Fortinet Document Library

AWS Cookbook 6.2.0

Deploying the CloudFormation templates

FortiGate Autoscale for AWS can be deployed:

  • with Transit Gateway integration (with a new Transit Gateway or integrated with your existing Transit Gateway)
  • without Transit Gateway integration (into a New VPC or into an existing VPC)

Deployment notes

Deployment option: with Transit Gateway integration

Notes: One inbound route domain and one outbound route domain are created on the new or existing Transit Gateway, and FortiGate Autoscale for AWS is attached to it.

Deployment option: into an existing VPC

Notes:
  • Incoming requests to the web servers in the private subnets of your existing VPC flow through the Internet gateway, the network load balancer, and the FortiGate Auto Scaling group before reaching the web server. The web server returns its response over the same connection.
  • One of the FortiGates in the Autoscale deployment acts as the NAT gateway for egress traffic from the private subnets. Autoscale automatically manages the route for that traffic in your route table for the private subnet, so you can safely stop using additional NAT devices for egress from the private subnets.
  • To send part of the egress traffic through a different NAT device, add a route for that specific destination with the other NAT device as the target. For example, to send egress traffic to 1.2.3.4 through your own NAT device, create a route with destination 1.2.3.4/32 and your NAT device as the target. Because VPC route tables select the most specific matching prefix, traffic to 1.2.3.4 flows through your NAT device while all other egress traffic continues to flow through the FortiGate. Traffic pinned this way is not inspected by the FortiGate, so use it only for destinations you intend to exempt.
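The following script is an added example; it is not part of this document or of the FortiGate Autoscale project. It shows why the /32 route above takes precedence: VPC route tables pick the longest matching prefix, and the script implements that longest-prefix match over a constructed sample route table (the ENI and NAT gateway IDs are made up). It then wraps the aws ec2 commands that list a route table and add the pinned route. The aws commands are only echoed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the Fortinet page. Demonstrates longest-prefix match
# over a private-subnet route table and wraps the aws ec2 calls to inspect the
# table and pin one destination to your own NAT gateway. IDs are made up.
# aws commands are only echoed unless DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample route table, one "cidr target" per line:
#   0.0.0.0/0  -> the FortiGate ENI that Autoscale manages for egress
#   1.2.3.4/32 -> your own NAT gateway (the pinned exception)
ROUTES="10.0.0.0/16 local
0.0.0.0/0 eni-0fortigate0000000
1.2.3.4/32 nat-0123456789abcdef0"

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  printf '%s\n' "$1" | {
    IFS=. read -r o1 o2 o3 o4
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  }
}

# Netmask (as an integer) for a prefix length 0..32.
prefix_mask() {
  echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Longest-prefix match: the target the VPC uses for a destination IP.
# A /32 always beats 0.0.0.0/0, which is why the pinned route wins.
route_for() {
  ip=$(ip2int "$1")
  printf '%s\n' "$ROUTES" | {
    best_len=-1; best_target=none
    while read -r cidr target; do
      net=$(ip2int "${cidr%/*}"); len=${cidr#*/}; mask=$(prefix_mask "$len")
      if [ $(( net & mask )) -eq $(( ip & mask )) ] && [ "$len" -gt "$best_len" ]; then
        best_len=$len; best_target=$target
      fi
    done
    echo "$best_target"
  }
}

# Echo the aws command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# List the routes in a private-subnet route table (rtb-... ID assumed).
show_routes() {
  run aws ec2 describe-route-tables --route-table-ids "$1" \
    --query 'RouteTables[0].Routes[].[DestinationCidrBlock,NatGatewayId,NetworkInterfaceId,State]' \
    --output table
}

# Send one destination through your own NAT gateway instead of the FortiGate.
# Usage: pin_egress_route rtb-0123456789abcdef0 1.2.3.4/32 nat-0123456789abcdef0
pin_egress_route() {
  run aws ec2 create-route --route-table-id "$1" --destination-cidr-block "$2" --nat-gateway-id "$3"
}
```

Run `route_for 1.2.3.4` and `route_for 1.2.3.5` against the sample table to see the /32 exception take precedence for the one address while the rest still resolves to the FortiGate ENI.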
To deploy the CloudFormation templates:
  1. Navigate to the S3 folder you uploaded the files to in the previous section. In this example, the path is Amazon S3 > fortigate-autoscale > deployment-package.
  2. Click templates and select the entry template for your deployment option:
    • with Transit Gateway integration: autoscale-tgw-new-vpc.template.yaml
    • without Transit Gateway integration, into a new VPC: autoscale-new-vpc.template.yaml
    • without Transit Gateway integration, into an existing VPC: autoscale-existing-vpc.template.yaml
  3. Copy the Object URL of the template you selected. In this example, the template is the one for deploying into a new VPC.
  4. Click Services, and then Management & Governance > CloudFormation.
  5. Confirm that you are in the intended region, then click Create Stack > With new resources (standard).
  6. Paste the Object URL from step 3 into the Amazon S3 URL field.
  7. Click Next.
