Fortinet Document Library
Version: 6.0.0
Introduction

You can deploy FortiGate-VM to support Auto Scaling on AWS. This requires a manual deployment incorporating CloudFormation templates (CFTs).

Multiple FortiGate instances can form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate instances can be scaled out automatically according to predefined workload levels. When a spike in traffic occurs, a Lambda script is invoked to scale out the group by automatically adding FortiGate instances. Auto Scaling is achieved by using FortiGate-native high availability (HA) features such as Config-Sync, which synchronizes operating system (OS) configurations across multiple FortiGate instances at the time of scale-out events.

This Auto Scaling feature is available with FortiOS 6.0.3 and later versions for On-Demand (PAYG) instances. BYOL instance support is planned for a later time.

Before you deploy FortiGate Autoscale for AWS, it is recommended that you become familiar with the following AWS services. If you are new to AWS, see Getting Started on AWS.

FortiGate Autoscale for AWS uses AWS CFTs to deploy the following components:

  • A highly available architecture that spans two Availability Zones (AZs)
  • A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS
  • An Internet gateway to allow access to the Internet
  • In the public subnets, FortiGates that act as NAT gateways, allowing outbound Internet access for resources in the private subnets
  • In the public subnets, a FortiGate host in an Auto Scaling group complements AWS security groups to provide intrusion protection, web filtering, and threat detection to protect your services from cyber-attacks. It also allows VPN access by authorized users.
  • An external-facing network load balancer, created as part of the deployment process. An internal-facing network load balancer is optional.
  • Amazon API Gateway, which acts as a front door by providing a callback URL for the FortiGate Auto Scaling group. FortiGates use an API Gateway to send API calls and to process FortiGate Config-Sync tasks to synchronize OS configuration across multiple FortiGate instances at the time of the Auto Scaling scale-out event. This is currently only for internal use. There is no public access available.
  • AWS Lambda, which allows you to run certain scripts and code without provisioning servers. Fortinet provides Lambda scripts for running Auto Scaling. Lambda functions are used to handle Auto Scaling, failover management, AWS CloudFormation deployment, and configuration for other related components.
  • An Amazon DynamoDB database that uses Fortinet-provided scripts to store information about Auto Scaling condition states.
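The component list above is also a checklist a practitioner can verify after the CFT stack is created. The following is an added example, not Fortinet's code or part of its templates: it audits constructed sample data (shaped like boto3 `describe_subnets`, `describe_route_tables` and `get_rest_api` output, with made-up IDs) for the properties the list states: two AZs each holding a public and a private subnet, private subnets whose default route goes through a FortiGate instance rather than an AWS NAT gateway, and a callback API Gateway that is not publicly reachable. Treating a `PRIVATE` endpoint type as the realization of "internal use only" is an assumption of this example.

```python
# Added example, not Fortinet's code. Sample data is constructed to resemble boto3
# describe_subnets / describe_route_tables / get_rest_api responses; IDs are made up.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-fortigate0001"}]},
]
# Assumption: the callback API is "internal only" when its endpoint type is PRIVATE.
REST_API = {"name": "fgt-autoscale-callback", "endpointConfiguration": {"types": ["PRIVATE"]}}


def is_default_route(route):
    return route.get("DestinationCidrBlock") == "0.0.0.0/0"


def routes_to_igw(route):
    return is_default_route(route) and str(route.get("GatewayId", "")).startswith("igw-")


def public_subnets(route_tables):
    """Subnets whose route table sends 0.0.0.0/0 straight to an Internet gateway."""
    public = set()
    for rt in route_tables:
        if any(routes_to_igw(r) for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return sorted(public)


def private_subnets(route_tables, subnets):
    pub = set(public_subnets(route_tables))
    return sorted(s["SubnetId"] for s in subnets if s["SubnetId"] not in pub)


def private_egress_via_instance(route_tables):
    """True when every non-IGW default route targets an instance or ENI (the FortiGate NAT
    role), not an AWS NAT gateway; False if no such route exists at all."""
    defaults = [r for rt in route_tables for r in rt["Routes"]
                if is_default_route(r) and not routes_to_igw(r)]
    return bool(defaults) and all("InstanceId" in r or "NetworkInterfaceId" in r for r in defaults)


def audit(subnets, route_tables, rest_api):
    """Map each property from the component list to a pass/fail boolean."""
    pub = set(public_subnets(route_tables))
    tiers_by_az = {}
    for s in subnets:
        tier = "public" if s["SubnetId"] in pub else "private"
        tiers_by_az.setdefault(s["AvailabilityZone"], set()).add(tier)
    return {
        "two_azs": len(tiers_by_az) >= 2,
        "public_and_private_per_az": all(t == {"public", "private"} for t in tiers_by_az.values()),
        "fortigate_is_nat": private_egress_via_instance(route_tables),
        "callback_api_private": rest_api["endpointConfiguration"]["types"] == ["PRIVATE"],
    }
```

Against a live account the same functions accept the `Subnets`, `RouteTables` and REST API dictionaries returned by boto3, so the constructed data can be swapped for real describe output.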