FortiGate Autoscale for AWS features
Major components
- The BYOL Auto Scaling group. This Auto Scaling group contains zero to many FortiGate-VMs of the BYOL licensing model and will dynamically scale-out or scale-in based on the scaling metrics specified by the parameters Scale-out threshold and Scale-in threshold. For each instance you must provide a valid license purchased from FortiCare.
For BYOL-only and hybrid licensing deployments, the Minimum group size (
FgtAsgMinSizeByol
) must be at least 2. These FortiGate-VMs are the main instances and are fixed and running 7x24. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost. - The On-demand Auto Scaling group. This Auto Scaling group contains 0 to many FortiGate-VMs of the On-demand licensing model and will dynamically scale-out or scale-in based on the scaling metrics specified by the parameters Scale-out threshold and Scale-in threshold.
For on-demand-only deployments, the minimum group size (
FgtAsgMinSizePayg
) must be at least 2. These FortiGate-VMs are the main instances and are fixed and running 7x24. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost. - The “assets” folder in the S3 Bucket.
- The configset folder contains files that are loaded as the initial configuration for a new FortiGate-VM instance.
- baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below
- httproutingpolicy and httpsroutingpolicy are provided as part of the base configset - for a common use case - and specify the FortiGate firewall policy for VIPs for http routing and https routing respectively. This common use case includes a VIP on port 80 and a VIP on port 443 with a policy that points to an internal load balancer. The port numbers are configurable and can be changed during CFT deployment. Additional VIPs can be added here as needed.
In FortiOS 6.2.3, any VIPs created on the primary instance will not sync to the secondary instances. Any VIP you wish to add must be added as part of the base configuration.
If you set the Internal ELB options parameter to
do not need one
, then you must include your VIP configuration in the base configuration. - The ... >license-files > fortigate folder contains BYOL license files.
- The configset folder contains files that are loaded as the initial configuration for a new FortiGate-VM instance.
- Tables in DynamoDB. These tables are required to store information such as health check monitoring, primary election, state transitions, etc. These records should not be modified unless required for troubleshooting purposes.
- Networking Components These are the network load balancers, the target group, and the VPC and subnets. You are expected to create your own client and server instances that you want protected by the FortiGate-VM.
Configset placeholders
When the FortiGate-VM requests the configuration from the Auto Scaling Handler function, the placeholders in the table below will be replaced with actual values about the Auto Scaling group.
Placeholder |
Type |
Description |
---|---|---|
{SYNC_INTERFACE} |
Text |
The interface for FortiGate-VMs to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase. |
{CALLBACK_URL} |
URL |
The endpoint URL to interact with the auto scaling handler script. Automatically generated during CloudFormation deployment. |
{PSK_SECRET} |
Text |
The Pre-Shared Key used in FortiOS. Specified during CloudFormation deployment. |
{ADMIN_PORT} |
Number |
A port number specified for admin login. A positive integer such as 443 etc. Specified during CloudFormation deployment. |
{HEART_BEAT_INTERVAL} |
Number |
The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. |
Auto Scaling Handler environment variables
Variable name |
Description |
---|---|
UNIQUE_ID |
Reserved, empty string. |
CUSTOM_ID |
Reserved, empty string. |
RESOURCE_TAG_PREFIX |
The value of the CFT parameter Resource tag prefix which is described in the section Resource tagging configuration. |
AWS GovCloud (US) support
The AWS GovCloud (US) regions us-gov-east-1
and us-gov-west-1
are supported.
AWS may have service limitations, restrictions, or different implementations for these regions. Review AWS documentation for more information.
As service is provided differently than it is for commercial regions, if you encounter errors when deploying to these regions, report them on the Issues tab of the FortiGate Autoscale for AWS GitHub project.
How to partially route egress traffic
By default, FortiGate Autoscale manages the route 0.0.0.0/0
in the route table associated with the FortiGate-VM cluster. As such, all egress traffic will be routed to the primary FortiGate-VM. If desired, you can add firewall policies to the FortiGate-VM with more customized egress rules.
In addition to the 0.0.0.0/0
route via FortiGate Autoscale, egress traffic can be also routed via other NAT gateways. This is done by creating a route with a specific destination with the NAT device as the target. This route must be next to the route 0.0.0.0/0
in the Autoscale route table and the route destination must be a valid CIDR. For example, for egress traffic to the IP address range 10.0.0.0/16
to use a different NAT device, create a route with destination 10.0.0.0/16
and the NAT device as the target. Egress traffic to 10.0.0.0/16
will now flow through the NAT device while the rest will still flow through FortiGate.
However, you cannot use the route with destination 0.0.0.0/0
because FortiGate Autoscale is managing it and will overwrite it whenever the FortiGate primary role has been switched.