Fortinet Document Library

AWS Cookbook 6.4.0
Deploying the CloudFormation templates

Note

The deployment will fail:

  • if you do not have the required subscriptions for the On-Demand and/or BYOL marketplace listings for FortiGate.
  • if the AWS user (or role) deploying the template does not have the AWS permissions to perform the required service actions on resources. The templates create IAM roles, so at a minimum the following is required:
    • Service: IAM; Action: CreateRole; Resource: *.

FortiGate Autoscale for AWS without Transit Gateway integration provides separate CFTs for two deployment options:

  • Deployment into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, FortiGate-VMs, security groups, and other infrastructure components, and then deploys FortiGate Autoscale for AWS into this new VPC.
  • Deployment into an existing VPC. This option provisions FortiGate Autoscale for AWS in your existing AWS infrastructure.

Incoming and outgoing requests

  • Incoming requests to the web servers in the private subnets of your existing VPC enter through the Internet gateway, pass through the network load balancer and then through a FortiGate-VM in the Auto Scaling group (ASG) before reaching the web server. The web server returns its response over the same connection.
  • Outgoing requests from the web servers go through the individual FortiGate-VM (acting as the NAT gateway for that subnet) and the Internet gateway to the external network. The external network returns the response along the same path.
Note

Ensure that you remove any existing NAT device routes (routes whose target is a NAT gateway or a NAT instance) from the route tables associated with the private subnets. A route table can hold only one route per destination, so a leftover 0.0.0.0/0 route to a NAT device prevents FortiGate Autoscale for AWS from adding its own. FortiGate Autoscale for AWS automatically attaches the proper route to each such route table, as described above.
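The route-table cleanup the note asks for can be done deterministically rather than by hand. The following is an added example (not Fortinet's code): a pure function that inspects the dict shape returned by `ec2.describe_route_tables()` and reports every IPv4 route in a private subnet's route table whose target is a NAT gateway or a NAT instance, plus a thin boto3 wrapper that performs the lookup and, only when `apply=True`, the deletion. The sample response, its resource IDs and the function names are constructed for the example; the boto3 calls used (`describe_route_tables`, `delete_route`) are real.

```python
"""Find, and optionally delete, NAT routes in the route tables of the private
subnets, so that FortiGate Autoscale for AWS can attach its own route.
Added example; not Fortinet's code. The inspection is a pure function over the
dict shape that ec2.describe_route_tables() returns, so it runs offline on the
constructed sample below. The live lookup/delete needs boto3 and credentials.
"""

# Constructed sample shaped like a describe_route_tables() response (IDs are
# made up). rtb-0private serves two private subnets and has a default route
# via a NAT gateway; rtb-0legacy uses a NAT *instance* (instance/ENI target);
# rtb-0public points at an Internet gateway and must be left alone.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-0private",
         "Associations": [{"SubnetId": "subnet-0priv1"},
                          {"SubnetId": "subnet-0priv2"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
        {"RouteTableId": "rtb-0legacy",
         "Associations": [{"SubnetId": "subnet-0priv3"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat",
              "NetworkInterfaceId": "eni-0nat"}]},
        {"RouteTableId": "rtb-0public",
         "Associations": [{"SubnetId": "subnet-0pub1"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    ]
}


def is_nat_route(route):
    """True when the route's target is a NAT gateway or a NAT instance (an
    instance/ENI target). The VPC-local route and IGW routes are not NAT."""
    if route.get("GatewayId") == "local":
        return False
    return any(route.get(k) for k in ("NatGatewayId", "InstanceId",
                                      "NetworkInterfaceId"))


def find_nat_routes(describe_response, private_subnet_ids):
    """Return (route_table_id, destination_cidr) for every IPv4 NAT route in a
    route table associated with at least one of private_subnet_ids."""
    wanted = set(private_subnet_ids)
    hits = []
    for rtb in describe_response.get("RouteTables", []):
        subnets = {a.get("SubnetId") for a in rtb.get("Associations", [])}
        if not subnets & wanted:
            continue
        for route in rtb.get("Routes", []):
            cidr = route.get("DestinationCidrBlock")
            if cidr and is_nat_route(route):
                hits.append((rtb["RouteTableId"], cidr))
    return hits


def remove_nat_routes(private_subnet_ids, region, apply=False):
    """Look up the live route tables and delete the NAT routes found.
    Reports only unless apply=True. Returns the list of hits."""
    import boto3  # imported here so the pure functions above run without it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_route_tables(Filters=[
        {"Name": "association.subnet-id", "Values": list(private_subnet_ids)}])
    hits = find_nat_routes(resp, private_subnet_ids)
    for rtb_id, cidr in hits:
        print(("deleting" if apply else "would delete"), cidr, "from", rtb_id)
        if apply:
            ec2.delete_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr)
    return hits


if __name__ == "__main__":
    # Offline dry run against the constructed sample: two hits, none in rtb-0public.
    for rtb_id, cidr in find_nat_routes(SAMPLE_ROUTE_TABLES,
                                        ["subnet-0priv1", "subnet-0priv3"]):
        print("would delete", cidr, "from", rtb_id)
```

Run it once with `apply=False` and review the list before applying: any route whose target is an instance or ENI is treated as a NAT instance route, which is the usual case for a legacy NAT setup but should be confirmed against your own routing before it is deleted. Routes to a transit gateway or VPC peering connection are not touched.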

To deploy the CloudFormation templates:
  1. Navigate to the S3 folder you uploaded files to in the previous section. In the example below, we navigate to Amazon S3 > fortigate-autoscale > deployment-package.
  2. Click templates and select the appropriate entry template to start the deployment:
    • To deploy into a new VPC, click autoscale-new-vpc.template.
    • To deploy into an existing VPC, click autoscale-existing-vpc.template.

    Select Template

  3. Copy the Object URL of the template you picked in the previous step. In our example, the template chosen is for deploying into a new VPC.
    Copy the Object URL
  4. Click Services, and then Management & Governance > CloudFormation.
    AWS Console CloudFormation
  5. Confirm the region you are in and then click Create Stack.
    Create Stack
  6. Paste the Object URL from step 3 into the Amazon S3 URL field as shown below.
    Paste Object URL
  7. Click Next.
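The seven console steps above map onto a handful of API calls, which is how a practitioner would repeat the deployment across accounts or regions. The following is an added example (not Fortinet's code) of that scripted equivalent in Python with boto3: it builds the template Object URL from the S3 path used on this page, pre-checks the minimum IAM permission the note at the top lists (CreateRole) with the IAM policy simulator so the failure surfaces before the stack starts rolling back, and then creates the stack and waits for it. The bucket and prefix follow the example path on the page, the `templates` folder layout is assumed, and the stack name, region, template parameter names and the function names are placeholders or constructed for the example.

```python
"""Scripted equivalent of console steps 1-7: build the Object URL of the entry
template, check the caller can create IAM roles, create the stack and wait.
Added example; not Fortinet's code. The bucket and prefix follow the page's
example path; the stack name, region and template parameters are placeholders
you must take from the template you chose.
"""
import re

BUCKET = "fortigate-autoscale"
PREFIX = "deployment-package/templates"   # assumed layout: templates/ under the package
ENTRY_TEMPLATES = {"new-vpc": "autoscale-new-vpc.template",
                   "existing-vpc": "autoscale-existing-vpc.template"}


def template_url(bucket, prefix, option, region):
    """Virtual-hosted-style Object URL, the form the S3 console shows and the
    CloudFormation 'Amazon S3 URL' field accepts (assumed bucket layout)."""
    key = f"{prefix.strip('/')}/{ENTRY_TEMPLATES[option]}"
    return f"https://{bucket}.s3.{region}.amazonaws.com/{key}"


def principal_arn_for_simulation(caller_arn):
    """The IAM policy simulator wants an IAM user/role ARN, but STS reports an
    assumed-role session ARN for role-based callers; map the latter back."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+", caller_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else caller_arn


def stack_request(stack_name, url, parameters):
    """create_stack keyword arguments. The templates create IAM roles, so the
    request has to acknowledge that; CAPABILITY_NAMED_IAM also covers roles
    that carry explicit names."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]{0,127}", stack_name):
        raise ValueError("stack name: letters, digits and hyphens, starting with a letter")
    return {
        "StackName": stack_name,
        "TemplateURL": url,
        "Parameters": [{"ParameterKey": k, "ParameterValue": v}
                       for k, v in parameters.items()],
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "OnFailure": "ROLLBACK",
    }


def caller_can_create_roles(session):
    """Pre-flight the minimum permission the page lists (IAM CreateRole on *)
    so a missing grant surfaces before CloudFormation starts rolling back."""
    arn = principal_arn_for_simulation(
        session.client("sts").get_caller_identity()["Arn"])
    res = session.client("iam").simulate_principal_policy(
        PolicySourceArn=arn, ActionNames=["iam:CreateRole"], ResourceArns=["*"])
    return all(r["EvalDecision"] == "allowed" for r in res["EvaluationResults"])


def deploy(option, stack_name, parameters, region):
    """Run the whole sequence against a live account; needs boto3 and credentials."""
    import boto3  # imported here so the pure helpers above run without it
    session = boto3.Session(region_name=region)
    if not caller_can_create_roles(session):
        raise PermissionError("caller lacks iam:CreateRole; the deployment would fail")
    cfn = session.client("cloudformation")
    url = template_url(BUCKET, PREFIX, option, region)
    stack_id = cfn.create_stack(**stack_request(stack_name, url, parameters))["StackId"]
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_id)
    return stack_id
```

Two caveats: the simulator call itself needs `iam:SimulatePrincipalPolicy` on the deploying identity, and a simulation that passes only proves the CreateRole minimum, not every action the template performs. The Marketplace subscription requirement from the note has no equivalent pre-check here; a missing subscription still shows up as a failed instance launch during stack creation.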
