GCP Administration Guide

Adding instances to the protected subnet

When the deployment completes, you can create an instance group and add VMs to the protected subnet, behind the internal load balancer (LB).

In GCP, each NIC on an instance must reside in a separate VPC. In this deployment, the FortiGate has two NICs: one in the exposed public subnet/VPC and the other in the protected subnet/VPC. By default, the protected subnet is called fortigateautoscale-protected-subnet-CLUSTER-SUFFIX.

The default FortiGate configuration located under /assets/configset/baseconfig specifies a virtual IP address (VIP) on port 80 and a VIP on port 443 with a policy that points to an internal LB.

Note

Any VIPs created on the primary instance do not sync to the secondary instances. You must add any VIP that you need as part of the baseconfig.

The following illustrates adding a basic unmanaged instance group into the protected subnet and internal LB.

To add instances to the protected subnet:
  1. Create the VM, ensuring that it resides within the proper region, VPC, and subnet:

    Add VM instance

  2. Create an instance group:

    Add Instance group

  3. Under Network services > Load balancing, select Internal load balancer > Backend configuration and add the new instance group.

    Add new Instance group to the internal load balancer
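
The same three steps can be scripted with the gcloud CLI. This is an added example, not part of the Fortinet guide: the region, zone, VM name, group name, and the `INTERNAL-LB-BACKEND-SERVICE` placeholder are assumptions to replace with your deployment's values. By default it is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: gcloud equivalent of console steps 1-3.
# Every value is a placeholder/assumption except the subnet name pattern,
# which is the default given in this guide.
SUFFIX="${SUFFIX:-CLUSTER-SUFFIX}"
REGION="${REGION:-us-central1}"   # region of the protected subnet and internal LB
ZONE="${ZONE:-us-central1-a}"     # zone for the new VM and instance group
SUBNET="fortigateautoscale-protected-subnet-${SUFFIX}"
VM="${VM:-protected-vm-1}"
GROUP="${GROUP:-protected-ig-1}"
ILB_BACKEND="${ILB_BACKEND:-INTERNAL-LB-BACKEND-SERVICE}"
DRY_RUN="${DRY_RUN:-1}"           # set DRY_RUN=0 to execute for real

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A zone belongs to a region when the zone name minus its last "-x" part
# equals the region name (us-central1-a -> us-central1).
zone_in_region() { [ "${1%-*}" = "$2" ]; }

add_protected_instance() {
  # Step 1 precondition: the VM must sit in the protected subnet's region.
  if ! zone_in_region "$ZONE" "$REGION"; then
    echo "zone $ZONE is not in region $REGION" >&2
    return 1
  fi
  # Step 1: create the VM; the VPC is inferred from the subnet.
  run gcloud compute instances create "$VM" \
    --zone="$ZONE" --subnet="$SUBNET" || return 1
  # Step 2: create an unmanaged instance group and add the VM to it.
  run gcloud compute instance-groups unmanaged create "$GROUP" \
    --zone="$ZONE" || return 1
  run gcloud compute instance-groups unmanaged add-instances "$GROUP" \
    --zone="$ZONE" --instances="$VM" || return 1
  # Step 3: attach the group to the internal LB's backend service.
  run gcloud compute backend-services add-backend "$ILB_BACKEND" \
    --region="$REGION" --instance-group="$GROUP" \
    --instance-group-zone="$ZONE" || return 1
  # Confirm the internal LB reports health for the new backend.
  run gcloud compute backend-services get-health "$ILB_BACKEND" \
    --region="$REGION"
}

add_protected_instance
```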
