GCP Administration Guide

Adding instances to the protected subnet

Once the deployment has completed, you can create an Instance group and add VMs to the protected subnet, behind the internal load balancer.

In GCP, each NIC of an instance must reside in a separate VPC. In this deployment, the FortiGate has two NICs: one in the exposed public subnet/VPC and the other in the protected subnet/VPC. By default, the protected subnet is named fortigateautoscale-protected-subnet-CLUSTER-SUFFIX.

The default FortiGate configuration located under /assets/configset/baseconfig specifies a VIP on port 80 and a VIP on port 443, with a policy that points to an internal load balancer.

Note

In FortiOS 6.2.3, VIPs created on the primary instance do not sync to the secondary instances. Any VIP you wish to add must be added as part of the baseconfig.

The following illustrates adding a basic unmanaged Instance group into the protected subnet and internal load balancer.

  1. Create the VM, ensuring that it resides within the proper region, VPC and subnet:

    Add VM instance

  2. Create an Instance group:

    Add Instance group

  3. Under Network services > Load balancing, choose the Internal load balancer, select Backend configuration, and add the new Instance group.

    Add new Instance group to the internal load balancer
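
The three console steps above can also be expressed with the gcloud CLI. The script below is an added example, not part of the original guide: it checks that the zone belongs to the deployment region, derives the default protected subnet name from the cluster suffix, and prints the commands for review. The cluster suffix, region, zone, VPC name, backend service name, VM name and group name are all constructed placeholders.

```shell
#!/bin/sh
# Added example: dry-run plan for steps 1-3. All values below are
# constructed placeholders; replace them with those of your deployment.
CLUSTER_SUFFIX="abcde"
REGION="us-central1"
ZONE="us-central1-a"
PROTECTED_VPC="PROTECTED-VPC-NAME"      # placeholder: VPC name is not given in the guide
BACKEND_SERVICE="INTERNAL-LB-BACKEND"   # placeholder: backend service of the internal LB
VM_NAME="protected-web-1"               # hypothetical VM name
GROUP_NAME="protected-web-group"        # hypothetical Instance group name

# Default protected subnet name, following the pattern given in the guide.
protected_subnet() {
  printf 'fortigateautoscale-protected-subnet-%s' "$1"
}

# Succeeds only if zone $1 belongs to region $2 (zones are "<region>-<letter>").
zone_in_region() {
  case "$1" in
    "$2"-?) return 0 ;;
    *)      return 1 ;;
  esac
}

# Prints the gcloud commands; refuses if the VM would land outside the region.
plan() {
  zone_in_region "$ZONE" "$REGION" || {
    echo "zone $ZONE is not in region $REGION" >&2
    return 1
  }
  subnet=$(protected_subnet "$CLUSTER_SUFFIX")
  # Step 1: create the VM in the protected VPC and subnet.
  echo "gcloud compute instances create $VM_NAME --zone=$ZONE --network=$PROTECTED_VPC --subnet=$subnet"
  # Step 2: create an unmanaged Instance group and add the VM to it.
  echo "gcloud compute instance-groups unmanaged create $GROUP_NAME --zone=$ZONE"
  echo "gcloud compute instance-groups unmanaged add-instances $GROUP_NAME --zone=$ZONE --instances=$VM_NAME"
  # Step 3: add the group as a backend of the internal load balancer.
  echo "gcloud compute backend-services add-backend $BACKEND_SERVICE --region=$REGION --instance-group=$GROUP_NAME --instance-group-zone=$ZONE"
}

plan
```

Review the printed commands and, once the placeholders match your deployment, pipe the output to `sh` to apply them.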