FortiSandbox VM on AWS

Appendix C - Setup HA health check based on AWS Network Load Balancer in dual-zone

Step 1: Create and configure your target group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, under Load Balancing, choose Target Groups.

  3. Click Create target group and configure the group.

    Target type: Choose Instances.
    Target group name: Enter a name for the new target group.
    Protocol and port: Select TCP, and for Port, select 514.

    If the health check needs to be created on Port 443:

    • Select TLS, and for Port, select 443.

    VPC: Select the VPC that contains your instances.

    Health checks:
    • For Health check protocol, choose TCP.

    • For Advanced health check settings, keep the default settings.

  4. Click Next.

  5. On the Register targets page, complete the following steps.

    Note: Registering targets is an optional step when creating a target group. However, you must register your targets if you want to test your load balancer and ensure that it is routing traffic to your targets.

    1. For Available instances, select all FortiSandbox instances belonging to this HA Cluster.

    2. Verify that the port for the selected instances is 514 (or 443, if the health check was created on Port 443).

  6. Click Include as pending below, then click Create target group.

Step 2: Create Network load balancer

  1. On the navigation bar, choose a Region for your load balancer. Be sure to choose the same Region that you used for your FortiSandbox instances.
  2. In the navigation pane, under Load Balancing, choose Load Balancers.
  3. Choose Create load balancer and then select the Network Load Balancer.
  4. For Network Load Balancer, click Create.

Step 3: Configure network load balancer and listener

  1. Configure the following settings:

    Load balancer name: Enter a name for your load balancer.
    Scheme and IP address type: Keep the default values.
    Network mapping
    1. Select the VPC that you used for your FortiSandbox instances.
    2. Select all Availability Zones that you deployed FortiSandbox instances on.
    3. Select the FortiSandbox port1 subnets under the selected Availability Zones.
    4. For the IPv4 address, keep the default settings.
    Listeners and routing
    1. For Protocol, choose TCP.
      • If the target group health check was created on Port 443, for Protocol, choose TLS.

    2. For Port, choose 514.
      • If the target group health check was created on Port 443, for Port, choose 443.

      • For Secure listener settings, refer to Health check for 443 Secure listener settings below.

    3. For Default action, select the target group you created and registered previously.
  2. Review your configuration, and click Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer.
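The console clicks in Steps 1 to 3 map onto a handful of AWS CLI calls (`aws elbv2 ...`). The following is an added example, not part of the Fortinet guide and not Fortinet code: it builds the exact CLI invocations for the target group, target registration, load balancer and listener, parameterised on the health-check port, so the same function set produces either the TCP/514 configuration of this section or the TLS/443 variant described under "Health check for 443 Secure listener settings" (security policy, ACM certificate, ALPN left at None). The VPC, subnet, instance and certificate identifiers are placeholders; the `run()` helper executes the commands only when you call `provision()` with real values, which requires the AWS CLI and credentials.

```python
"""Equivalent of Steps 1-3 with the AWS CLI (elbv2), parameterised on the
health-check port: 514 gives the TCP target group and listener, 443 gives
the TLS variant with the ACM certificate and security policy."""
import json
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HaHealthCheck:
    name: str                 # used for both the target group and the load balancer
    vpc_id: str               # VPC containing the FortiSandbox instances
    subnet_ids: List[str]     # FortiSandbox port1 subnet in each Availability Zone
    instance_ids: List[str]   # every FortiSandbox instance in the HA cluster
    port: int = 514           # 514 (TCP) or 443 (TLS)
    certificate_arn: Optional[str] = None   # imported ACM certificate, required for 443
    ssl_policy: str = "ELBSecurityPolicy-TLS13-1-2-2021-06"

    @property
    def protocol(self) -> str:
        """Target group and listener protocol for the chosen port."""
        if self.port == 514:
            return "TCP"
        if self.port == 443:
            if not self.certificate_arn:
                raise ValueError("port 443 needs the ARN of the imported ACM certificate")
            return "TLS"
        raise ValueError("this procedure covers port 514 (TCP) or 443 (TLS) only")


def create_target_group(cfg: HaHealthCheck) -> List[str]:
    # Step 1: instance target group; the health check itself is plain TCP in both variants.
    return ["aws", "elbv2", "create-target-group",
            "--name", cfg.name, "--target-type", "instance",
            "--protocol", cfg.protocol, "--port", str(cfg.port),
            "--vpc-id", cfg.vpc_id, "--health-check-protocol", "TCP"]


def register_targets(target_group_arn: str, cfg: HaHealthCheck) -> List[str]:
    # Step 1, Register targets: every cluster member; the port defaults to the group's port.
    return ["aws", "elbv2", "register-targets", "--target-group-arn", target_group_arn,
            "--targets", *[f"Id={i}" for i in cfg.instance_ids]]


def create_load_balancer(cfg: HaHealthCheck) -> List[str]:
    # Steps 2-3: NLB spanning the port1 subnets; scheme and IP address type keep the defaults.
    return ["aws", "elbv2", "create-load-balancer", "--name", cfg.name,
            "--type", "network", "--subnets", *cfg.subnet_ids]


def create_listener(lb_arn: str, target_group_arn: str, cfg: HaHealthCheck) -> List[str]:
    # Step 3, Listeners and routing: forward to the target group; TLS adds the
    # secure listener settings (security policy, ACM certificate, ALPN left at None).
    cmd = ["aws", "elbv2", "create-listener", "--load-balancer-arn", lb_arn,
           "--protocol", cfg.protocol, "--port", str(cfg.port),
           "--default-actions", f"Type=forward,TargetGroupArn={target_group_arn}"]
    if cfg.protocol == "TLS":
        cmd += ["--ssl-policy", cfg.ssl_policy,
                "--certificates", f"CertificateArn={cfg.certificate_arn}"]
    return cmd


def describe_target_health(target_group_arn: str) -> List[str]:
    # Step 4 precheck: shows initial / healthy / unhealthy per registered instance.
    return ["aws", "elbv2", "describe-target-health", "--target-group-arn", target_group_arn]


def run(cmd: List[str]) -> dict:
    """Execute one CLI call and parse its JSON output (empty for register-targets)."""
    out = subprocess.run(cmd + ["--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def provision(cfg: HaHealthCheck) -> dict:
    """Run Steps 1-3 end to end and return the ARNs plus the current target health."""
    tg_arn = run(create_target_group(cfg))["TargetGroups"][0]["TargetGroupArn"]
    run(register_targets(tg_arn, cfg))
    lb = run(create_load_balancer(cfg))["LoadBalancers"][0]
    listener = run(create_listener(lb["LoadBalancerArn"], tg_arn, cfg))["Listeners"][0]
    return {"target_group": tg_arn, "load_balancer": lb["LoadBalancerArn"],
            "dns_name": lb["DNSName"], "listener": listener["ListenerArn"],
            "health": run(describe_target_health(tg_arn))["TargetHealthDescriptions"]}


if __name__ == "__main__":
    # Placeholder identifiers; replace them with the values from your own account.
    cfg = HaHealthCheck(name="fsa-ha-healthcheck", vpc_id="vpc-PLACEHOLDER",
                        subnet_ids=["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
                        instance_ids=["i-PLACEHOLDER-1", "i-PLACEHOLDER-2"])
    print(json.dumps(provision(cfg), indent=2))
```

Keeping the commands as argument lists rather than one shell string avoids quoting problems with the `Type=forward,TargetGroupArn=...` and `CertificateArn=...` shorthand values, and lets the 514 and 443 cases differ only in the one branch inside `create_listener`.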

Step 4: Test your load balancer on TCP Port 514

  1. After you are notified that your load balancer was created successfully, click Close.
  2. In the navigation pane, under Load Balancing, choose Target Groups.
  3. Select the newly created target group
  4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it is likely because the instance is still in the process of being registered, or it has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer.
  5. In the navigation pane, under Load Balancing, choose Load Balancers.
  6. Select the name of the newly created load balancer to open its details page.
  7. Copy the DNS name of the load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com).
  8. Telnet to the DNS name on port 514. For example: telnet my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com 514

Health check for 443 Secure listener settings

To import a certificate:
  1. Open the Amazon EC2 console.

  2. In the navigation pane, under AWS Certificate Manager (ACM), choose Import certificate.

  3. Follow the AWS import certificate steps and complete the certificate import.

To configure the network load balancer and listener on port 443:
  1. Follow the steps in Step 1: Create and configure your target group. Where applicable:
    • For Protocol, select TCP/TLS.

    • For Port, select 443.

  2. Follow steps 1-3 in Step 3: Configure network load balancer and listener.
  3. For Listeners and routing:
    1. For Protocol, choose TLS.
    2. For Port, choose 443.
    3. For Default action, select the target group you created and registered previously.
  4. For Secure listener settings:
    1. For Security policy, select the AWS recommended policy, for example ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended).
    2. For Default SSL/TLS certificate, choose From ACM and select the imported certificate.
    3. For ALPN policy, keep the default settings (None).
  5. Review your configuration, and click Create load balancer.

To test your load balancer on TLS Port 443:
  1. Open the target group details page and wait until the status of all members changes to healthy.

  2. On the details page of the newly created load balancer:

    1. Copy the DNS name of the load balancer.

    2. Paste the DNS name into the address field of an internet-connected web browser. If everything is working, the browser displays the default page of your server.

      For example, https://my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com
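Both connectivity tests in this appendix, the telnet to port 514 in Step 4 and the browser request to the TLS listener on port 443, can be scripted, and the target status column ("initial" until enough consecutive checks succeed, then "healthy") can be modelled to make the waiting in Step 4 predictable. The following is an added example, not part of the Fortinet guide and not Fortinet code. `tcp_probe` does what the NLB's TCP health check and the manual telnet do (complete the TCP handshake); `tls_probe` does what the browser does (handshake plus certificate chain and hostname verification); `target_status_history` is a model of the status transitions whose thresholds are constructed values, not the target group's real Advanced health check defaults; `start_stub_listener` is a constructed local stand-in for a FortiSandbox instance's port 514 so the example runs offline. The load balancer DNS name in the comment is a placeholder.

```python
"""Scripted stand-in for the Step 4 telnet test and the TLS Port 443 browser
test, plus a model of how a target moves from 'initial' to 'healthy'."""
import socket
import ssl
import threading
from typing import Callable, List, Optional, Tuple


def tcp_probe(host: str, port: int, timeout: float = 10.0) -> bool:
    """One TCP health check: success means the three-way handshake completed
    (this is what the NLB's TCP health check and the manual telnet test verify)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host: str, port: int = 443, timeout: float = 10.0,
              cafile: Optional[str] = None) -> Tuple[str, str]:
    """Handshake with the TLS listener and verify the certificate chain and
    hostname, as the browser does in the 443 test. Returns the negotiated TLS
    version and the certificate's common name. Pass cafile for a certificate
    imported from a private CA; with the default trust store such a listener
    fails here just as it warns in the browser."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return tls.version() or "", subject.get("commonName", "")


def target_status_history(host: str, port: int, checks: int,
                          healthy_threshold: int = 3, unhealthy_threshold: int = 3,
                          probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Model of the target-group status column: a target stays 'initial' until
    healthy_threshold consecutive successes, becomes 'unhealthy' after
    unhealthy_threshold consecutive failures, and recovers the same way.
    The thresholds are constructed values (assumption); the real ones are the
    target group's Advanced health check settings."""
    status, ok_run, fail_run, history = "initial", 0, 0, []
    for _ in range(checks):
        if probe(host, port):
            ok_run, fail_run = ok_run + 1, 0
        else:
            ok_run, fail_run = 0, fail_run + 1
        if ok_run >= healthy_threshold:
            status = "healthy"
        elif fail_run >= unhealthy_threshold:
            status = "unhealthy"
        history.append(status)
    return history


def start_stub_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Constructed stand-in for a FortiSandbox instance's port 514: accepts
    each TCP connection and closes it. Returns the socket and the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed: the "instance" went away
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_stub_listener()
    print("stub up:  ", target_status_history("127.0.0.1", port, checks=4))
    srv.close()
    print("stub down:", target_status_history("127.0.0.1", port, checks=4))
    # Against the real load balancer (replace the placeholder DNS name):
    # print(tcp_probe("my-load-balancer-PLACEHOLDER.elb.us-east-2.amazonaws.com", 514))
    # print(tls_probe("my-load-balancer-PLACEHOLDER.elb.us-east-2.amazonaws.com"))
```

Note that a successful `tcp_probe` against the load balancer's DNS name proves the NLB accepted the connection; whether a particular FortiSandbox instance is healthy is still read from the target group's Targets tab (or `aws elbv2 describe-target-health`), which is why Step 4 checks the target status first.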
