AWS Administration Guide

SDN connector support for alternate resources

In 7.2.4 and later versions, the FortiOS AWS SDN connector supports querying AWS for the private and elastic (public) IP addresses of alternate resources, that is, network interfaces that do not belong to EC2 instances, such as those of load balancers and WorkSpaces, selected by interface attributes such as the owner ID, description, and tags. The query uses the EC2 DescribeNetworkInterfaces API, so the access key configured on the connector must belong to an IAM principal that is allowed ec2:DescribeNetworkInterfaces; grant that principal only the read-only permissions the connector needs.

To configure an AWS SDN connector to query AWS alternate resources in the CLI (alt-resource-ip enables the query; update-interval is the polling interval in seconds):
config system sdn-connector
    edit "aws1"
        set status enable
        set type aws
        set access-key <accesskey>
        set secret-key <secretkey>
        set region "us-west-2"
        set vpc-id ''
        set alt-resource-ip enable
        set update-interval 30
    next
end
To create a dynamic address object that resolves through the connector in the CLI (sdn-addr-type selects whether the object is populated with the matching interfaces' private addresses, their public addresses, or both):
config firewall address
    edit "aws-alt-resource-ip-NetLB-PrivateIPs"
        set type dynamic
        set sub-type sdn
        set sdn <connectorname>
        set comment ''
        set associated-interface ''
        set color 0
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        set sdn-addr-type {private | public | all}
        set fabric-object disable
    next
end
The filter is one or more key=value terms. Terms joined with & must all match the same network interface; | separates alternatives, any one of which is sufficient:
FGVM04TM######### (aws-alt-resource~ace) # set filter
<key1=value1>    [& <key2=value2>] [| <key3=value3>]

Filter keys

The following filter keys are supported for AWS alternate resources. Each key corresponds to an attribute of the network interface as returned by the AWS DescribeNetworkInterfaces API; Tag is written as Tag.<key>=<value>:

  • <InterfaceId>
  • <InterfaceType>
  • <SubnetId>
  • <OwnerId>
  • <Description>
  • <VpcId>
  • <Tag>
  • <PrivateDnsName>
  • <PublicDnsName>
  • <SecurityGroupId>

For more information, see DescribeNetworkInterfaces.
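As an added illustration (not FortiOS code, and not Fortinet's implementation), the following Python models how a filter of the form above is evaluated against DescribeNetworkInterfaces records and how sdn-addr-type decides which addresses of the matching interfaces end up in the address object. The interface, subnet, VPC and account IDs and the public IPs are constructed; the private IPs and filter strings are the ones used in the examples on this page. Two points are assumptions rather than documented FortiOS behaviour: & binds tighter than |, and matching is exact and case-sensitive (AWS tag keys are). The same resolve() function can be fed the NetworkInterfaces list returned by boto3's ec2.describe_network_interfaces() to preview what the connector will import before a policy depends on it.

```python
"""Model of how an AWS alternate-resource filter selects addresses.

Added illustration only, not FortiOS code. Evaluates 'k1=v1 [& k2=v2] [| k3=v3]'
against records shaped like the NetworkInterfaces[] entries returned by the EC2
DescribeNetworkInterfaces API. Assumptions: '&' binds tighter than '|', and
matching is exact and case-sensitive.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

SIMPLE_KEYS = ("InterfaceType", "SubnetId", "OwnerId", "Description", "VpcId", "PrivateDnsName")


def _eni(iface_id, itype, desc, private, public=None, groups=(), tags=(),
         subnet="subnet-0a00000000000001"):
    """Build one constructed DescribeNetworkInterfaces-style record (all IDs made up)."""
    addr: Dict[str, Any] = {"PrivateIpAddress": private}
    if public:  # a public/elastic IP is reported through the address Association
        addr["Association"] = {"PublicIp": public,
                               "PublicDnsName": f"ec2-{public.replace('.', '-')}.compute-1.amazonaws.com"}
    return {"NetworkInterfaceId": iface_id, "InterfaceType": itype, "Description": desc,
            "SubnetId": subnet, "VpcId": "vpc-0a000000000000001", "OwnerId": "123456789012",
            "PrivateDnsName": f"ip-{private.replace('.', '-')}.us-west-2.compute.internal",
            "PrivateIpAddresses": [addr],
            "Groups": [{"GroupId": g} for g in groups],
            "TagSet": [{"Key": k, "Value": v} for k, v in tags]}


# Constructed sample inventory: private IPs and filter values follow the page's
# examples; the public IPs and every AWS identifier are invented.
SAMPLE_ENIS = [
    _eni("eni-0a0000000000000a1", "network_load_balancer",
         "ELB app/net-lb/afbb52e2591b3eee", "172.31.11.206", public="54.165.10.20"),
    _eni("eni-0a0000000000000a2", "network_load_balancer",
         "ELB app/net-lb/afbb52e2591b3eee", "172.31.32.47", public="54.225.30.40",
         subnet="subnet-0a00000000000002"),
    _eni("eni-0a0000000000000b1", "gateway_load_balancer", "ELB gwy/gwlb/0123456789abcdef",
         "172.31.47.24", subnet="subnet-0a00000000000002"),
    _eni("eni-0a0000000000000b2", "gateway_load_balancer", "ELB gwy/gwlb/0123456789abcdef",
         "172.31.5.201"),
    _eni("eni-0a0000000000000c1", "interface", "", "172.31.1.50", public="23.21.70.80",
         groups=("sg-05011306bf07bc753",), tags=(("workspace", "alt-resource"),)),
    _eni("eni-0a0000000000000c2", "interface", "", "172.31.2.60",
         groups=("sg-0bbbbbbbbbbbbbbbb",), tags=(("workspace", "other"),)),
]

_TERM = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_.-]*)=(.*?)\s*$")


def parse_filter(expr: str) -> List[List[Tuple[str, str]]]:
    """Split 'k1=v1 & k2=v2 | k3=v3' into OR-groups of AND-terms."""
    groups = []
    for alternative in expr.split("|"):
        terms = []
        for term in alternative.split("&"):
            m = _TERM.match(term)
            if not m:
                raise ValueError(f"malformed filter term: {term!r}")
            terms.append((m.group(1), m.group(2)))
        groups.append(terms)
    return groups


def eni_values(eni: Dict[str, Any], key: str) -> List[str]:
    """Values of the interface attribute a filter key refers to."""
    if key.startswith("Tag."):          # Tag.<name>=<value>; tag keys are case-sensitive
        name = key[len("Tag."):]
        return [t["Value"] for t in eni.get("TagSet", []) if t["Key"] == name]
    if key == "SecurityGroupId":        # any attached group may match
        return [g["GroupId"] for g in eni.get("Groups", [])]
    if key == "InterfaceId":
        return [eni["NetworkInterfaceId"]]
    if key == "PublicDnsName":
        return [a["Association"]["PublicDnsName"]
                for a in eni["PrivateIpAddresses"] if "Association" in a]
    if key in SIMPLE_KEYS:
        return [eni.get(key, "")]
    raise ValueError(f"unsupported filter key: {key}")


def matches(eni: Dict[str, Any], expr: str) -> bool:
    """True when any OR-group has all of its AND-terms satisfied by this interface."""
    return any(all(value in eni_values(eni, key) for key, value in group)
               for group in parse_filter(expr))


def resolve(enis: List[Dict[str, Any]], expr: str, addr_type: str = "private") -> List[str]:
    """Addresses the dynamic address object would list for this filter and sdn-addr-type."""
    if addr_type not in ("private", "public", "all"):
        raise ValueError("sdn-addr-type must be private, public or all")
    found = set()
    for eni in enis:
        if not matches(eni, expr):
            continue
        for a in eni["PrivateIpAddresses"]:
            if addr_type != "public":
                found.add(a["PrivateIpAddress"])
            if addr_type != "private" and "Association" in a:
                found.add(a["Association"]["PublicIp"])
    return sorted(found, key=ipaddress.ip_address)


if __name__ == "__main__":
    for expr, kind in [("Description=ELB app/net-lb/afbb52e2591b3eee", "private"),
                       ("Description=ELB app/net-lb/afbb52e2591b3eee", "public"),
                       ("InterfaceType=gateway_load_balancer", "private"),
                       ("Tag.workspace=alt-resource", "all"),
                       ("Tag.WorkSpace=alt-resource", "all"),  # wrong key case: no match
                       ("SecurityGroupId=sg-05011306bf07bc753", "all")]:
        print(f"{expr!r:50} {kind:8} -> {resolve(SAMPLE_ENIS, expr, kind)}")
```

The Tag.WorkSpace line in the demo is the failure mode to watch for: a tag key with different capitalisation from the one on the interface yields an empty address object, and a policy that references it silently matches nothing.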

Examples

The following examples show the feature in use. They use an AWS SDN connector named aws-alt-resource-ip, and the entries shown under config list in each show output are populated by the connector from the query results, not entered by hand.

Note

In the private IP address examples, the subnet ranges are 172.31.0.0/20 and 172.31.32.0/20.

Query load balancer private IP addresses based on description

To configure this address object in the GUI:
  1. In FortiOS, go to Policy & Objects > Addresses.
  2. Click Create New, then select Address.
  3. From the Type dropdown list, select Dynamic.
  4. From the Sub Type dropdown list, select Fabric Connector Address.
  5. From the SDN Connector dropdown list, select the AWS SDN connector.
  6. For SDN address type, select Private.
  7. In the Filter field, enter Description=ELB app/net-lb/afbb52e2591b3eee.
  8. Click OK.
To configure this address object in the CLI (private is the default SDN address type, so show does not display it):
FGVM04TM###### (address) # edit aws-alt-resource-ip-NetLB-PrivateIPs
FGVM04TM###### (aws-alt-resource~IPs) # show
config firewall address
    edit "aws-alt-resource-ip-NetLB-PrivateIPs"
        set uuid e94c3c1e-69c1-51ed-60d9-3e7d4d743b30
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        config list
            edit "172.31.11.206"
            next
            edit "172.31.32.47"
            next
        end
    next
end

Query load balancer public (elastic) IP addresses based on description

To configure this address object in the GUI:
  1. In FortiOS, go to Policy & Objects > Addresses.
  2. Click Create New, then select Address.
  3. From the Type dropdown list, select Dynamic.
  4. From the Sub Type dropdown list, select Fabric Connector Address.
  5. From the SDN Connector dropdown list, select the AWS SDN connector.
  6. For SDN address type, select Public.
  7. In the Filter field, enter Description=ELB app/net-lb/afbb52e2591b3eee.
  8. Click OK.
To configure this address object in the CLI:
FGVM04TM###### (address) # edit aws-alt-resource-ip-NetLB-PublicIPs
FGVM04TM###### (aws-alt-resource~IPs) # show
config firewall address
    edit "aws-alt-resource-ip-NetLB-PublicIPs"
        set uuid 5c03cec0-69c2-51ed-4fb0-4e1425b62620
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Description=ELB app/net-lb/afbb52e2591b3eee"
        set sdn-addr-type public
        config list
            edit "54.165.XX.XX"
            next
            edit "54.225.XX.XX"
            next
        end
    next
end

Query dynamic address object based on interface type

To configure this address object in the GUI:
  1. In FortiOS, go to Policy & Objects > Addresses.
  2. Click Create New, then select Address.
  3. From the Type dropdown list, select Dynamic.
  4. From the Sub Type dropdown list, select Fabric Connector Address.
  5. From the SDN Connector dropdown list, select the AWS SDN connector.
  6. For SDN address type, select Private.
  7. In the Filter field, enter InterfaceType=gateway_load_balancer.
  8. Click OK.
To configure this address object in the CLI:
config firewall address
    edit "aws-alt-resource-interfacetype"
        set uuid 8faa639a-69f1-51ed-fa58-01bfd8fe3a72
        set type dynamic
        set sub-type sdn
        set sdn "aws-alt-resource-ip"
        set comment ''
        set associated-interface ''
        set color 0
        set filter "InterfaceType=gateway_load_balancer"
        set sdn-addr-type private
        config list
            edit "172.31.47.24"
            next
            edit "172.31.5.201"
            next
        end
        set fabric-object disable
    next
end

Query dynamic address object based on WorkSpace tag

Note

Because of how WorkSpaces are deployed, the WorkSpace network interfaces must carry the tag that the filter matches; if they do not, assign the tag to the WorkSpace interface or instance yourself.

To configure this address object in the GUI:
  1. In FortiOS, go to Policy & Objects > Addresses.
  2. Click Create New, then select Address.
  3. From the Type dropdown list, select Dynamic.
  4. From the Sub Type dropdown list, select Fabric Connector Address.
  5. From the SDN Connector dropdown list, select the AWS SDN connector.
  6. For SDN address type, select All.
  7. In the Filter field, enter Tag.workspace=alt-resource.
  8. Click OK.
To configure this address object in the CLI:

The tag filter syntax is Tag.<keyname>=<value>; here workspace is the tag key and alt-resource is its value. AWS tag keys and values are case-sensitive, so write the key exactly as it appears on the interface.

FGVM04TM####### (address) # edit aws-alt-workspace-tag
FGVM04TM###### (aws-alt-workspac~tag) # show
config firewall address
    edit "aws-alt-workspace-tag"
        set uuid 1cfc1368-69c7-51ed-ff14-ed1ec99e8a73
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "Tag.workspace=alt-resource"
        set sdn-addr-type all
        config list
            edit "172.31.1.XX"
            next
            edit "23.21.70.XX"
            next
        end
    next
end

Query dynamic address object based on security group

To configure this address object in the GUI:
  1. In FortiOS, go to Policy & Objects > Addresses.
  2. Click Create New, then select Address.
  3. From the Type dropdown list, select Dynamic.
  4. From the Sub Type dropdown list, select Fabric Connector Address.
  5. From the SDN Connector dropdown list, select the AWS SDN connector.
  6. For SDN address type, select All.
  7. In the Filter field, enter SecurityGroupId=sg-05011306bf07bc753.
  8. Click OK.
To configure this address object in the CLI:
FGVM04TM22001205 (address) # edit aws-alt-workspace-secgroup
FGVM04TM22001205 (aws-alt-workspac~oup) # show
config firewall address
    edit "aws-alt-workspace-secgroup"
        set uuid da0363be-69cf-51ed-a282-01b64d23715f
        set type dynamic
        set sdn "aws-alt-resource-ip"
        set filter "SecurityGroupId=sg-05011306bf07bc753"
        set sdn-addr-type all
        config list
            edit "172.31.1.XX"
            next
            edit "23.21.70.XX"
            next
        end
    next
end
