
AWS Administration Guide

Deploying auto scaling on AWS

You can deploy FortiGate virtual machines (VMs) to support Auto Scaling on AWS. Optionally, AWS Transit Gateway can be used to connect Amazon Virtual Private Clouds (Amazon VPCs) and their on-premises networks to a single gateway. This integration extends the FortiGate protection to all networks connected to the Transit Gateway. Consolidate logging and reporting for your FortiGate cluster by integrating FortiAnalyzer. Fortinet provides FortiGate Autoscale for AWS deployment packages to facilitate the deployment.

Multiple FortiGate-VM instances form an Auto Scaling group that provides clustering for periods of high workload. FortiGate-VM instances are scaled out automatically according to predefined workload levels: when a spike in traffic occurs, FortiGate-VM instances are added to the Auto Scaling group. Configuration consistency across the group relies on FortiGate-native High Availability (HA) features, which synchronize the operating system (OS) configuration from the primary to the new FortiGate-VM instances at the time of scale-out events.

FortiGate Autoscale for AWS is available with FortiOS 6.2.5, FortiOS 6.4.6, FortiOS 7.0.0, and FortiOS 7.0.1 and supports any combination of On-demand and Bring Your Own License (BYOL) instances. FortiAnalyzer 6.4.6 can be incorporated into Fortinet FortiGate Autoscale to use extended features that include storing logs into FortiAnalyzer.

Note

Fees will be incurred based on the Amazon Elastic Compute Cloud (Amazon EC2) instance type. Additionally, a license is required for each FortiGate Bring Your Own License (BYOL) instance you might use.

FortiGate Autoscale for AWS uses AWS CloudFormation Templates (CFTs) to deploy components.

Deployments without Transit Gateway integration have:

  • A highly available architecture that spans two Availability Zones.*
  • An Amazon VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
  • An Internet gateway to allow access to the Internet.*
  • In the public subnets:
    • (Optional) A FortiAnalyzer instance, which consolidates logging and reporting for your FortiGate cluster.

    • Two or more FortiGate-VM instances, which complement AWS security groups by providing intrusion protection, web filtering, and threat detection to help protect your services from cyberattacks. (Security groups only filter on addresses, protocols, and ports; the FortiGate-VMs inspect the traffic that is allowed through.) Each instance also provides VPN access for authorized users. VPN connections use Diffie-Hellman group 14 and SHA-256 (a SHA-2 hash).
    • A cluster of FortiGate-VM instances in the Auto Scaling groups, where one FortiGate-VM acts as the primary while the others act as secondaries. The primary FortiGate-VM also acts as a NAT gateway by default, allowing egress Internet access for resources in the private subnets.
  • A public-facing network load balancer that distributes inbound traffic across the FortiGate-VM instances. An internal-facing network load balancer is optional.
  • AWS Lambda, which provides the core Auto Scaling functionality between FortiGate-VM instances.
  • Amazon Simple Storage Service (Amazon S3) to host artifacts for Lambda functions and logs.

  • Amazon DynamoDB to store information about Auto Scaling condition states.

* When deploying into an existing VPC, the marked components in the above list are not created - you are prompted for your existing VPC configuration.

Deployments with Transit Gateway integration have:

  • A highly available architecture that spans two Availability Zones.
  • An Amazon VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.
  • An Internet gateway to allow access to the Internet.
  • In the public subnets:
    • (Optional) A FortiAnalyzer instance, which consolidates logging and reporting for your FortiGate cluster.
    • Two or more FortiGate-VM instances, which complement AWS security groups by providing intrusion protection, web filtering, and threat detection to help protect your services from cyberattacks. (Security groups only filter on addresses, protocols, and ports; the FortiGate-VMs inspect the traffic that is allowed through.) Each instance also provides VPN access for authorized users. VPN connections use Diffie-Hellman group 14 and SHA-256 (a SHA-2 hash).
    • A primary FortiGate-VM instance in the Auto Scaling group(s).
  • AWS Lambda, which provides the core Auto Scaling functionality between FortiGate-VM instances.
  • Amazon Simple Storage Service (Amazon S3) to host artifacts for Lambda functions and logs.
  • Amazon DynamoDB to store information about Auto Scaling condition states.
  • Site-to-Site VPN connections.
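The VPN parameters stated for both deployment types (Diffie-Hellman group 14, SHA-256) are worth verifying on every FortiGate-VM in the group rather than assumed: HA synchronization only propagates what the primary carries, and a tunnel added by hand on one member can drift. The script below is an added example, not code from the Fortinet Autoscale package or the CloudFormation templates. It parses the FortiOS configuration text that `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` print and flags tunnels offering weaker groups, digests, or ciphers. The parser, the thresholds, the tunnel names, and the sample configuration are constructed for the example and are assumptions, not values from the guide.

```python
"""Audit FortiOS IPsec phase1/phase2 settings against the baseline the guide
states for the FortiGate-VM tunnels: DH group 14 and SHA-256.

Added example. The parser, thresholds and sample config are this example's own
constructions, not part of the Fortinet Autoscale package.
"""
from collections import defaultdict

# Baseline assumed from the guide: DH group 14 (2048-bit MODP) or stronger and
# a SHA-2 digest. Groups 1/2/5, MD5/SHA-1 and DES/3DES are treated as weak.
REQUIRED_DH = "14"
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_CIPHERS = {"des", "3des"}
PHASE_SECTIONS = ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface")


def parse_fortios_vpn(text):
    """Return {section: {tunnel: {key: value}}} for top-level config blocks.

    Handles the 'config ... / edit "name" / set k v / next / end' layout;
    config blocks nested inside an entry are skipped.
    """
    sections = defaultdict(dict)
    section = entry = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif depth == 1 and line == "next":
            entry = None
        elif depth == 1 and entry is not None and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.replace('"', "")
    return sections


def audit_tunnels(config_text):
    """Return [(section, tunnel, finding), ...]; an empty list means compliant."""
    findings = []
    cfg = parse_fortios_vpn(config_text)
    for section in PHASE_SECTIONS:
        for name, s in cfg.get(section, {}).items():
            def flag(msg):
                findings.append((section, name, msg))

            proposals = s.get("proposal", "").split()
            if not proposals:
                flag("proposal not explicitly set; FortiOS defaults apply, verify them")
            for prop in proposals:
                # Proposals are '<cipher>-<digest>'; AEAD entries such as
                # aes256gcm have no digest part and pass through untouched.
                cipher, _, digest = prop.partition("-")
                if cipher in WEAK_CIPHERS:
                    flag(f"weak cipher in proposal {prop}")
                if digest in WEAK_HASHES:
                    flag(f"weak digest in proposal {prop}")

            if section.endswith("phase2-interface") and s.get("pfs") == "disable":
                flag("PFS disabled; phase 2 keys get no fresh DH exchange")
                continue  # dhgrp is not used without PFS

            groups = s.get("dhgrp", "").split()
            if not groups:
                flag("dhgrp not explicitly set; FortiOS defaults apply, verify them")
                continue
            for g in groups:
                if g in WEAK_DH_GROUPS:
                    flag(f"weak DH group {g} offered")
            # Any numbered group above 14 (15-21, 27-32) counts as stronger.
            if REQUIRED_DH not in groups and not any(
                g.isdigit() and int(g) > 14 for g in groups
            ):
                flag(f"DH group {REQUIRED_DH} or stronger not offered")
    return findings


# Constructed sample: one tunnel matching the guide's baseline and one legacy
# tunnel with settings that should not appear on these FortiGate-VMs.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "aws-tgw-1"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
    next
    edit "legacy"
        set interface "port1"
        set proposal aes128-sha1 3des-md5
        set dhgrp 2 5
    next
end
config vpn ipsec phase2-interface
    edit "aws-tgw-1-p2"
        set phase1name "aws-tgw-1"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
    edit "legacy-p2"
        set phase1name "legacy"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
"""

if __name__ == "__main__":
    for section, tunnel, msg in audit_tunnels(SAMPLE_CONFIG):
        print(f"{section}: {tunnel}: {msg}")
```

Run it against the captured output from each member of the Auto Scaling group; any finding on a tunnel name that the primary does not have is a sign that configuration was changed on a secondary and will not survive the next scale-out. Unset `proposal` or `dhgrp` values are reported rather than judged, because the FortiOS defaults differ between releases.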
