AWS Cookbook

6.2.0

Deploying auto scaling on AWS

You can deploy FortiGate virtual machines (VMs) to support Auto Scaling on AWS. Optionally, AWS Transit Gateway can be used to connect Amazon Virtual Private Clouds (Amazon VPCs) and their on-premises networks to a single gateway. This integration extends the FortiGate protection to all networks connected to the Transit Gateway. Both options require a manual deployment incorporating CloudFormation Templates (CFTs). Fortinet provides FortiGate Autoscale for AWS deployment packages to facilitate each deployment.

Multiple FortiGate-VM instances form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate-VM instances can be scaled out automatically according to predefined workload levels. When a spike in traffic occurs, a Lambda script is invoked to scale out the Auto Scaling group by automatically adding FortiGate-VM instances. Auto Scaling is achieved by using FortiGate-native High Availability (HA) features such as config-sync, which synchronizes operating system (OS) configurations across multiple FortiGate-VM instances at the time of scale-out events.

FortiGate Autoscale for AWS is available with FortiOS 6.2.3 and supports any combination of On-Demand and Bring Your Own License (BYOL) instances.

Note

Fees will be incurred based on the Amazon Elastic Compute Cloud (Amazon EC2) instance type. Additionally, a license is required for each FortiGate Bring Your Own License (BYOL) instance you might use.

FortiGate Autoscale for AWS uses AWS CloudFormation Templates (CFTs) to deploy components.

Deployments without Transit Gateway integration have:

  • A highly available architecture that spans two Availability Zones.*
  • An Amazon VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
  • An Internet gateway to allow access to the Internet.*
  • In the public subnets:
    • A FortiGate host in an Auto Scaling group complements AWS security groups to provide intrusion protection, web filtering, and threat detection to protect your services from cyber-attacks. It also allows VPN access by authorized users.
    • The primary FortiGate in the Auto Scaling group(s) acts as NAT gateway, allowing outbound Internet access for resources in the private subnets.*
  • A public-facing network load balancer is created as part of the deployment process. An internal-facing network load balancer is optional.
  • AWS Lambda, which provides the core Auto Scaling functionality between FortiGates.
  • An Amazon DynamoDB database that uses Fortinet-provided scripts to store information about Auto Scaling condition states.

* When deploying into an existing VPC, the marked components in the above list are not created - you are prompted for your existing VPC configuration.

Deployments with Transit Gateway integration have:

  • A highly available architecture that spans two Availability Zones.
  • An Amazon VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.
  • An Internet gateway to allow access to the Internet.
  • In the public subnets:
    • A FortiGate host in an Auto Scaling group complements AWS security groups to provide intrusion protection, web filtering, and threat detection to protect your services from cyber-attacks. It also allows VPN access by authorized users.
    • The primary FortiGate in the Auto Scaling group(s) acts as NAT gateway, allowing outbound Internet access for resources in the private subnets.
  • AWS Lambda, which provides the core Auto Scaling functionality between FortiGates.
  • An Amazon DynamoDB database that uses Fortinet-provided scripts to store information about Auto Scaling condition states.
  • Site-to-Site VPN connections.
