User Guide

Cloud Connectors

In some cases your application server's IP address may dynamically change, for example, when it's deployed in auto-scaling mode on public cloud platforms. Instead of manually updating the origin server's IP address in FortiWeb Cloud, you can configure a Cloud Connector to authorize FortiWeb Cloud to access your public cloud resources in order to automatically obtain the latest IP addresses.

To create a Cloud Connector:

  1. Go to Global > System Settings > Cloud Connectors.
  2. Click Create Connector.
  3. Configure the following settings.
     Name: Enter a name for the Cloud Connector.
     Status: Turn the Cloud Connector on or off.
     Type: Select the public cloud platform where your application server is deployed.
  4. Configure the following settings if the type is AWS.
     An access key on AWS grants programmatic access to your resources. If you have security considerations, it's recommended to create an IAM role specifically for FortiWeb Cloud and grant it read-only access. For how to create an access key, see this article.
     Region: The region where your application server is deployed.
     Access Key ID: The Access Key ID.
     Secret Access Key: The Secret Access Key.
     VPC ID: The ID of the VPC where your application server is deployed.
  5. Configure the following settings if the type is Azure.
     You must create an Azure AD application to generate the Azure client ID and the corresponding Azure client secret. This application must be a service principal; otherwise, the Fabric connector cannot read the inventory. You can find the complete instructions at Use portal to create an Azure Active Directory application and service principal that can access resources.
     Keep the following in mind when you get to the part about making a new application registration:
     • The Application type has two options. Choose Web app/API.
     • The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in this case. Put any valid URL in the field to complete the form and enable the Create button.
     Server Region: The region where your application server is deployed.
     Tenant ID: See the instructions above for how to find the Tenant ID.
     Client ID: See the instructions above for how to find the Client ID.
     Client Secret: See the instructions above for how to find the Client Secret.
     Subscription ID: The ID of the subscription where your application server is deployed.
     Resource Group: The name of the resource group where your application server is deployed. Make sure that the service principal (app registration) is granted the Network Contributor and VM Contributor roles for the target resource group.
  6. Configure the following settings if the type is GCP.
     A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. See Understanding service accounts for how to create a service account and authenticate with a private key.
     Project ID: The ID of the project where your application server is deployed.
     Service Account Email: The Service Account Email that FortiWeb Cloud uses to access your application server.
     Private Key: The Private Key used for authentication.
     Zone: The zone where your application server is deployed.
  7. Click Test to verify whether FortiWeb Cloud can access the resources with the provided information. If the test succeeds, click OK to save the settings.
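The AWS step recommends giving FortiWeb Cloud an identity with read-only access. The following is an added example (not Fortinet's code and not part of this guide) of an IAM policy for that identity together with a small check that flags anything broader than read-only EC2 access before the policy is attached. The action list (ec2:DescribeInstances and ec2:DescribeVpcs) is an assumption about which calls are needed to discover instance IP addresses in a VPC; this page does not document the exact calls, so confirm against the connector's Test button. The region value is a constructed placeholder.

```python
"""Least-privilege check for the IAM policy attached to the identity whose
access key is entered in the FortiWeb Cloud AWS Cloud Connector.

Added example; the EC2 actions below are an assumption about what
instance discovery needs, not a documented FortiWeb Cloud requirement."""
import json

# Constructed example policy: read-only EC2 describe calls, limited to one region.
FORTIWEB_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortiWebCloudDescribeOrigins",
            "Effect": "Allow",
            # Assumed set of calls needed to enumerate instances in the VPC.
            "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs"],
            # ec2:Describe* actions do not support resource-level ARNs, so
            # scope is narrowed with a region condition instead.
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        }
    ],
}

# Action name prefixes treated as read-only for this check.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def find_violations(policy):
    """Return a list of problems found in the policy.

    An empty list means every Allow statement is limited to read-only EC2
    actions and is pinned to a region with aws:RequestedRegion.
    """
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            problems.append(f"{sid}: NotAction grants everything except the listed actions")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: wildcard action {action!r}")
                continue
            service, _, name = action.partition(":")
            if service != "ec2":
                problems.append(f"{sid}: action {action!r} is outside EC2")
            elif not name.startswith(READ_ONLY_PREFIXES):
                problems.append(f"{sid}: action {action!r} is not read-only")
        condition = stmt.get("Condition", {})
        if "aws:RequestedRegion" not in condition.get("StringEquals", {}):
            problems.append(f"{sid}: no aws:RequestedRegion condition; the key works in every region")
    return problems


if __name__ == "__main__":
    print(json.dumps(FORTIWEB_READONLY_POLICY, indent=2))
    for problem in find_violations(FORTIWEB_READONLY_POLICY):
        print("VIOLATION:", problem)
```

Run the script to print the policy document and any violations; the printed JSON can be pasted into the IAM console as the inline policy for the user whose access key goes into the Access Key ID and Secret Access Key fields. If the connector's Test fails with this policy, add only the specific Describe call the error names rather than widening to ec2:*.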

If you want to edit the settings or delete a Cloud Connector, click the Edit or Delete icon in the Cloud Connector row.

After the Cloud Connector is created, you can go to Network > Origin Servers to configure the dynamic server settings so that FortiWeb Cloud can use the specified conditions to find the right VMs in your account and obtain their IP addresses. See Origin Servers.