SDN connector support for alternate resources
In 7.2.4 and later versions, the FortiOS AWS SDN connector supports querying AWS for resource elastic IP addresses (EIP) based on resource attributes such as the owner ID, resource descriptions, and tags.
To configure an AWS SDN connector to query AWS alternate resources in the CLI:
config system sdn-connector
    edit "aws1"
        set status enable
        set type aws
        set access-key <accesskey>
        set secret-key <secretkey>
        set region "us-west-2"
        set vpc-id ''
        set alt-resource-ip enable
        set update-interval 30
    next
end
To create an address object in the CLI:
config firewall address
    edit "aws-alt-resource-ip-NetLB-PrivateIPs"
        set type dynamic
        set sub-type sdn
        set sdn <connectorname>
        set comment ''
        set associated-interface ''
        set color 0
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        set sdn-addr-type {private | public | all}
        set fabric-object disable
    next
end

The filter accepts up to three key=value terms:

FGVM04TM######### (aws-alt-resource~ace) # set filter <key1=value1> [& <key2=value2>] [| <key3=value3>]
Filter keys
The following filter keys are supported for AWS alternate resources:
- <InterfaceId>
- <InterfaceType>
- <SubnetId>
- <OwnerId>
- <Description>
- <VpcId>
- <Tag>
- <PrivateDnsName>
- <PublicDnsName>
- <SecurityGroupId>
For more information, see DescribeNetworkInterfaces.
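The following is an added illustration, not FortiOS or Fortinet code, of how a filter in the syntax above resolves to the address list of a dynamic address object. It parses key=value terms joined by & and |, evaluates them against records shaped like the EC2 DescribeNetworkInterfaces response, and returns the private, public, or all addresses depending on the SDN address type, using the same filters as the examples in the next section. The sample records are constructed for this example; the page does not state the evaluation order of & and |, so the assumption that & binds tighter than | (and that matching is exact and case-sensitive) is this example's, not the product's.

```python
"""Added illustration (not FortiOS code) of how an SDN-connector filter such as
'Description=ELB app/net-lb/afbb52e2591b3eee' resolves to the address list of
a dynamic address object. Records are shaped like the EC2
DescribeNetworkInterfaces response and are constructed for this example.

Assumptions not stated on the page: '&' binds tighter than '|', comparisons
are exact and case-sensitive, and Tag.<key>=<value> compares against TagSet.
"""

# Filter keys listed on the page (Tag.<key> is handled as a prefix).
FILTER_KEYS = {
    "InterfaceId", "InterfaceType", "SubnetId", "OwnerId", "Description",
    "VpcId", "PrivateDnsName", "PublicDnsName", "SecurityGroupId",
}

# Constructed sample data: two NLB interfaces (one per subnet), two GWLB
# interfaces and one WorkSpace interface. Public IPs use the documentation
# range 203.0.113.0/24 because the page masks them as 54.165.XX.XX.
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-0nlb00001", "InterfaceType": "network_load_balancer",
     "SubnetId": "subnet-0a1", "VpcId": "vpc-0abc", "OwnerId": "123456789012",
     "Description": "ELB app/net-lb/afbb52e2591b3eee",
     "PrivateIpAddress": "172.31.11.206",
     "Association": {"PublicIp": "203.0.113.10"}, "Groups": [], "TagSet": []},
    {"NetworkInterfaceId": "eni-0nlb00002", "InterfaceType": "network_load_balancer",
     "SubnetId": "subnet-0b2", "VpcId": "vpc-0abc", "OwnerId": "123456789012",
     "Description": "ELB app/net-lb/afbb52e2591b3eee",
     "PrivateIpAddress": "172.31.32.47",
     "Association": {"PublicIp": "203.0.113.11"}, "Groups": [], "TagSet": []},
    {"NetworkInterfaceId": "eni-0gwlb0001", "InterfaceType": "gateway_load_balancer",
     "SubnetId": "subnet-0b2", "VpcId": "vpc-0abc", "OwnerId": "123456789012",
     "Description": "ELB gwy/gw-lb/0000000000000001",
     "PrivateIpAddress": "172.31.47.24", "Groups": [], "TagSet": []},
    {"NetworkInterfaceId": "eni-0gwlb0002", "InterfaceType": "gateway_load_balancer",
     "SubnetId": "subnet-0a1", "VpcId": "vpc-0abc", "OwnerId": "123456789012",
     "Description": "ELB gwy/gw-lb/0000000000000001",
     "PrivateIpAddress": "172.31.5.201", "Groups": [], "TagSet": []},
    {"NetworkInterfaceId": "eni-0wks00001", "InterfaceType": "interface",
     "SubnetId": "subnet-0a1", "VpcId": "vpc-0abc", "OwnerId": "123456789012",
     "Description": "WorkSpace network interface",
     "PrivateIpAddress": "172.31.1.50",
     "Association": {"PublicIp": "203.0.113.20"},
     "Groups": [{"GroupId": "sg-05011306bf07bc753"}],
     "TagSet": [{"Key": "workspace", "Value": "alt-resource"}]},
]


def parse_filter(expr):
    """Parse '<k1=v1> [& <k2=v2>] [| <k3=v3>]' into OR-ed groups of AND-ed terms."""
    groups = []
    for clause in expr.split("|"):
        terms = []
        for term in clause.split("&"):
            if "=" not in term:
                raise ValueError(f"filter term is not key=value: {term.strip()!r}")
            key, value = (s.strip() for s in term.split("=", 1))
            if key not in FILTER_KEYS and not key.startswith("Tag."):
                raise ValueError(f"unsupported filter key: {key!r}")
            terms.append((key, value))
        groups.append(terms)
    return groups


def _field_values(iface, key):
    """Values of the record field a filter key compares against. A list,
    because one interface can carry several security groups or tags."""
    if key == "InterfaceId":
        return [iface.get("NetworkInterfaceId")]
    if key == "SecurityGroupId":
        return [g["GroupId"] for g in iface.get("Groups", [])]
    if key == "PublicDnsName":
        return [iface.get("Association", {}).get("PublicDnsName")]
    if key.startswith("Tag."):
        return [t["Value"] for t in iface.get("TagSet", []) if t["Key"] == key[4:]]
    return [iface.get(key)]


def matches(iface, groups):
    """True when any OR group has all of its AND terms satisfied."""
    return any(all(value in _field_values(iface, key) for key, value in terms)
               for terms in groups)


def resolve(expr, interfaces, addr_type="private"):
    """Return the sorted address list the dynamic object would contain."""
    if addr_type not in ("private", "public", "all"):
        raise ValueError(f"unknown sdn-addr-type: {addr_type!r}")
    groups = parse_filter(expr)
    addrs = set()
    for iface in interfaces:
        if not matches(iface, groups):
            continue
        if addr_type in ("private", "all") and iface.get("PrivateIpAddress"):
            addrs.add(iface["PrivateIpAddress"])
        if addr_type in ("public", "all"):
            public = iface.get("Association", {}).get("PublicIp")
            if public:
                addrs.add(public)
    return sorted(addrs)


if __name__ == "__main__":
    for expr, kind in [("Description=ELB app/net-lb/afbb52e2591b3eee", "private"),
                       ("InterfaceType=gateway_load_balancer", "private"),
                       ("Tag.workspace=alt-resource", "all")]:
        print(f"{expr} [{kind}] -> {resolve(expr, SAMPLE_INTERFACES, kind)}")
```

The model makes the operational risk of the filter visible: a term such as OwnerId=123456789012 alone matches every interface in the account, so a policy built on it would admit far more addresses than intended, while a specific Description or SecurityGroupId term keeps the object tight. After changing a filter, confirm the resolved list (the config list shown by show in the CLI examples) contains only the expected addresses.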
Examples
The following provides examples of this feature in use.
Subnet ranges are 172.31.0.0/20 and 172.31.32.0/20 in the private IP address examples.
Query load balancer private EIP based on description
To configure this address object in the GUI:
- In FortiOS, go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector Address.
- From the SDN Connector dropdown list, select the AWS SDN connector.
- For SDN address type, select Private.
- In the Filter field, enter Description=ELB app/net-lb/afbb52e2591b3eee.
- Click OK.
To configure this address object in the CLI:
FGVM04TM###### (address) # edit aws-alt-resource-ip-NetLB-PrivateIPs
FGVM04TM###### (aws-alt-resource~IPs) # show
config firewall address
    edit "aws-alt-resource-ip-NetLB-PrivateIPs"
        set uuid e94c3c1e-69c1-51ed-60d9-3e7d4d743b30
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        config list
            edit "172.31.11.206"
            next
            edit "172.31.32.47"
            next
        end
    next
end
Query load balancer public EIP based on description
To configure this address object in the GUI:
- In FortiOS, go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector Address.
- From the SDN Connector dropdown list, select the AWS SDN connector.
- For SDN address type, select Public.
- In the Filter field, enter Description=ELB app/net-lb/afbb52e2591b3eee.
- Click OK.
To configure this address object in the CLI:
FGVM04TM###### (address) # edit aws-alt-resource-ip-NetLB-PublicIPs
FGVM04TM###### (aws-alt-resource~IPs) # show
config firewall address
    edit "aws-alt-resource-ip-NetLB-PublicIPs"
        set uuid 5c03cec0-69c2-51ed-4fb0-4e1425b62620
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        set sdn-addr-type public
        config list
            edit "54.165.XX.XX"
            next
            edit "54.225.XX.XX"
            next
        end
    next
end
Query dynamic address object based on interface type
To configure this address object in the GUI:
- In FortiOS, go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector Address.
- From the SDN Connector dropdown list, select the AWS SDN connector.
- For SDN address type, select Private.
- In the Filter field, enter InterfaceType=gateway_load_balancer.
- Click OK.
To configure this address object in the CLI:
config firewall address
    edit "aws-alt-resource-interfacetype"
        set uuid 8faa639a-69f1-51ed-fa58-01bfd8fe3a72
        set type dynamic
        set sub-type sdn
        set sdn "aws-alt-resource-ip"
        set comment ''
        set associated-interface ''
        set color 0
        set filter "InterfaceType=gateway_load_balancer"
        set sdn-addr-type private
        config list
            edit "172.31.47.24"
            next
            edit "172.31.5.201"
            next
        end
        set fabric-object disable
    next
end
Query dynamic address object based on WorkSpace tag
Because of the way WorkSpaces are deployed, the WorkSpace network interfaces must carry the WorkSpace tag; if they do not, assign the tag to the WorkSpace instance.
To configure this address object in the GUI:
- In FortiOS, go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector Address.
- From the SDN Connector dropdown list, select the AWS SDN connector.
- For SDN address type, select All.
- In the Filter field, enter Tag.workspace=alt-resource.
- Click OK.
The tag filter format is Tag.keyname=valueoftag; in this example, workspace is the tag key and alt-resource is its value.
To configure this address object in the CLI:
FGVM04TM####### (address) # edit aws-alt-workspace-tag
FGVM04TM###### (aws-alt-workspac~tag) # show
config firewall address
    edit "aws-alt-workspace-tag"
        set uuid 1cfc1368-69c7-51ed-ff14-ed1ec99e8a73
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Tag.workspace=alt-resource"
        set sdn-addr-type all
        config list
            edit "172.31.1.XX"
            next
            edit "23.21.70.XX"
            next
        end
    next
end
Query dynamic address object based on security group
To configure this address object in the GUI:
- In FortiOS, go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector Address.
- From the SDN Connector dropdown list, select the AWS SDN connector.
- For SDN address type, select All.
- In the Filter field, enter SecurityGroupId=sg-05011306bf07bc753.
- Click OK.
To configure this address object in the CLI:
FGVM04TM22001205 (address) # edit aws-alt-workspace-secgroup
FGVM04TM22001205 (aws-alt-workspac~oup) # show
config firewall address
    edit "aws-alt-workspace-secgroup"
        set uuid da0363be-69cf-51ed-a282-01b64d23715f
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "SecurityGroupId=sg-05011306bf07bc753"
        set sdn-addr-type all
        config list
            edit "172.31.1.XX"
            next
            edit "23.21.70.XX"
            next
        end
    next
end