC EC2 instance to access the AWS EKS objects, follow the steps below to enable permission before you configure the AWS SDN connector.

    Note: If you have already configured the AWS SDN connector with Metadata IAM enabled, it must be disabled and re-enabled in order for the below steps to take effect in the new configuration.

    1. Go to the AWS Dashboard and navigate to IAM > Access management > Role.
    2. Create a role and grant the role with the AdministratorAccess permission policy to allow the FortiADC EC2 instance to call AWS EKS services on your behalf.
    3. Record the Role ARN information to be used later.
    4. Assign the newly created IAM role to the FortiADC EC2 instance.
    5. Add role-based access control (RBAC) access to the IAM role using the aws-auth ConfigMap.
      1. Check the current aws-auth ConfigMap and copy the roleARN information.
        The roleARN may appear differently depending on the way the EKS cluster node group is created. In this context, the EKS cluster node group is created with the Amazon EKS vended AWS CloudFormation templates, which makes the NodeInstanceRole the roleARN.
        kubectl describe configmap -n kube-system aws-auth
      2. Download the configuration map template.
        curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/aws-auth-cm.yaml
      3. Create a new aws-auth configuration by adding the IAM role created previously and the NodeInstanceRole into aws-auth-cm.yaml.
        	apiVersion: v1
	kind: ConfigMap
	metadata:
	  name: aws-auth
	  namespace: kube-system
	data:
	  mapRoles: |
	    - rolearn: arn:aws:iam::xxxx:role/eksctl-qa-cluster-nodegroup-ng-16-NodeInstanceRole-yyyy
	      username: system:node:{{EC2PrivateDNSName}}
	      groups:
	        - system:bootstrappers
	        - system:nodes
	    - rolearn: arn:aws:iam::xxxx:role/FortiADC-role
	      username: system:node:{{EC2PrivateDNSName}}
	      groups:
	        - system:bootstrappers
	        - system:nodes
      4. Apply the aws-auth-cm.yaml by kubectl apply command.
        kubectl apply -f aws-auth-cm.yaml
      5. Use the kubectl describe command to check the aws-auth ConfigMap.

    For more information on AWS IAM user and role access to the EKS cluster, refer to AWS official documentation.

    Previous
    Next

    Amazon Web Services (AWS) Connector

    Amazon Web Services (AWS) Connector

    When you create an Amazon Web Services (AWS) connector, you are authorizing FortiADC to periodically (every 30 seconds by default) get information from AWS instances and dynamically populate it in the server pool configuration.

    Before you begin:
    • Ensure the system time is synchronized between AWS EKS and FortiADC. You can enable NTP on FortiADC to correct the time clock. For details, see Configuring system time.
    • If you want to access AWS EKS objects through the Metadata IAM role for the FortiADC EC2 instance, you must have permissions enabled. For details, see Accessing AWS EKS objects through Metadata IAM role.

    To create an AWS Connector:

    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Public SDN, select Amazon Web Services (AWS) to display the configuration editor.
    4. Configure the following settings:

      Setting

      Description

      NameType a name for the external connector object.
      Status

      Toggle on to enable the external connector object.

      Toggle off to disable the external connector object.

      Update Interval (s)

      Specify the update interval for the connector to get AWS objects and dynamically populate the information in the server pool configuration.

      Access Key ID

      Specify the access key ID.

      Secret Access Key

      Specify the secret access key.

      Region Name

      Specify the region where your instances are deployed.

      Use Metadata IAM

      When FortiADC is deployed on AWS, you can assign IAM role for it to access EC2 instances and EKS objects.

    5. Click Save.

    After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the instances from AWS and dynamically populate the objects in the server pool configuration.

    You can use the IP Address Type option to get the private address or public address of the instance. This option is supported only when the FortiADC is deployed on AWS.

    Accessing AWS EKS objects through Metadata IAM role

    If you want to use the Metadata IAM role for the FortiADC EC2 instance to access the AWS EKS objects, follow the steps below to enable permission before you configure the AWS SDN connector.

    Note: If you have already configured the AWS SDN connector with Metadata IAM enabled, it must be disabled and re-enabled in order for the below steps to take effect in the new configuration.

    1. Go to the AWS Dashboard and navigate to IAM > Access management > Role.
    2. Create a role and grant the role with the AdministratorAccess permission policy to allow the FortiADC EC2 instance to call AWS EKS services on your behalf.
    3. Record the Role ARN information to be used later.
    4. Assign the newly created IAM role to the FortiADC EC2 instance.
    5. Add role-based access control (RBAC) access to the IAM role using the aws-auth ConfigMap.
      1. Check the current aws-auth ConfigMap and copy the roleARN information.
        The roleARN may appear differently depending on the way the EKS cluster node group is created. In this context, the EKS cluster node group is created with the Amazon EKS vended AWS CloudFormation templates, which makes the NodeInstanceRole the roleARN.
        kubectl describe configmap -n kube-system aws-auth
      2. Download the configuration map template.
        curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/aws-auth-cm.yaml
      3. Create a new aws-auth configuration by adding the IAM role created previously and the NodeInstanceRole into aws-auth-cm.yaml.
        	apiVersion: v1
	kind: ConfigMap
	metadata:
	  name: aws-auth
	  namespace: kube-system
	data:
	  mapRoles: |
	    - rolearn: arn:aws:iam::xxxx:role/eksctl-qa-cluster-nodegroup-ng-16-NodeInstanceRole-yyyy
	      username: system:node:{{EC2PrivateDNSName}}
	      groups:
	        - system:bootstrappers
	        - system:nodes
	    - rolearn: arn:aws:iam::xxxx:role/FortiADC-role
	      username: system:node:{{EC2PrivateDNSName}}
	      groups:
	        - system:bootstrappers
	        - system:nodes
      4. Apply the aws-auth-cm.yaml by kubectl apply command.
        kubectl apply -f aws-auth-cm.yaml
      5. Use the kubectl describe command to check the aws-auth ConfigMap.

    For more information on AWS IAM user and role access to the EKS cluster, refer to AWS official documentation.

    Previous
    Next