Fortinet Document Library

AWS Cookbook

6.4.0
Updating the route table and adding an IAM policy

To update the route table and add an IAM policy:
  1. Update the route table:
    1. After configuring the internal network ports, you must route all internal traffic to the elastic network interface (ENI) of port2 on the primary FortiGate-VM. In the AWS console, open the Elastic Compute Cloud (EC2) service.
    2. Select Instances, then select the primary FortiGate-VM.
    3. On the Description tab, select port2 (eth1) and copy the interface ID.
    4. Save the interface ID in a text editor.
    5. In the AWS console, open the VPC service.
    6. Select Route Tables, then select the Sec_VPC_Internal route table.
    7. On the Routes tab, click the Edit Routes button.
    8. Add the following two routes:

      Destination    Target
      0.0.0.0/0      The port2 ENI ID copied in step 1 (paste it here)
      10.0.0.0/8     Transit Gateway

    9. Click Save. Check that the internal port2 subnets for both A and B are associated with this route table.
  2. Both firewalls need an IAM policy attached so that they can make AWS API calls to move the elastic IP address on port1 and the network interface on port2 between the primary and secondary FortiGate-VMs. Go to the IAM service and create a role with the following policy:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": [
             "ec2:Describe*",
             "ec2:AssociateAddress",
             "ec2:AssignPrivateIpAddresses",
             "ec2:UnassignPrivateIpAddresses",
             "ec2:ReplaceRoute"
           ],
           "Resource": "*",
           "Effect": "Allow"
         }
       ]
     }

  3. Attach the IAM role to both FortiGate-VMs by selecting the FortiGate EC2 instance and selecting Attach/Replace IAM Role in the Actions menu.
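Before attaching the role it is worth confirming that the policy grants exactly the calls a failover needs and nothing broader. The Python check below is an added example, not part of the Fortinet cookbook or of FortiGate's own code: it evaluates the policy above against a constructed list of EC2 calls using IAM's action-wildcard and Deny-overrides-Allow rules, and lists the write actions the policy grants on every resource (Resource "*") so they can be reviewed. The call names in FAILOVER_CALLS are assumptions for illustration.

```python
import re

# The IAM policy from this cookbook step, embedded as a dict so the check runs offline.
FORTIGATE_HA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
                   "ec2:UnassignPrivateIpAddresses", "ec2:ReplaceRoute"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Constructed (assumed) sample of the calls an EIP/ENI/route failover makes, plus one it must not.
FAILOVER_CALLS = [
    "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables",
    "ec2:AssociateAddress", "ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses",
    "ec2:ReplaceRoute", "ec2:TerminateInstances",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_pattern(pattern):
    # IAM matches action names case-insensitively; '*' spans any run of characters, '?' one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)

def evaluate(policy, calls):
    """Return {call: 'allow' | 'deny' | 'implicit-deny'}: an explicit Deny beats any Allow and
    an unmatched call is denied, as in IAM. Handles Action/Resource/Effect only (no NotAction,
    Principal or Condition), which is all this policy uses."""
    verdicts = {}
    for call in calls:
        verdict = "implicit-deny"
        for stmt in policy["Statement"]:
            if any(_iam_pattern(p).match(call) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    verdict = "deny"
                    break
                verdict = "allow"
        verdicts[call] = verdict
    return verdicts

def broad_mutating_actions(policy):
    """Write actions an Allow statement grants on Resource '*'; ec2:Describe* is read-only and skipped."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found += [a for a in _as_list(stmt["Action"]) if not a.lower().startswith("ec2:describe")]
    return found
```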
