FortiADC AWS Deployment Guide

Download as pdf or txt
Download as pdf or txt
You are on page 1of 87

FortiADC - AWS Deployment Guide

Version 7.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

February 3, 2023
FortiADC 7.2.0 AWS Deployment Guide
01-540-000000-20200214
TABLE OF CONTENTS

Change Log 4
Introduction 5
Before deploying the FortiADC-VM 6
Deploying the FortiADC-VM 10
Deploying FortiADC-VM for AWS 11
Example: Set VS on AWS in HA-VRRP mode 16
Bootstrapping the FortiADC-VM at initial boot-up using user data 21
Deploying Autoscaling on AWS 26
Planning & Prerequisites 28
Obtaining the deployment package 29
Deploying the CloudFormation templates 30
CFT parameters 33
Optional settings 40
Completing the deployment 42
Locating deployed resources 43
Verifying the deployment 47
Connecting to the primary FortiADC-VM 53
Configuring the FortiADC-VM for Autoscaling 58
Upgrading the deployment to apply firmware updates to the FortiADC instances 61
Configuring the Network Load Balancer 66
Attaching the FortiADC-VM instance to an existing Autoscaling group 69
Debug 74
Script 77
Importing the Amazon machine image 78
Important notes 86

FortiADC 7.2.0 AWS Deployment Guide 3


Fortinet Inc.
Change Log

Change Log

Date Change Description

2023-02-03 Added Autoscale.

2020-04-08 Replaced cloud-init section with Bootstrapping the FortiADC-VM section

2020-02-14 Added cloud-init.

2019-10-01 Added Marketplace support.

2018-20-11 Second release.

FortiADC 7.2.0 AWS Deployment Guide 4


Fortinet Inc.
Introduction

Introduction

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web
Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can
develop and deploy applications faster. You can use Amazon EC2 to launch virtual servers, configure security
and networking, and manage storage.
This guide shows how to deploy FortiADC-VM on AWS EC2.

FortiADC 7.2.0 AWS Deployment Guide 5


Fortinet Inc.
Before deploying the FortiADC-VM

Before deploying the FortiADC-VM

1. Create VPC and specify the IPv4 address range for your VPC

2. Create Subnet and specify your subnet's IP address block

3. Create internet gateway, and attach it to VPC

FortiADC 7.2.0 AWS Deployment Guide 6


Fortinet Inc.
Before deploying the FortiADC-VM

4. Create or use default route table, and configure "subnet associations" according to
the actual network

5. Create security group, configure "Inbound Rules" and "Outbound Rules"

FortiADC 7.2.0 AWS Deployment Guide 7


Fortinet Inc.
Before deploying the FortiADC-VM

6. Create IAM policy

When switching to HA, it executes AWS API for migration of floating IP and reflection of public IP address.
An example of AWS permissions policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"sns:*",
"sqs:*",
"rds:*",
"iam:*"
],
"Resource": "*"
}
]
}

FortiADC 7.2.0 AWS Deployment Guide 8


Fortinet Inc.
Before deploying the FortiADC-VM

7. Create role and attach permissions policies

FortiADC 7.2.0 AWS Deployment Guide 9


Fortinet Inc.
Deploying the FortiADC-VM

Deploying the FortiADC-VM

There are two ways to deploy FortiADC-VM on Amazon Web Services’ Elastic Compute Cloud (Amazon EC2):
l Bring Your Own License (BYOL) — Requires a FortiADC-VM.
l On-demand — Provides a fully-licensed instance of FortiADC-VM, all FortiGuard services, and technical
support on an hourly basis.
Both methods require an existing Amazon EC2 account and Amazon Virtual Private Cloud (Amazon VPC). You
can deploy the FortiADC-VM for AWS using AWS Marketplace or from your own AMIs directly.

Starting from version 5.2.4, we suggest configuring the FortiADC from Amazon
Marketplace.

FortiADC 7.2.0 AWS Deployment Guide 10


Fortinet Inc.
Deploying the FortiADC-VM

Deploying FortiADC-VM for AWS

1. Login to AWS and ensure that you have a VPC (Virtual Private Cloud).

2. Go to the AWS Instances page and Launch Instance

3. Navigate to your choice of method for selecting the image: your AMIs or Marketplace

Marketplace is now recommended, as selecting the image through AMIs is more time-
consuming.

A. Marketplace
Go to Marketplace. Launch Instance > Marketplace > Search for "FortiADC."
Use the default image that is provided.
B. Use my AMIs
Please refer to Importing the Amazon machine image on page 78 for uploading the image manually.

FortiADC 7.2.0 AWS Deployment Guide 11


Fortinet Inc.
Deploying the FortiADC-VM

4. Select the appropriate region and EC2 instance type for your deployment. (suggest the over 4G
memory)

5. Configure Instance Details

Such as: Number of instances, Purchasing option, Network, Subnet, Auto-assign Public IP, IAM role, and more. (Role is
required if in HA mode)

6. Add Storage

Notes: Root volume (suggested that you use a size of at least 1G).

