
GCP Administration Guide

Creating the external LB

A Google Cloud load balancer (LB) is not a single object but a set of resources tied together: a health check, a backend service, the instance groups it points at, a reserved address, and a forwarding rule. Some of these can be shared between the external and internal LBs (the health check created below is reused by both); others cannot, because they are bound to one load-balancing scheme (the backend service and forwarding rule are created with --load-balancing-scheme=EXTERNAL and serve only the external LB).

The external LB forwards packets between the Internet and the active FortiGate instance, that is, whichever cluster member is currently answering the health check.

To create the external LB:
  1. Create a shared health check. It probes the FortiGate probe responder on TCP port 8008, which must be enabled on the cluster (config system probe-response, set port 8008, set mode http-probe); otherwise no backend ever becomes healthy and the LB drops all traffic:

    gcloud compute health-checks create http fgt-hcheck-tcp8008 --region=$REGION \
      --port=8008 \
      --timeout=2s \
      --healthy-threshold=1

  2. Create a backend service and add both zonal instance groups to it. Use the same backend service name (here fgtelb-bes-$REGION_LABEL) in every command; the forwarding rule in step 3 refers to it by that name:
    gcloud compute backend-services create fgtelb-bes-$REGION_LABEL --region=$REGION \
      --load-balancing-scheme=EXTERNAL \
      --protocol=UNSPECIFIED \
      --health-checks=fgt-hcheck-tcp8008 \
      --health-checks-region=$REGION \
      --connection-persistence-on-unhealthy-backends=NEVER_PERSISTS
    gcloud compute backend-services add-backend fgtelb-bes-$REGION_LABEL --region=$REGION \
      --instance-group=fgt-umig-$ZONE1_LABEL \
      --instance-group-zone=$ZONE1
    gcloud compute backend-services add-backend fgtelb-bes-$REGION_LABEL --region=$REGION \
      --instance-group=fgt-umig-$ZONE2_LABEL \
      --instance-group-zone=$ZONE2
    
  3. Reserve a public IP address and create a forwarding rule that hands every protocol and port on that address to the backend service:

    gcloud compute addresses create fgtelb-serv1-eip-$REGION_LABEL --region=$REGION
    gcloud compute forwarding-rules create fgtelb-serv1-fwd-$REGION_LABEL-l3 --region=$REGION \
      --address=fgtelb-serv1-eip-$REGION_LABEL \
      --ip-protocol=L3_DEFAULT \
      --ports=ALL \
      --load-balancing-scheme=EXTERNAL \
      --backend-service=fgtelb-bes-$REGION_LABEL

  4. Repeat step 3 once for each additional public IP address you want attached to the cluster, using a distinct address name and forwarding-rule name each time.
  5. Allow the traffic to reach the FortiGates with VPC firewall ALLOW rules on the external network: one rule from the Google health-check prober ranges (35.191.0.0/16 and 130.211.0.0/22) to TCP port 8008, and one rule for the client traffic the forwarding rule delivers (all protocols and ports, since the rule uses L3_DEFAULT with --ports=ALL). Scope both rules to the FortiGate instances (for example by network tag) rather than to the whole network. Because the forwarding rule passes everything through, the FortiGate firewall policies, not the cloud firewall, are what decide which traffic reaches the protected workloads.
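The five steps above as one script, added here as an example and not taken from the Fortinet guide or its deployment templates. It keeps the backend service name consistent across every command, scopes the step 5 firewall rules to a network tag, and ends with a backend health query so you can confirm the active FortiGate is answering the probe before sending traffic. The region, zone, VPC name (fgt-external-vpc) and network tag (fgt) are placeholder assumptions; the prober source ranges are the ones Google Cloud documents for its health checkers. Run it as `sh script.sh plan` to print the commands without executing them, or `sh script.sh apply` to run them.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): builds the whole external LB
# with consistent names, tag-scoped firewall rules and a health verification.
# Assumptions: the region/zone values, the external VPC name and the "fgt"
# network tag are placeholders; HC_RANGES are Google's documented prober ranges.
set -eu

REGION=europe-west1; REGION_LABEL=ew1             # assumed
ZONE1=europe-west1-b; ZONE1_LABEL=b                # assumed
ZONE2=europe-west1-c; ZONE2_LABEL=c                # assumed
VPC_EXT=fgt-external-vpc                           # assumed external VPC name
FGT_TAG=fgt                                        # assumed tag on FortiGate VMs
HC_RANGES=35.191.0.0/16,130.211.0.0/22             # Google health-check probers
GCLOUD="${GCLOUD:-gcloud}"                         # GCLOUD=echo gives a dry run

HC=fgt-hcheck-tcp8008
BES="fgtelb-bes-$REGION_LABEL"

# Step 1: one regional HTTP health check, reused later by the internal LB.
create_health_check() {
  "$GCLOUD" compute health-checks create http "$HC" --region="$REGION" \
    --port=8008 --timeout=2s --healthy-threshold=1
}

# Step 2: regional EXTERNAL backend service with the two zonal instance groups.
# $BES is the single name every later command refers to.
create_backend_service() {
  "$GCLOUD" compute backend-services create "$BES" --region="$REGION" \
    --load-balancing-scheme=EXTERNAL --protocol=UNSPECIFIED \
    --health-checks="$HC" --health-checks-region="$REGION" \
    --connection-persistence-on-unhealthy-backends=NEVER_PERSISTS
  for pair in "$ZONE1_LABEL:$ZONE1" "$ZONE2_LABEL:$ZONE2"; do
    "$GCLOUD" compute backend-services add-backend "$BES" --region="$REGION" \
      --instance-group="fgt-umig-${pair%%:*}" --instance-group-zone="${pair##*:}"
  done
}

# Steps 3 and 4: a public IP plus an L3_DEFAULT/all-ports forwarding rule for
# one published service; call once per public IP the cluster needs.
create_service_ip() {
  svc="$1"
  "$GCLOUD" compute addresses create "fgtelb-$svc-eip-$REGION_LABEL" --region="$REGION"
  "$GCLOUD" compute forwarding-rules create "fgtelb-$svc-fwd-$REGION_LABEL-l3" \
    --region="$REGION" --address="fgtelb-$svc-eip-$REGION_LABEL" \
    --ip-protocol=L3_DEFAULT --ports=ALL \
    --load-balancing-scheme=EXTERNAL --backend-service="$BES"
}

# Step 5: two ALLOW rules, both limited to the FortiGate tag. Probers need only
# TCP/8008; client traffic needs everything, because the forwarding rule passes
# every protocol and port and the FortiGate policy is what filters it.
create_firewall_rules() {
  "$GCLOUD" compute firewall-rules create "fgt-allow-hc-$REGION_LABEL" \
    --network="$VPC_EXT" --direction=INGRESS --action=ALLOW \
    --source-ranges="$HC_RANGES" --rules=tcp:8008 --target-tags="$FGT_TAG"
  "$GCLOUD" compute firewall-rules create "fgt-allow-inbound-$REGION_LABEL" \
    --network="$VPC_EXT" --direction=INGRESS --action=ALLOW \
    --source-ranges=0.0.0.0/0 --rules=all --target-tags="$FGT_TAG"
}

create_external_lb() {
  create_health_check
  create_backend_service
  create_service_ip serv1
  create_firewall_rules
}

# Post-check: the active FortiGate should report HEALTHY; a passive unit that is
# not answering the probe shows UNHEALTHY until it takes over, which is expected.
check_backend_health() {
  "$GCLOUD" compute backend-services get-health "$BES" --region="$REGION"
}

case "${1:-}" in
  apply) create_external_lb && check_backend_health ;;
  plan)  GCLOUD=echo; create_external_lb ;;
esac
```

The dry-run mode is the cheapest review step: the printed command list shows at a glance whether every create, add-backend and forwarding rule refers to the same backend service and whether the firewall rules carry the target tag, which is exactly what goes wrong when the commands are typed one at a time.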
