Fortinet Document Library

Version:


Table of Contents

AWS Administration Guide

7.0.0
Download PDF
Copy Link

Configuring an AWS SDN connector using IAM roles

The following summarizes minimum sufficient IAM roles for this deployment:

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"ec2:Describe*"

],

"Resource": "*",

"Effect": "Allow"

}

]

}

For instances running in AWS (on demand or BYOL), you can set up the AWS SDN connector using AWS Identify and Access Management (IAM) credentials.

IAM authentication is available only for FGT-AWS and FGT-AWSONDEMAND platforms.

To configure AWS SDN connector using the GUI:
  1. Configure the AWS SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Amazon Web Services (AWS).
    3. Enable Use metadata IAM.
    4. Configure other fields as desired.
    5. Click OK.
  2. Create a dynamic firewall address for the configured AWS SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address:
      1. From the Type dropdown list, select Dynamic.

      2. From the Sub Type dropdown list, select Fabric Connector Address.

      3. From the SDN Connector dropdown list, select the connector that you created.

      4. In the Filter field, configure the desired filter, such as SecurityGroupId=sg-05f4749cf84267548 or K8S_Region=us-west-2.

      5. Configure other fields as desired, then click OK.

  3. Ensure that the AWS SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the security group configured in step 2.

To configure AWS SDN connector using CLI commands:
  1. Configure the AWS connector:

    config system sdn-connector

    edit "aws1"

    set status enable

    set type aws

    set use-metadata-iam enable

    set update-interval 60

    next

    end

  2. Create a dynamic firewall address for the configured AWS SDN connector with the supported filter:

    Dynamic firewall address IPs are resolved by the SDN connector.

    config firewall address

    edit "aws-ec2"

    set type dynamic

    set sdn "aws1"

    set filter "SecurityGroupId=sg-05f4749cf84267548"

    set sdn-addr-type public

    next

    edit "aws-eks1"

    set type dynamic

    set sdn "aws1"

    set filter "K8S_Region=us-west-2"

    next

    end

  3. Confirm that the AWS SDN connector resolves dynamic firewall IP addresses using the configured filter:

    config firewall address

    edit "aws-ec2"

    set type dynamic

    set sdn "aws1"

    set filter "SecurityGroupId=sg-05f4749cf84267548"

    set sdn-addr-type public

    config list

    edit "34.222.246.198"

    next

    edit "54.188.139.177"

    next

    edit "54.218.229.229"

    next

    end

    next

    edit "aws-eks1"

    set type dynamic

    set sdn "aws1"

    set filter "K8S_Region=us-west-2"

    config list

    edit "192.168.114.197"

    next

    edit "192.168.167.20"

    next

    edit "192.168.180.72"

    next

    edit "192.168.181.186"

    next

    edit "192.168.210.107"

    next

    end

    next

    end

Configuring an AWS SDN connector using IAM roles

The following summarizes minimum sufficient IAM roles for this deployment:

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"ec2:Describe*"

],

"Resource": "*",

"Effect": "Allow"

}

]

}

For instances running in AWS (on demand or BYOL), you can set up the AWS SDN connector using AWS Identify and Access Management (IAM) credentials.

IAM authentication is available only for FGT-AWS and FGT-AWSONDEMAND platforms.

To configure AWS SDN connector using the GUI:
  1. Configure the AWS SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Amazon Web Services (AWS).
    3. Enable Use metadata IAM.
    4. Configure other fields as desired.
    5. Click OK.
  2. Create a dynamic firewall address for the configured AWS SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address:
      1. From the Type dropdown list, select Dynamic.

      2. From the Sub Type dropdown list, select Fabric Connector Address.

      3. From the SDN Connector dropdown list, select the connector that you created.

      4. In the Filter field, configure the desired filter, such as SecurityGroupId=sg-05f4749cf84267548 or K8S_Region=us-west-2.

      5. Configure other fields as desired, then click OK.

  3. Ensure that the AWS SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the security group configured in step 2.

To configure AWS SDN connector using CLI commands:
  1. Configure the AWS connector:

    config system sdn-connector

    edit "aws1"

    set status enable

    set type aws

    set use-metadata-iam enable

    set update-interval 60

    next

    end

  2. Create a dynamic firewall address for the configured AWS SDN connector with the supported filter:

    Dynamic firewall address IPs are resolved by the SDN connector.

    config firewall address

    edit "aws-ec2"

    set type dynamic

    set sdn "aws1"

    set filter "SecurityGroupId=sg-05f4749cf84267548"

    set sdn-addr-type public

    next

    edit "aws-eks1"

    set type dynamic

    set sdn "aws1"

    set filter "K8S_Region=us-west-2"

    next

    end

  3. Confirm that the AWS SDN connector resolves dynamic firewall IP addresses using the configured filter:

    config firewall address

    edit "aws-ec2"

    set type dynamic

    set sdn "aws1"

    set filter "SecurityGroupId=sg-05f4749cf84267548"

    set sdn-addr-type public

    config list

    edit "34.222.246.198"

    next

    edit "54.188.139.177"

    next

    edit "54.218.229.229"

    next

    end

    next

    edit "aws-eks1"

    set type dynamic

    set sdn "aws1"

    set filter "K8S_Region=us-west-2"

    config list

    edit "192.168.114.197"

    next

    edit "192.168.167.20"

    next

    edit "192.168.180.72"

    next

    edit "192.168.181.186"

    next

    edit "192.168.210.107"

    next

    end

    next

    end