
AWS Administration Guide

Planning

This deployment requires familiarity with the configuration of a FortiGate using the CLI as well as with the following AWS services:

Deployments with Transit Gateway integration require knowledge of the following:

If you are new to AWS, go to the Getting Started Resource Center and the AWS Training and Certification website.

It is expected that DevOps engineers or advanced system administrators who are familiar with the listed items will deploy FortiGate Autoscale for AWS.

Technical requirements

To start the deployment, you must have an AWS account. If you do not already have one, create one at https://aws.amazon.com/ by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN. Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Log into your AWS account and verify the following:

  • IAM permissions. Ensure that the AWS user deploying the template has sufficient permissions to perform the required service actions on resources. At a minimum, the following are required: Service: IAM; Actions: CreateRole; Resource: *. The FortiGate Autoscale for AWS template increases the security level of the deployment stack by narrowing the scope of access to external resources belonging to the same user account as well as restricting access to resources within the deployment.
  • Region. Use the region selector in the navigation bar to choose the AWS region where you want to deploy FortiGate Autoscale for AWS.
    Note

    This deployment includes AWS Auto Scaling, which is not currently supported in all AWS regions. For a current list of supported regions, see the AWS documentation Service Endpoints and Quotas.

  • Instance Type. This deployment offers a range of instance types, some of which are not available in all AWS regions. Ensure that your desired instance type is available in your region by checking the Instance types page for your region.
  • FortiGate subscription(s). Confirm that you have a valid subscription to the On-demand FortiGate and/or BYOL FortiGate marketplace listings, as required for your deployment.
    • If you are not subscribed, open the subscription page and click Continue to Subscribe.
    • Review the terms and conditions for software usage, and then choose Accept Terms. A confirmation page loads, and an email confirmation is sent to the account owner.
    • Exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace.
  • Key pair. Ensure at least one Amazon EC2 key pair exists in your AWS account in the region where you plan to deploy FortiGate Autoscale for AWS. Make note of the key pair name.
  • Resources. If necessary, request service quota increases. This is necessary when you might exceed the default quotas with this deployment. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see the AWS documentation. The default instance type is c5.large.
  • FortiGate licenses. Ensure you have a license for each FortiGate BYOL instance you might use. Licenses can be purchased from FortiCare. In the section BYOL license files, you place the license files in an S3 bucket for use by the deployment.

Requirements when using an existing VPC

When using an existing VPC, there are additional requirements:

  • The VPC must have the option DNS hostnames enabled.
  • Each of the two Availability Zones in the VPC must have at least 1 public subnet and at least 1 private subnet.
  • A VPC Endpoint for the execute-api service under the AWS services category is required. This VPC Endpoint must have the Private DNS Name option enabled and must be associated with the VPC.

After deployment, you must associate the created security group with the VPC endpoint. For details, see Post-deployment activities.
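The following pre-flight checker is an added example, not part of the Fortinet guide or the FortiGate Autoscale project; it evaluates the three existing-VPC requirements above against describe-vpc-attribute, describe-subnets, describe-route-tables and describe-vpc-endpoints responses (constructed sample data in the shape boto3 returns, so it runs offline). The guide does not say how it classifies public versus private subnets; the example assumes a subnet is public when its effective route table sends 0.0.0.0/0 to an internet gateway.

```python
from collections import defaultdict

def subnet_publicity(route_tables):
    """Classify subnets from route tables. Assumption: 'public' means 0.0.0.0/0 -> igw-*."""
    main_public, explicit = set(), {}
    for rt in route_tables:
        is_public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                        and str(r.get("GatewayId", "")).startswith("igw-")
                        for r in rt.get("Routes", []))
        for assoc in rt.get("Associations", []):
            if assoc.get("Main") and is_public:
                main_public.add(rt["VpcId"])      # subnets without explicit table inherit this
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = is_public
    return main_public, explicit

def check_vpc(vpc_id, region, dns_attr, subnets, route_tables, endpoints):
    """Evaluate the existing-VPC requirements; returns [(requirement, passed), ...]."""
    main_public, explicit = subnet_publicity(route_tables)
    per_az = defaultdict(lambda: {"public": 0, "private": 0})
    for s in subnets:
        if s["VpcId"] == vpc_id:
            public = explicit.get(s["SubnetId"], vpc_id in main_public)
            per_az[s["AvailabilityZone"]]["public" if public else "private"] += 1
    usable_azs = [az for az, n in per_az.items() if n["public"] and n["private"]]
    svc = f"com.amazonaws.{region}.execute-api"
    endpoint_ok = any(e["VpcId"] == vpc_id and e["ServiceName"] == svc
                      and e.get("State") == "available" and e.get("PrivateDnsEnabled")
                      for e in endpoints)
    return [("DNS hostnames enabled", bool(dns_attr["EnableDnsHostnames"]["Value"])),
            ("two AZs each with a public and a private subnet", len(usable_azs) >= 2),
            (f"available {svc} endpoint with Private DNS Name enabled", endpoint_ok)]

# Constructed sample responses (shape of boto3 describe_* output); not real resources.
VPC, REGION = "vpc-0example", "us-east-1"
DNS_ATTR = {"VpcId": VPC, "EnableDnsHostnames": {"Value": True}}
SUBNETS = [{"SubnetId": f"subnet-{k}", "VpcId": VPC, "AvailabilityZone": f"{REGION}{az}"}
           for az in "ab" for k in (f"pub-{az}", f"priv-{az}")]
ROUTE_TABLES = [
    {"VpcId": VPC, "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},  # main table has no igw route: private by default
    {"VpcId": VPC, "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}]}]
ENDPOINTS = [{"VpcId": VPC, "ServiceName": f"com.amazonaws.{REGION}.execute-api",
              "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True}]

def run_sample(private_dns=True):
    """Run the checker over the sample; private_dns=False shows the endpoint check failing."""
    eps = [dict(ENDPOINTS[0], PrivateDnsEnabled=private_dns)]
    return check_vpc(VPC, REGION, DNS_ATTR, SUBNETS, ROUTE_TABLES, eps)
```

With a live account, pass `ec2.describe_vpc_attribute(VpcId=..., Attribute="enableDnsHostnames")`, `ec2.describe_subnets()["Subnets"]`, `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_vpc_endpoints()["VpcEndpoints"]` to `check_vpc` in place of the sample data.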
