Configuring FortiGate-VM load balancer using dynamic address objects
FortiOS supports using dynamic firewall addresses in real servers under a virtual server load balancing configuration. Combined with support for the autoscaling group filter (see Access key-based SDN connector integration), this enables you to use the FortiGate as a load balancer in AWS for an autoscaling deployment. You do not need to manually change each server's IP address whenever a scale in/out action occurs, as FortiOS dynamically updates the IP addresses following each scale in/out action.
Consider a scenario where the FortiGate-VM is deployed on AWS and load balancing for three servers. The SDN connector configured in FortiOS dynamically loads the server IP addresses. If a scale in action occurs, the load balancer dynamically updates to load balance to the two remaining servers.
These instructions assume the following:
- An AWS SDN connector is configured and up.
- An AWS dynamic firewall address with a filter is configured.
To configure a dynamic address object in a real server under virtual server load balance:
CLI commands introduced in FortiOS 7.6 are shown bolded.
config firewall vip
    edit "0"
        set id 0
        set uuid 0949dfbe-7512-51ea-4671-d3a706b09657
        set comment ''
        set type server-load-balance
        set extip 0.0.0.0
        set extintf "port1"
        set arp-reply enable
        set server-type http
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header disable
        set color 0
        set ldb-method static
        set http-redirect disable
        set persistence none
        set extport 80
        config realservers
            edit 1
                set type address
                set address "aws addresses"
                set port 8080
                set status active
                set holddown-interval 300
                set healthcheck vip
                set max-connections 0
                unset client-ip
            next
        end
        set http-multiplex disable
        set max-embryonic-connections 1000
    next
end
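The configuration above only delivers automatic scale in/out tracking if every address-type real server points at an SDN-backed dynamic address object; a real server that references a static address (or an address that does not exist) silently stays fixed. The following check is an added example, not Fortinet code: it parses a FortiOS CLI config dump and reports such real servers. The sample config, the connector name "aws-connector" and the filter string are constructed placeholders.

```python
import shlex

def parse_fortios(text):
    """Parse a FortiOS CLI config dump into nested dicts: 'config'/'edit' open a
    block keyed by name, 'set' stores a value list, 'next'/'end' close a block."""
    stack = [{}]  # stack[0] is the root, stack[-1] the block being filled
    for tokens in map(shlex.split, text.splitlines()):
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd in ("next", "end"):
            stack.pop()
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]  # 'unset' and unknown lines are skipped
    return stack[0]

def lint_vip_realservers(cfg):
    """Findings for address-type real servers under server-load-balance VIPs whose
    address object is not an SDN dynamic address. Empty list means consistent."""
    findings, addresses = [], cfg.get("firewall address", {})
    for vip_name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("type") != ["server-load-balance"]:
            continue
        for rs_id, rs in vip.get("realservers", {}).items():
            if rs.get("type") != ["address"]:
                continue  # ip-type real servers are static by design
            name = rs.get("address", [""])[0]
            addr = addresses.get(name)
            if addr is None:
                findings.append(f"vip {vip_name}/realserver {rs_id}: address '{name}' is undefined")
            elif addr.get("type") != ["dynamic"] or "sdn" not in addr:
                findings.append(f"vip {vip_name}/realserver {rs_id}: '{name}' is not an SDN dynamic address")
    return findings

# Constructed sample: one SDN dynamic address (placeholder connector/filter), one static address.
SAMPLE = "\n".join([
    "config firewall address", 'edit "aws addresses"', "set type dynamic",
    'set sdn "aws-connector"', 'set filter "Tag.Name=web"', "next",
    'edit "legacy-web"', "set subnet 10.0.1.10 255.255.255.255", "next", "end",
    "config firewall vip", 'edit "web-lb"', "set type server-load-balance",
    "config realservers", "edit 1", "set type address", 'set address "aws addresses"',
    "next", "edit 2", "set type address", 'set address "legacy-web"', "next", "end",
    "next", "end",
])

if __name__ == "__main__":
    for finding in lint_vip_realservers(parse_fortios(SAMPLE)):
        print(finding)
```

Run it against the output of `show full-configuration` to confirm every load-balanced real server will follow the autoscaling group.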