Configuring the SDN connector to populate dynamic objects
It is recommended to configure the SDN Connector using the GUI, then check the configuration using the CLI:
Configuring the AWS SDN Connector using the GUI
- Go to Security Fabric > Fabric Connectors. Click Create New.
- Under SDN, select Amazon Web Services (AWS). Note that only one SDN Connector can be created per connector type.
- In the AWS access key ID field, enter the key created in the AWS management portal.
- In the AWS secret access key field, enter the secret access key accompanying the above access key.
- In the AWS region name field, enter the region name. Refer to AWS Regions and Endpoints for the desired region name.
- In the AWS VPC ID field, enter the ID of the VPC, within the specified region, that the SDN Connector should cover.
- In the Update Interval field, enter the desired number of seconds. You can enter any value between 1 and 3600 seconds. The default value is 60 seconds.
- Toggle the Status on or off.
- Click OK.
Checking the configuration using the CLI
To check the configuration, open the CLI console and enter the following commands:
config system sdn-connector
edit "<connector-name>"
show
The output resembles the following:
config system sdn-connector
edit "<connector-name>"
set access-key "<example-access-key>"
set secret-key ENC <example-secret-key>
set region "us-west-2"
set vpc-id "vpc-e1e4b587"
set update-interval 1
next
end
If the Fabric connector is shown as not enabled under Security Fabric > Fabric Connectors in the FortiOS GUI, run the following commands to turn on awsd debug output and see why the Fabric Connector fails to enable:
diagnose deb application awsd -1
diagnose debug enable
The output may display an error like the following:
FGT # awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
aws curl response err, 403
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>8403cc11-b185-41da-ad6d-23bb4db7d00a</RequestID></Response>
awsd curl failed 403
awsd sdn connector AWS_SDN failed to get instance list
aws curl response err, 403
{"Message":"User: arn:aws:iam::956224459807:user/jcarcavallo is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-east-1:956224459807:cluster/*"}
awsd sdn connector AWS_SDN get EKS cluster list failed
awsd sdn connector AWS_SDN list EKS cluster failed
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 569
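The debug output above can be triaged automatically. The following is an added example, not part of the Fortinet documentation: it parses awsd debug lines, records which update steps failed, and pulls the IAM principal and the denied action (here eks:ListClusters) out of the AWS error body, so the missing permission is identified before the user's policy is changed. The regexes, function names and sample lines are my own, modelled on the output shown above.

```python
import re

# Constructed sample modelled on the failed awsd run shown above; the account
# id, user name and request id are placeholders, not values from the page.
FAILED_RUN = """\
FGT # awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
aws curl response err, 403
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>00000000-0000-0000-0000-000000000000</RequestID></Response>
awsd sdn connector AWS_SDN failed to get instance list
aws curl response err, 403
{"Message":"User: arn:aws:iam::111122223333:user/example-user is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-east-1:111122223333:cluster/*"}
awsd sdn connector AWS_SDN get EKS cluster list failed
awsd sdn connector AWS_SDN list EKS cluster failed
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 569
"""

# Constructed sample of a clean run, modelled on the second output shown above.
CLEAN_RUN = """\
FGT # AWSD: update sdn connector AWS_SDN status to enabled
awsd sdn connector AWS_SDN prepare to update
awsd get ec2 instance info successfully
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 893
"""

STEP_RE = re.compile(r"sdn connector (\S+) (.+)$")          # per-step status lines
HTTP_RE = re.compile(r"aws curl response err, (\d{3})")     # HTTP status of a failed call
CODE_RE = re.compile(r"<Code>([^<]+)</Code>")               # EC2 XML error body
DENY_RE = re.compile(r"User: (arn:aws:iam::\S+) is not authorized to perform: (\S+)")  # EKS JSON body

def parse_awsd_debug(text):
    """Summarise one awsd run: connector name, failed steps, HTTP errors, EC2 error codes, denied (principal, action) pairs."""
    summary = {"connector": None, "failed_steps": [], "http_errors": [], "error_codes": [], "denied": []}
    for line in text.splitlines():
        m = STEP_RE.search(line)
        if m:
            summary["connector"] = m.group(1)
            if "failed" in m.group(2):
                summary["failed_steps"].append(m.group(2))
    summary["http_errors"] = [int(s) for s in HTTP_RE.findall(text)]
    summary["error_codes"] = CODE_RE.findall(text)
    summary["denied"] = DENY_RE.findall(text)
    return summary

def connector_healthy(summary):
    """True only when no update step failed and the AWS API returned no error."""
    return not (summary["failed_steps"] or summary["http_errors"] or summary["error_codes"] or summary["denied"])
```

The denied action reported by EKS names exactly the permission to add; the EC2 UnauthorizedOperation body does not name one, so that call still has to be checked against the IAM user's policy by hand.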
In this case, you must configure power user access in the AWS management console for the IAM user whose access key the connector uses:
After configuring power user access, run the following commands:
diagnose deb application awsd -1
diagnose debug enable
The output should display without error, as follows:
FGT # AWSD: update sdn connector AWS_SDN status to enabled
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
awsd get ec2 instance info successfully
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 893
The AWS connector is now enabled: