Fortinet Document Library

Version:


Table of Contents

AWS Cookbook

Resources

Upgrade Path Tool

AWS Cookbook

6.2.0
Download PDF
Copy Link

AWS services and components

FortiGate-VM for AWS is an Elastic Compute Cloud (EC2) instance with an Elastic Block Store (EBS) volume attached. The following lists AWS services and components that you must understand when deploying FortiGate-VM for different purposes:

Ordinary FortiGate-VM single instance deployment or FortiGate-native active-passive high availability

Service/component

Description

Virtual private cloud (VPC)

This is where the FortiGate-VM and protected VMs are situated and users control the network. The public-facing interface is routed to the Internet gateway, which is created within the VPC.

EC2

FortiGate-VM for AWS is an EC2 VM instance. Every instance has a unique instance ID.

Subnets, route tables

You must appropriately configure FortiGate-VM with subnets and route tables to handle traffic.

Internet gateways

The AWS gateway as a VPC component that allows communication between instances in your VPC and the Internet.

Elastic IP address (EIP)

At least one public IP address must be allocated to the FortiGate-VM to access and manage it over the Internet.

Security groups

AWS public-facing protection. Allow only necessary ports and protocols.

AMI

A special type of deployable image used on AWS. You can launch FortiGate-VM (BYOL) directly from the publicly available FortiGate AMI instead of using the marketplace. See Deploying from BYOL AMI.

The on-demand AMI is launchable but does not allow you to properly boot up as it is not intended to be deployed from AMI.

CloudFormation Templates (CFT)

FortiGate instances can be deployed using CFTs where tailor-made resource instantiation is defined. Fortinet provides CFTs for the following use cases:

  • Deploying FortiGate-native A-P HA
  • Customer-required scenarios with particular topologies

CFTs are available on GitHub.

Fortinet-provided CFTs are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

Additional or alternative HA using AWS mechanisms

Service/component

Description

Auto Scaling

Auto scaling can automatically scale out by instantiating additional FortiGate-VM instances at times of high workloads. See Deploying auto scaling on AWS.

To run auto scaling, you must enable/subscribe to coexisting AWS services:

  • Route 53
  • API gateway
  • Load Balancer
  • CloudWatch
  • Lambda
  • SNS
  • DynamoDB
  • Simple Storage Services (S3) (BYOL only)

These services are not always required for AWS auto scaling in general, but are predefined in Fortinet-provided Lambda scripts.

Load Balancer

Also called Elastic Load Balancer (ELB). A network load balancer automatically distributes traffic across multiple FortiGate-VM instances when configured properly. Topologies will be different depending on how you distribute incoming and outgoing traffic and cover AZs. There are two use cases to use LB with FortiGate-VM:

Monitoring

Service/component

Description

CloudWatch

Monitoring service for various AWS resources. You can use CloudWatch in three scenarios with FortiGate-VM:

  • Monitor FortiGate-VM instance health and alert when needed.
  • Define auto scaling scale-out triggers to fire alarms
  • Monitor GuardDuty events

You must subscribe to CloudWatch to use corresponding features.

Related AWS services used as prerequisites for additional HA or extra features

Service/component

Description

Lambda

AWS Lambda lets you run certain scripts and codes without provisioning servers. Fortinet provides Lambda scripts for:

  • Running auto scaling
  • GuardDuty integration

To use the scripts, you must subscribe to Lambda. Fortinet-provided Lambda scripts are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

API Gateway

It acts as a front door by providing a callback URL for the FortiGate-VM to send its API calls and process FortiGate-VM config-sync tasks to synchronize OS configuration across multiple FortiGate-VM instances at the time of auto scaling scale-out. It is required if the config-sync feature needs to be incorporated into auto scaling.

DynamoDB

A handy flexible database. Fortinet-provided scripts use DynamoDB to store information about varying states of auto scaling conditions.

SNS

Managed message service used to communicate between AWS components. Fortinet-provided scripts use SNS to deliver subscription notifications from CFTs to Lambda for auto scaling.

GuardDuty

Managed threat detection service that monitors unwanted behaviors/activities related to AWS resources. Fortinet can leverage externally available lists of malicious IP addresses stored at certain locations. GuardDuty can be used to populate such a list. See Populating threat feeds with GuardDuty. To use this feature, you must subscribe to GuardDuty.

S3

AWS storage. You can use S3 in four scenarios with FortiGate-VM:

  • As the location where the list of blocklisted IP addresses is stored which is pointed by the FortiGate-VM in integrating with GuardDuty. See Populating threat feeds with GuardDuty. You must allow the FortiGate-VM access to the S3 bucket/directory on S3 configuration.
  • To store license keys which are parsed when provisioning additional FortiGate-VM instances in the event of auto scaling scale-out.
  • To store a license key and the FortiGate-VM config file to bootstrap the FortiGate-VM at initial boot-up. See Bootstrapping the FortiGate-VM at initial boot-up using user data.
  • To store license keys which are parsed when provisioning A-P HA.

Resources

AWS services and components

FortiGate-VM for AWS is an Elastic Compute Cloud (EC2) instance with an Elastic Block Store (EBS) volume attached. The following lists AWS services and components that you must understand when deploying FortiGate-VM for different purposes:

Ordinary FortiGate-VM single instance deployment or FortiGate-native active-passive high availability

Service/component

Description

Virtual private cloud (VPC)

This is where the FortiGate-VM and protected VMs are situated and users control the network. The public-facing interface is routed to the Internet gateway, which is created within the VPC.

EC2

FortiGate-VM for AWS is an EC2 VM instance. Every instance has a unique instance ID.

Subnets, route tables

You must appropriately configure FortiGate-VM with subnets and route tables to handle traffic.

Internet gateways

The AWS gateway as a VPC component that allows communication between instances in your VPC and the Internet.

Elastic IP address (EIP)

At least one public IP address must be allocated to the FortiGate-VM to access and manage it over the Internet.

Security groups

AWS public-facing protection. Allow only necessary ports and protocols.

AMI

A special type of deployable image used on AWS. You can launch FortiGate-VM (BYOL) directly from the publicly available FortiGate AMI instead of using the marketplace. See Deploying from BYOL AMI.

The on-demand AMI is launchable but does not allow you to properly boot up as it is not intended to be deployed from AMI.

CloudFormation Templates (CFT)

FortiGate instances can be deployed using CFTs where tailor-made resource instantiation is defined. Fortinet provides CFTs for the following use cases:

  • Deploying FortiGate-native A-P HA
  • Customer-required scenarios with particular topologies

CFTs are available on GitHub.

Fortinet-provided CFTs are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

Additional or alternative HA using AWS mechanisms

Service/component

Description

Auto Scaling

Auto scaling can automatically scale out by instantiating additional FortiGate-VM instances at times of high workloads. See Deploying auto scaling on AWS.

To run auto scaling, you must enable/subscribe to coexisting AWS services:

  • Route 53
  • API gateway
  • Load Balancer
  • CloudWatch
  • Lambda
  • SNS
  • DynamoDB
  • Simple Storage Services (S3) (BYOL only)

These services are not always required for AWS auto scaling in general, but are predefined in Fortinet-provided Lambda scripts.

Load Balancer

Also called Elastic Load Balancer (ELB). A network load balancer automatically distributes traffic across multiple FortiGate-VM instances when configured properly. Topologies will be different depending on how you distribute incoming and outgoing traffic and cover AZs. There are two use cases to use LB with FortiGate-VM:

Monitoring

Service/component

Description

CloudWatch

Monitoring service for various AWS resources. You can use CloudWatch in three scenarios with FortiGate-VM:

  • Monitor FortiGate-VM instance health and alert when needed.
  • Define auto scaling scale-out triggers to fire alarms
  • Monitor GuardDuty events

You must subscribe to CloudWatch to use corresponding features.

Related AWS services used as prerequisites for additional HA or extra features

Service/component

Description

Lambda

AWS Lambda lets you run certain scripts and codes without provisioning servers. Fortinet provides Lambda scripts for:

  • Running auto scaling
  • GuardDuty integration

To use the scripts, you must subscribe to Lambda. Fortinet-provided Lambda scripts are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

API Gateway

It acts as a front door by providing a callback URL for the FortiGate-VM to send its API calls and process FortiGate-VM config-sync tasks to synchronize OS configuration across multiple FortiGate-VM instances at the time of auto scaling scale-out. It is required if the config-sync feature needs to be incorporated into auto scaling.

DynamoDB

A handy flexible database. Fortinet-provided scripts use DynamoDB to store information about varying states of auto scaling conditions.

SNS

Managed message service used to communicate between AWS components. Fortinet-provided scripts use SNS to deliver subscription notifications from CFTs to Lambda for auto scaling.

GuardDuty

Managed threat detection service that monitors unwanted behaviors/activities related to AWS resources. Fortinet can leverage externally available lists of malicious IP addresses stored at certain locations. GuardDuty can be used to populate such a list. See Populating threat feeds with GuardDuty. To use this feature, you must subscribe to GuardDuty.

S3

AWS storage. You can use S3 in four scenarios with FortiGate-VM:

  • As the location where the list of blocklisted IP addresses is stored which is pointed by the FortiGate-VM in integrating with GuardDuty. See Populating threat feeds with GuardDuty. You must allow the FortiGate-VM access to the S3 bucket/directory on S3 configuration.
  • To store license keys which are parsed when provisioning additional FortiGate-VM instances in the event of auto scaling scale-out.
  • To store a license key and the FortiGate-VM config file to bootstrap the FortiGate-VM at initial boot-up. See Bootstrapping the FortiGate-VM at initial boot-up using user data.
  • To store license keys which are parsed when provisioning A-P HA.