Adding instances to the protected subnet
When the deployment has completed, an Instance group can be created and VMs can be added to the protected subnet, behind the internal load balancer.
In GCP, each NIC on a VM must reside in a separate VPC. In this deployment, the FortiGate has two NICs: one in the exposed public subnet / VPC and the other in the protected subnet / VPC. By default, the protected subnet is called fortigateautoscale-protected-subnet-CLUSTER-SUFFIX.
The default FortiGate configuration located under /assets/configset/baseconfig specifies a VIP on port 80 and a VIP on port 443 with a policy that points to an internal load balancer.
In FortiOS 6.2.3, VIPs created on the primary instance do not sync to the secondary instances. Any VIP you wish to add must be added as part of the baseconfig.
The following illustrates adding a basic unmanaged Instance group into the protected subnet and internal load balancer.
- Create the VM, ensuring that it resides within the proper region, VPC and subnet.
- Create an Instance group.
- Under Network services > Load balancing choose the Internal load balancer, select Backend configuration and add the new Instance group.
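The same three steps can be scripted with the gcloud CLI. The script below is an added example, not part of the original guide or the FortiGate autoscale project; the VM and group names are hypothetical, the zone, region and backend service are placeholders to replace with your deployment's values, and `--no-address` is an assumption that the protected VM should have no external IP.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps above.
# Prints the commands by default; set APPLY=1 to execute them.
set -eu

ZONE="${ZONE:-ZONE_PLACEHOLDER}"        # placeholder: zone of the protected subnet's region
REGION="${REGION:-REGION_PLACEHOLDER}"  # placeholder: region of the internal load balancer
# Default name pattern from the guide; replace CLUSTER-SUFFIX with your own.
SUBNET="${SUBNET:-fortigateautoscale-protected-subnet-CLUSTER-SUFFIX}"
VM="${VM:-protected-web-1}"                        # hypothetical VM name
GROUP="${GROUP:-protected-web-group}"              # hypothetical instance group name
BACKEND="${BACKEND:-INTERNAL_LB_BACKEND_SERVICE}"  # placeholder: the ILB's backend service
APPLY="${APPLY:-0}"

# Execute the command when APPLY=1, otherwise print it for review.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

add_protected_backend() {
  # 1. VM in the protected subnet (assumption: no external IP, so inbound
  #    traffic only arrives through the FortiGate VIPs and internal LB).
  run gcloud compute instances create "$VM" \
    --zone="$ZONE" --subnet="$SUBNET" --no-address
  # 2. Unmanaged instance group in the same zone, then add the VM to it.
  run gcloud compute instance-groups unmanaged create "$GROUP" --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances "$GROUP" \
    --zone="$ZONE" --instances="$VM"
  # 3. Attach the group as a backend of the internal load balancer.
  run gcloud compute backend-services add-backend "$BACKEND" \
    --region="$REGION" --instance-group="$GROUP" --instance-group-zone="$ZONE"
}

add_protected_backend
```

Review the printed commands first, then rerun with `APPLY=1` and the real values exported once they match your deployment.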