
AWS Administration Guide

Configuring the SDN connector to populate dynamic objects



It is recommended to configure the SDN Connector using the GUI, then check the configuration using the CLI:

Configuring the AWS SDN Connector using the GUI

  1. Go to Security Fabric > Fabric Connectors. Click Create New.
  2. Under SDN, select Amazon Web Services (AWS). Note that you can create only one SDN Connector per connector type.
  3. In the AWS access key ID field, enter the access key ID created in the AWS management portal.
  4. In the AWS secret access key field, enter the secret access key that accompanies the above access key ID.
  5. In the AWS region name field, enter the region name. Refer to AWS Regions and Endpoints for the desired region name.
  6. In the AWS VPC ID field, enter the ID of the VPC within the specified region that you want the SDN Connector to cover.
  7. In the Update Interval field, enter the desired number of seconds. You can enter any value between 1 and 3600 seconds. The default value is 60 seconds.
  8. Toggle the Status on or off.
  9. Click OK.

Checking the configuration using the CLI

To check the configuration, open the CLI console and enter the following commands:

    config system sdn-connector
        edit "<connector-name>"
            show

The output resembles the following:

    config system sdn-connector
        edit "<connector-name>"
            set access-key "<example-access-key>"
            set secret-key ENC <example-secret-key>
            set region "us-west-2"
            set vpc-id "vpc-e1e4b587"
            set update-interval 1
        next
    end

If the Fabric Connector shows as not enabled under Security Fabric > Fabric Connectors in the FortiOS GUI, run the following commands to turn on debug output for the awsd daemon and find out why the connector fails to update:

    diagnose deb application awsd -1
    diagnose debug enable

The output may display an error like the following:

    FGT # awsd sdn connector AWS_SDN prepare to update
    awsd sdn connector AWS_SDN start updating
    aws curl response err, 403
    <?xml version="1.0" encoding="UTF-8"?>
    <Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>8403cc11-b185-41da-ad6d-23bb4db7d00a</RequestID></Response>
    awsd curl failed 403
    awsd sdn connector AWS_SDN failed to get instance list
    aws curl response err, 403
    {"Message":"User: arn:aws:iam::956224459807:user/jcarcavallo is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-east-1:956224459807:cluster/*"}
    awsd sdn connector AWS_SDN get EKS cluster list failed
    awsd sdn connector AWS_SDN list EKS cluster failed
    awsd sdn connector AWS_SDN start updating IP addresses
    awsd sdn connector AWS_SDN finish updating IP addresses
    awsd reap child pid: 569

The 403 responses show that the IAM user whose keys the connector uses lacks the permissions awsd needs; the debug output names the denied calls (the EC2 instance list and eks:ListClusters). In this case, you must configure power user access for the current administrator in the AWS management console. A narrower policy that grants only the read-only describe and list actions the connector actually calls is the least-privilege alternative, and the same debug output tells you whether anything is still denied.

After configuring power user access, run the following commands:

    diagnose deb application awsd -1
    diagnose debug enable

The output should display without error, as follows:

    FGT # AWSD: update sdn connector AWS_SDN status to enabled
    awsd sdn connector AWS_SDN prepare to update
    awsd sdn connector AWS_SDN start updating
    awsd get ec2 instance info successfully
    awsd sdn connector AWS_SDN start updating IP addresses
    awsd sdn connector AWS_SDN finish updating IP addresses
    awsd reap child pid: 893

The AWS connector is now enabled.
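The two debug transcripts above are the only evidence the FortiGate gives you about why a connector update fails, and the useful part is buried in the XML and JSON error bodies. The following script, added here as an example and not part of Fortinet's code or documentation, pairs each "aws curl response err" line with the error body that follows it, pulls out the HTTP status, the AWS error code, any IAM action and resource the body names, and the awsd step that failed, and reports whether the update completed. The two sample transcripts are constructed by copying the failing and successful runs shown on this page; the regular expressions assume the message formats seen in those transcripts (IAM's "not authorized to perform: <action> on resource: <arn>" phrasing and awsd's "failed to ..."/"... failed" step lines).

```python
"""Triage FortiGate awsd debug output for AWS authorization failures.

Added example for this page, not Fortinet code. The sample transcripts are
constructed from the failing and successful runs shown in the text; the regular
expressions assume the message formats that appear in those transcripts.
"""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the failing run (EC2 and EKS both answer 403).
FAILING_RUN = """\
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
aws curl response err, 403
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>8403cc11-b185-41da-ad6d-23bb4db7d00a</RequestID></Response>
awsd curl failed 403
awsd sdn connector AWS_SDN failed to get instance list
aws curl response err, 403
{"Message":"User: arn:aws:iam::956224459807:user/jcarcavallo is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-east-1:956224459807:cluster/*"}
awsd sdn connector AWS_SDN get EKS cluster list failed
awsd sdn connector AWS_SDN list EKS cluster failed
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 569
"""

# Constructed sample: the successful run after the IAM permissions were fixed.
SUCCESSFUL_RUN = """\
AWSD: update sdn connector AWS_SDN status to enabled
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
awsd get ec2 instance info successfully
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 893
"""

HTTP_ERR = re.compile(r"aws curl response err, (\d{3})")
# IAM's standard "not authorized to perform: <action> on resource: <arn>" phrasing.
DENIED = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")
# awsd names the failed step on the line(s) that follow the error body (assumed format).
FAILED_STEP = re.compile(r"awsd sdn connector \S+ (?:failed to (?P<a>.+)|(?P<b>.+) failed)$")


@dataclass
class Finding:
    status: int                 # HTTP status awsd received
    code: Optional[str]         # AWS error code, if the body carries one
    action: Optional[str]       # IAM action named in the body (EC2's generic error names none)
    resource: Optional[str]     # resource ARN named in the body
    step: Optional[str] = None  # awsd step that failed, e.g. "get instance list"


def _parse_body(line: str):
    """Return (code, message) from an XML or JSON AWS error body line, else None."""
    s = line.strip()
    if s.startswith("<"):
        try:
            root = ET.fromstring(s)
        except ET.ParseError:  # e.g. the bare <?xml ...?> prolog on its own line
            return None
        err = root.find("./Errors/Error")
        if err is None:
            return None
        return err.findtext("Code"), err.findtext("Message", "")
    if s.startswith("{"):
        try:
            obj = json.loads(s)
        except json.JSONDecodeError:
            return None
        return obj.get("Code"), obj.get("Message", obj.get("message", ""))
    return None


def triage(debug_output: str) -> List[Finding]:
    """Pair each 'aws curl response err' line with the error body that follows it."""
    findings: List[Finding] = []
    pending: Optional[int] = None  # HTTP status waiting for its body
    for line in debug_output.splitlines():
        m = HTTP_ERR.search(line)
        if m:
            pending = int(m.group(1))
            continue
        if pending is not None:
            parsed = _parse_body(line)
            if parsed is None:
                continue
            code, message = parsed
            d = DENIED.search(message)
            findings.append(Finding(pending, code,
                                    d.group(1) if d else None,
                                    d.group(2) if d else None))
            pending = None
            continue
        m = FAILED_STEP.search(line)
        if m and findings and findings[-1].step is None:
            findings[-1].step = m.group("a") or m.group("b")
    return findings


def denied_actions(debug_output: str) -> List[str]:
    """IAM actions AWS explicitly named as denied; the policy fix must cover at least these."""
    return sorted({f.action for f in triage(debug_output) if f.action})


def update_succeeded(debug_output: str) -> bool:
    """True when awsd fetched the instance list and no request was rejected."""
    return "get ec2 instance info successfully" in debug_output and not triage(debug_output)


if __name__ == "__main__":
    for name, run in (("failing", FAILING_RUN), ("successful", SUCCESSFUL_RUN)):
        print(f"{name}: succeeded={update_succeeded(run)}")
        for f in triage(run):
            print(f"  HTTP {f.status} {f.code or '-'} step={f.step!r} "
                  f"action={f.action} resource={f.resource}")
```

Note that EC2's UnauthorizedOperation body does not name the denied action, so for that request only the awsd step line ("failed to get instance list") tells you which call was rejected; the EKS body does name the action, and denied_actions() returns it directly so the IAM policy can be corrected without guessing.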
