Fortinet Document Library

Version: 6.0.0

AWS Services and Components

FortiGate for AWS is an EC2 instance with an EBS volume attached. The following table lists the AWS services and components you need to understand when deploying FortiGate. It is organized by purpose (the deployment scenario a service supports); each entry gives the service/component and a description.

Purpose: Ordinary FortiGate single instance deployment or FortiGate-native A-P HA

Virtual private cloud (VPC)

The VPC is where the FortiGate and the VMs it protects are located, and where you control the network. The public-facing interface is routed to the Internet gateway, which is created within the VPC.

EC2

FortiGate for AWS is an EC2 VM instance. Every instance has a unique instance ID.

Subnets, route tables

FortiGate is required to be appropriately configured with subnets and route tables to handle traffic.

Internet gateways

A VPC component that allows communication between instances in your VPC and the Internet.

Elastic IP address

At least one public IP address must be allocated to FortiGate to access and manage it over the Internet.

Security groups

AWS public-facing protection. Allow only necessary ports and protocols.

AMI

A special type of deployable image used on AWS. You can launch FortiGate (BYOL) directly from the publicly available FortiGate AMI instead of using the Marketplace. See Deploying from BYOL AMI.

The on-demand AMI can be launched, but the instance will not boot properly, because it is not intended to be deployed directly from the AMI.

CloudFormation Templates (CFT)

FortiGate instances can be deployed using CFT where tailor-made resource instantiation is defined. Fortinet provides CFTs for the following use cases:

  • Deploying FortiGate-native A-P HA
  • Customer-required scenarios with particular topologies

CFTs are available on GitHub.

Fortinet-provided CFTs are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.
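The components in this first group (VPC, subnet, Internet gateway, route table, Elastic IP, security group, AMI) are exactly what a minimal CFT for a single FortiGate-VM has to declare. The following added example, which is not one of Fortinet's published templates, builds such a template as a Python dict and then audits every security group in it for the "allow only necessary ports" rule by flagging management ports (HTTPS and SSH) that are reachable from 0.0.0.0/0 or ::/0. The AMI ID, key pair name and admin CIDR are placeholders you substitute for your region and network.

```python
"""Build a minimal CloudFormation template for a single FortiGate-VM and audit
its security groups for over-permissive management rules.

Added example, not a Fortinet-provided CFT. AMI ID, key pair and admin CIDR
below are placeholders (assumptions), not real values.
"""
import ipaddress
import json

FORTIGATE_AMI_ID = "ami-PLACEHOLDER"   # FortiGate BYOL AMI ID for your region
KEY_PAIR_NAME = "my-keypair"           # placeholder key pair name
ADMIN_CIDR = "203.0.113.0/24"          # TEST-NET-3; stands in for your admin network

# Ports used to manage FortiGate (HTTPS GUI/REST API and SSH). Exposing these to
# the whole Internet is the mistake the audit below reports.
MANAGEMENT_PORTS = {22, 443}


def build_template(admin_cidr: str = ADMIN_CIDR, ami_id: str = FORTIGATE_AMI_ID) -> dict:
    """Return a CFT (as a dict) with VPC, public subnet, IGW, route table,
    least-privilege security group, FortiGate instance and Elastic IP."""
    ipaddress.ip_network(admin_cidr)  # reject a malformed CIDR before it reaches AWS
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Single FortiGate-VM in a public subnet (added example)",
        "Resources": {
            "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
            "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                             "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.0.0/24"}},
            "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
            "AttachGateway": {"Type": "AWS::EC2::VPCGatewayAttachment",
                              "Properties": {"VpcId": {"Ref": "VPC"},
                                             "InternetGatewayId": {"Ref": "InternetGateway"}}},
            "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
            # Default route of the public subnet points at the Internet gateway.
            "DefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "AttachGateway",
                             "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"},
                                            "DestinationCidrBlock": "0.0.0.0/0",
                                            "GatewayId": {"Ref": "InternetGateway"}}},
            "SubnetRouteAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                 "Properties": {"SubnetId": {"Ref": "PublicSubnet"},
                                                "RouteTableId": {"Ref": "PublicRouteTable"}}},
            # Management reachable only from the admin network; service ports for
            # protected workloads are added per deployment, never as allow-all.
            "FortiGateSG": {"Type": "AWS::EC2::SecurityGroup",
                            "Properties": {"GroupDescription": "FortiGate public interface",
                                           "VpcId": {"Ref": "VPC"},
                                           "SecurityGroupIngress": [
                                               {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": admin_cidr},
                                               {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": admin_cidr}]}},
            "FortiGate": {"Type": "AWS::EC2::Instance",
                          "Properties": {"ImageId": ami_id, "InstanceType": "c5.large",
                                         "KeyName": KEY_PAIR_NAME, "SubnetId": {"Ref": "PublicSubnet"},
                                         "SecurityGroupIds": [{"Ref": "FortiGateSG"}]}},
            # Elastic IP so the management address survives stop/start.
            "FortiGateEIP": {"Type": "AWS::EC2::EIP",
                             "Properties": {"Domain": "vpc", "InstanceId": {"Ref": "FortiGate"}}},
        },
        "Outputs": {"ManagementIP": {"Value": {"Ref": "FortiGateEIP"}}},
    }


def audit_security_groups(template: dict) -> list:
    """Return one finding per security group ingress rule that exposes a
    management port to the entire Internet (prefix length 0)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr is None:
                continue  # source is another security group; not an Internet exposure
            if rule.get("IpProtocol") == "-1":          # "all traffic" rule
                lo, hi = 0, 65535
            else:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
            if exposed and ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append(f"{name}: management ports {exposed} open to {cidr}")
    return findings


def to_json(template: dict) -> str:
    """Serialize the template for `aws cloudformation create-stack --template-body`."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    tpl = build_template()
    print(to_json(tpl))
    print("audit:", audit_security_groups(tpl) or "clean")
```

Running the audit against a variant built with `admin_cidr="0.0.0.0/0"` returns a single finding for `FortiGateSG` naming both management ports, which is the check worth wiring into a pipeline before any template reaches `create-stack`.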

Purpose: Additional or alternative HA using AWS mechanisms

Auto Scaling

Auto scaling can automatically scale out by instantiating additional FortiGate instances at times of high workloads. See Deploying Auto Scaling on AWS.

To run Auto Scaling, the following AWS services must also be enabled or subscribed to:

  • Route 53
  • API gateway
  • Load Balancer
  • CloudWatch
  • Lambda
  • SNS
  • DynamoDB
  • S3 (BYOL only)

AWS Auto Scaling in general does not require all of these services, but the Fortinet-provided Lambda scripts depend on them.

Load Balancer

Also called Elastic Load Balancer (ELB). A network load balancer, when configured properly, automatically distributes traffic across multiple FortiGate instances. The topology differs depending on how you distribute incoming and outgoing traffic and how you cover availability zones. There are two use cases for using a load balancer with FortiGate:

Purpose: Monitoring

CloudWatch

Monitoring service for various AWS resources. CloudWatch can be used in three scenarios with FortiGate:

  • Monitor the health of FortiGate instances and alert when needed.
  • Define the Auto Scaling scale-out triggers that fire alarms.
  • Monitor GuardDuty events.

You must subscribe to CloudWatch to use corresponding features.

Purpose: Related AWS services used as prerequisites for additional HA or extra features

Lambda

AWS Lambda lets you run code without provisioning servers. Fortinet provides Lambda scripts for:

  • Running Auto Scaling
  • Integration to GuardDuty

To use the scripts, you must subscribe to Lambda. Fortinet-provided Lambda scripts are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

API Gateway

API Gateway acts as a front door: it provides the callback URL to which FortiGate sends its API calls, and it processes the FortiGate config-sync tasks that synchronize the FortiOS configuration across multiple FortiGate instances at the time of an Auto Scaling scale-out. It is required if the Config-Sync feature is to be incorporated into Auto Scaling.

DynamoDB

A managed, flexible NoSQL database. Fortinet-provided scripts use DynamoDB to store state about the changing Auto Scaling conditions.
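One piece of state the scale-out flow has to track is which BYOL license from the S3 pool has been handed to which FortiGate instance. The added example below is not Fortinet's Lambda code; it shows the allocation logic a scale-out handler needs, with the S3 object listing passed in as a plain list of keys and the DynamoDB table replaced by an in-memory stand-in whose `claim` method models a conditional write (the `attribute_not_exists` guard that stops two concurrent scale-out events from taking the same license). Both stand-ins and the `.lic` key names are assumptions.

```python
"""Idempotent license allocation for FortiGate Auto Scaling scale-out.

Added example, not Fortinet's autoscale Lambda. S3 listing and the DynamoDB
state table are replaced by in-memory stand-ins so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class LicenseState:
    """Stand-in for the DynamoDB table: license object key -> instance ID."""
    assigned: dict = field(default_factory=dict)

    def license_for(self, instance_id: str):
        """Return the key already assigned to this instance, if any."""
        for key, owner in self.assigned.items():
            if owner == instance_id:
                return key
        return None

    def claim(self, key: str, instance_id: str) -> bool:
        """Model a conditional put (attribute_not_exists on the key): succeeds
        only if nobody holds the license yet, so concurrent scale-out events
        cannot both take it."""
        if key in self.assigned:
            return False
        self.assigned[key] = instance_id
        return True

    def release(self, instance_id: str):
        """Drop the assignment for a terminated instance; return the freed key."""
        key = self.license_for(instance_id)
        if key is not None:
            del self.assigned[key]
        return key


def allocate_license(instance_id: str, pool_keys: list, state: LicenseState):
    """Return the S3 key of the license assigned to instance_id, or None when
    the pool is exhausted (the caller should then stop launching instances).
    Re-invoking for the same instance returns the same key."""
    existing = state.license_for(instance_id)
    if existing is not None:
        return existing
    for key in sorted(pool_keys):
        if not key.endswith(".lic"):
            continue  # ignore README files or other stray objects in the bucket
        if state.claim(key, instance_id):
            return key
    return None


def release_license(instance_id: str, state: LicenseState):
    """Scale-in hook: return a terminated instance's license to the pool."""
    return state.release(instance_id)


if __name__ == "__main__":
    # Constructed sample listing; in a real handler this comes from list_objects_v2.
    pool = ["licenses/FGVM01.lic", "licenses/FGVM02.lic", "licenses/README.txt"]
    st = LicenseState()
    print(allocate_license("i-0aaa", pool, st))   # licenses/FGVM01.lic
    print(allocate_license("i-0bbb", pool, st))   # licenses/FGVM02.lic
    print(allocate_license("i-0ccc", pool, st))   # None: pool exhausted
```

Returning `None` rather than raising when the pool is empty lets the handler record the condition and refuse the launch instead of booting an unlicensed instance behind the load balancer.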

SNS

Managed message service used to communicate between AWS components. Fortinet-provided scripts use SNS to deliver subscription notifications from CFTs to Lambda for Auto Scaling.

GuardDuty

Managed threat detection service that monitors unwanted behaviors and activities related to AWS resources. FortiGate can use an externally hosted list of malicious IP addresses, and GuardDuty can be used to populate such a list. See GuardDuty integration. To use this feature, you must subscribe to GuardDuty.

S3

AWS object storage. S3 can be used in four scenarios with FortiGate:

  • Stores the list of blacklisted IP addresses that FortiGate points to when integrating with GuardDuty. See GuardDuty integration. You must grant FortiGate access to the S3 bucket/directory in the S3 configuration.
  • Stores the license keys that are parsed when provisioning additional FortiGate instances during an Auto Scaling scale-out.
  • Stores a license key and FortiGate config file used to bootstrap FortiGate at initial boot-up. See Bootstrapping FortiGate at Initial Boot-Up Using User Data.
  • Stores the license keys that are parsed when provisioning A-P HA. See Customizing the CFT template.
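The GuardDuty row above and the first S3 scenario describe the same pipeline: GuardDuty findings are turned into a plain-text list of IP addresses in S3 that FortiGate reads. The added example below is not Fortinet's integration script; it shows the part of a Lambda handler that merges new findings into the existing list. It takes the `detail` object of GuardDuty findings as delivered through EventBridge (field names `service.action.networkConnectionAction`, `portProbeAction.portProbeDetails[]` and `awsApiCallAction`, each with `remoteIpDetails.ipAddressV4`), drops findings below a severity threshold, and refuses private, reserved and malformed addresses so a bad finding can never block your own VPC ranges. Reading and writing the S3 object is left to the caller. The sample findings are constructed, and the addresses in them are arbitrary placeholders.

```python
"""Merge GuardDuty findings into a FortiGate-readable IP blocklist.

Added example, not Fortinet's GuardDuty Lambda. Input is a list of GuardDuty
finding `detail` dicts (EventBridge shape); output is one entry per line,
the plain-text format an external IP list in S3 uses.
"""
import ipaddress


def remote_ips_from_finding(detail: dict) -> set:
    """Collect every remote IPv4 address a finding names, across the action
    types GuardDuty emits (connection, port probe, API call)."""
    action = detail.get("service", {}).get("action", {})
    ips = set()
    for block in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(block, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.add(ip)
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.add(ip)
    return ips


def parse_entry(entry: str):
    """Return an ip_network for a list line (single IP or CIDR), or None if the
    line is not a globally routable unicast address. Private, loopback,
    link-local, documentation and multicast ranges are rejected on purpose:
    blocking them would cut FortiGate off from the VPC it protects."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None
    if not net.is_global or net.is_multicast:
        return None
    return net


def merge_blocklist(existing_text: str, findings: list, min_severity: float = 4.0) -> str:
    """Return the new list contents: previous valid entries plus the remote IPs
    from findings at or above min_severity, de-duplicated and sorted."""
    entries = {}
    for line in existing_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            net = parse_entry(line)
            if net is not None:
                entries[str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)] = net
    for detail in findings:
        if float(detail.get("severity", 0)) < min_severity:
            continue  # low-severity recon findings are noise for a blocklist
        for ip in remote_ips_from_finding(detail):
            net = parse_entry(ip)
            if net is not None:
                entries[ip] = net
    ordered = sorted(entries.items(), key=lambda kv: (kv[1].version, kv[1]))
    return "".join(text + "\n" for text, _ in ordered)


# Constructed sample findings; the IP addresses are placeholders, not real IoCs.
SAMPLE_FINDINGS = [
    {"severity": 5.0, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "service": {"action": {"networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "5.6.7.8"}}}}},
    {"severity": 2.0, "type": "Recon:EC2/Portscan",
     "service": {"action": {"networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "9.9.9.9"}}}}},
    {"severity": 8.0, "type": "Recon:EC2/PortProbeUnprotectedPort",
     "service": {"action": {"portProbeAction": {"portProbeDetails": [
         {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}},      # private: must be dropped
         {"remoteIpDetails": {"ipAddressV4": "1.2.3.4"}}]}}}},  # already listed: no duplicate
]

if __name__ == "__main__":
    print(merge_blocklist("# existing list\n1.2.3.4\n192.0.2.7\n", SAMPLE_FINDINGS), end="")
```

Writing the merged text back to the same S3 key is the only side effect a real handler adds; keeping the merge pure makes the severity threshold and the address filter easy to unit test before any finding can change what FortiGate blocks.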
