Adding instances to the protected subnet
When the deployment completes, you can create an instance group and add VMs to the protected subnet, behind the internal load balancer (LB).
In GCP, the NICs of a VM must reside in separate VPCs. In this deployment, each FortiGate has two NICs: one in the exposed public subnet/VPC and the other in the protected subnet/VPC. By default, the protected subnet is called fortigateautoscale-protected-subnet-CLUSTER-SUFFIX.
The default FortiGate configuration located under /assets/configset/baseconfig specifies a virtual IP address (VIP) on port 80 and a VIP on port 443, with a policy that points to an internal LB.
VIPs created on the primary instance do not sync to the secondary instances; any VIP you need must be added as part of the baseconfig.
The following illustrates adding a basic unmanaged instance group into the protected subnet and internal LB.
To add instances to the protected subnet:
- Create the VM, ensuring that it resides within the proper region, VPC, and subnet:
- Create an instance group:
- Under Network services > Load balancing, select Internal load balancer > Backend configuration and add the new instance group.
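The same three steps as gcloud commands, as an added example that is not part of the FortiGate Autoscale documentation or its configset. The project, region/zone, VM, instance group and backend-service names are assumptions; the subnet name follows the page's default pattern.

```shell
# Added example, not part of the FortiGate Autoscale documentation or its configset:
# gcloud equivalents of the three console steps. Project, region/zone, VM, group and
# backend-service names are assumptions; the subnet name follows the page's default.
PROJECT="${PROJECT:-my-project}"                 # assumed project id
REGION="${REGION:-us-central1}"                  # region of the protected subnet
ZONE="${ZONE:-us-central1-a}"                    # must lie inside REGION
CLUSTER_SUFFIX="${CLUSTER_SUFFIX:-abc123}"       # constructed placeholder suffix
VM_NAME="${VM_NAME:-protected-web-1}"
IG_NAME="${IG_NAME:-protected-web-ig}"
BACKEND_SERVICE="${BACKEND_SERVICE:-fortigate-internal-lb}"  # assumed backend service
DRY_RUN="${DRY_RUN:-1}"                          # 1 prints the commands, 0 runs them

protected_subnet_name() { printf 'fortigateautoscale-protected-subnet-%s\n' "$1"; }

# A zone such as us-central1-a belongs to region us-central1; a VM created in a
# zone outside the subnet's region cannot join the internal LB's backend.
zone_in_region() { case "$1" in "$2"-*) return 0 ;; *) return 1 ;; esac; }

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: internal IP only (--no-address), so the VM is reachable only through the
# FortiGate VIPs and the internal LB, and its egress passes through the FortiGates.
create_vm_cmd() {
  zone_in_region "$ZONE" "$REGION" || { echo "zone $ZONE not in $REGION" >&2; return 1; }
  run gcloud compute instances create "$VM_NAME" --project="$PROJECT" --zone="$ZONE" \
    --subnet="$(protected_subnet_name "$CLUSTER_SUFFIX")" --no-address \
    --machine-type=e2-small --image-family=debian-12 --image-project=debian-cloud
}

# Step 2: an unmanaged instance group in the same zone, with the VM added to it.
create_instance_group_cmd() {
  run gcloud compute instance-groups unmanaged create "$IG_NAME" \
    --project="$PROJECT" --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances "$IG_NAME" \
    --project="$PROJECT" --zone="$ZONE" --instances="$VM_NAME"
}

# Step 3: attach the group to the internal LB's regional backend service.
add_backend_cmd() {
  run gcloud compute backend-services add-backend "$BACKEND_SERVICE" \
    --project="$PROJECT" --region="$REGION" \
    --instance-group="$IG_NAME" --instance-group-zone="$ZONE"
}

add_protected_instance() { create_vm_cmd && create_instance_group_cmd && add_backend_cmd; }
```

Source the file and call `add_protected_instance` with the default DRY_RUN=1 to review the commands, then set DRY_RUN=0 to execute them against your project.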