Planning
This deployment requires familiarity with the configuration of a FortiGate using the CLI as well as with the following AWS services:
- Amazon Elastic Cloud Compute (Amazon EC2)
- Amazon EC2 Auto Scaling
- Amazon VPC
- AWS CloudFormation
- AWS Lambda
- Amazon DynamoDB
- Amazon API Gateway
- Amazon CloudWatch
- Amazon S3
If deploying with Transit Gateway integration, knowledge of the following is also required:
- AWS Transit Gateway
- Border Gateway Protocol (BGP)
- Equal-cost multi-path (ECMP)
If you are new to AWS, visit the Getting Started Resource Center and the AWS Training and Certification website.
It is expected that FortiGate Autoscale for AWS will be deployed by DevOps engineers or advanced system administrators who are familiar with the above.
Technical requirements
To start the deployment, you must have an AWS account. If you do not already have one, create one at https://aws.amazon.com/ by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN. Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.
Log into your AWS account and verify the following:
- IAM permissions. Ensure that the AWS user deploying the template has sufficient permissions to perform the required service actions on resources. At a minimum, the following are required: Service: IAM; Actions:CreateRole; Resource: *. The FortiGate Autoscale for AWS template increases the security level of the deployment stack by narrowing down the scope of access to external resources belonging to the same user account as well as restricting access to resources within the deployment.
-
Region. Use the region selector in the navigation bar to choose the AWS region where you want to deploy FortiGate Autoscale for AWS.
This deployment includes AWS Auto Scaling, which isn’t currently supported in all AWS Regions. For a current list of supported Regions, refer to the AWS documentation Service Endpoints and Quotas.
- Instance Type. This deployment offers a range of instance types, some of which are not currently supported in all AWS Regions. Ensure that your desired instance type is available in your region by checking the Instance types page for your region.
-
FortiGate subscription(s). Confirm that you have a valid subscription to the On-demand FortiGate and/or BYOL FortiGate marketplace listings, as required for your deployment.
- If you are not subscribed, open the subscription page and click Continue to Subscribe.
- Review the terms and conditions for software usage, and then choose Accept Terms. A confirmation page loads, and an email confirmation is sent to the account owner.
- Exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace.
- Key pair. Ensure at least one Amazon EC2 key pair exists in your AWS account in the region where you plan to deploy FortiGate Autoscale for AWS. Make note of the key pair name.
- Resources. If necessary, request service quota increases. This is necessary when you might exceed the default quotas with this deployment. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see the AWSdocumentation. The default instance type is c5.large.
- FortiGate licenses. Ensure you have a license for each FortiGate BYOL instance you might use. Licenses can be purchased from FortiCare. In the section BYOL license files , you will place the license files in an S3 bucket for use by the deployment.
Requirements when using an existing VPC
When using an existing VPC, there are additional requirements:
- The VPC must have the option DNS hostnames enabled.
- Each of the two Availability Zones in the VPC must have at least 1 public subnet and at least 1 private subnet.
- A VPC Endpoint for the
execute-api
service under the AWS services category is required This VPC Endpoint must have the Private DNS Name option enabled and must be associated with the VPC:
After deployment, the created Security Group must be associated with the VPC Endpoint. For details, refer to the section Post-deployment activities.