FortiADC 7.2.0 AWS Deployment Guide 12


Fortinet Inc.
Deploying the FortiADC-VM

After FortiADC-VM bootup, execute command “execute formatlogdisk”


If you change the size of the FortiADC-VM virtual hard disk after deployment, immediately run the following command:
execute formatlogdisk. The formatlogdisk command clears logs from the virtual hard disk.

7. Configure Security Group

You can create a new security group or select from an existing one.

8. Create a new key pair and download it

Use the instructions provided under Key Pair. Creating a key pair allows you to access the command-line interface via
SSH.

FortiADC 7.2.0 AWS Deployment Guide 13


Fortinet Inc.
Deploying the FortiADC-VM

9. Click “Launch Instances”.

10. Navigate to the "Instances" page, check instance state.

11. You can connect to the command-line interface (CLI) using SSH or telnet connection, or connect to
the web UI using the HTTP or HTTPS. The default admin password is the AWS instance ID.

12. Create interface for FortiADC-VM

Step 1:Navigate to the EC2 "Network Interface" page, create network interface, select subnet and security group,
configure private IP.

FortiADC 7.2.0 AWS Deployment Guide 14


Fortinet Inc.
Deploying the FortiADC-VM

Step 2:Attach interface to FortiADC-VM instance.

Step 3:Reboot FortiADC-VM. After that, configure static IP for new interface.

FortiADC 7.2.0 AWS Deployment Guide 15


Fortinet Inc.
Deploying the FortiADC-VM

Example: Set VS on AWS in HA-VRRP mode

Configure HA on ADC1

config system ha
set mode active-active-vrrp
set hbdev port4
set datadev port4
set group-name vrrp
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set hb-type unicast
set local-address 10.1.4.253
set peer-address 10.1.4.252
end

Configure HA on ADC2

config system ha
set mode active-active-vrrp
set hbdev port4
set datadev port4
set local-node-id 1
set group-name vrrp
set priority 2
set config-priority 50
set l7-persistence-pickup enable
set l4-persistence-pickup enable

FortiADC 7.2.0 AWS Deployment Guide 16


Fortinet Inc.
Deploying the FortiADC-VM

set l4-session-pickup enable


set hb-type unicast
set local-address 10.1.4.252
set peer-address 10.1.4.253
end

Configure Traffic-Group on ADC


config system traffic-group
edit "traffic_group_1"
set failover-order 0 1
set preempt enable
next
edit "traffic_group_2"
set failover-order 1 0
set preempt enable
next
end

Configure VS on ADC

config load-balance real-server


edit "10_1_2_201"
set ip 10.1.2.201
next
edit "10_1_3_201"
set ip 10.1.3.201
next
end
config load-balance pool
edit "RS_2_0"
set health-check-list LB_HLTHCK_ICMP
set real-server-ssl-profile NONE
config pool_member
edit 1
set pool_member_cookie rs1
set real-server 10_1_2_201
next
end
next
edit "RS_3_0"
set real-server-ssl-profile NONE
config pool_member
edit 1
set pool_member_cookie rs1
set real-server 10_1_3_201
next
end
next
end

config load-balance virtual-server


edit "VS1"
set type l7-load-balance
set interface port1

FortiADC 7.2.0 AWS Deployment Guide 17


Fortinet Inc.
Deploying the FortiADC-VM

set ip 10.1.1.101
set load-balance-profile LB_PROF_HTTP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool RS_2_0
set traffic-group traffic_group_1
next
edit "VS2"
set interface port1
set ip 10.1.1.102
set load-balance-profile LB_PROF_TCP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool RS_3_0
set traffic-group traffic_group_2
next
end

Configure Floating IP on ADC

ADC1:
config system interface
edit "port2"
set vdom root
set ip 10.1.2.253/24
set allowaccess ping
config ha-node-ip-list
end
set traffic-group traffic_group_1
set floating enable
set floating-ip 10.1.2.251
next
edit "port3"
set vdom root
set ip 10.1.3.253/24
set allowaccess ping
config ha-node-ip-list
end
set traffic-group traffic_group_2
set floating enable
set floating-ip 10.1.3.251
next
end

ADC2:

config system interface


edit "port2"
set vdom root
set ip 10.1.2.252/24
set allowaccess ping
config ha-node-ip-list
end
set traffic-group traffic_group_1
set floating enable

FortiADC 7.2.0 AWS Deployment Guide 18


Fortinet Inc.
Deploying the FortiADC-VM

set floating-ip 10.1.2.251


next
edit "port3"
set vdom root
set ip 10.1.3.252/24
set allowaccess ping
config ha-node-ip-list
end
set traffic-group traffic_group_2
set floating enable
set floating-ip 10.1.3.251
next
end

Configure on AWS

1. Ensure that the gateway of RS is a floating IP.


2. Assign VS IP and floating IP to AWS-EC2_ADC network interface.
In this example, you should assign VS IP 10.1.1.101 to ADC1 eth0; assign VS IP 10.1.1.102 to ADC2 eth0; assign
floating IP 10.1.2.251 to ADC1 eth1; assign floating IP 10.1.2.251 to ADC2 eth2.
3. Allocate Elastic IP and bind with VS IP. User can access the VS through the public IP.
In this example, you should allocate elastic IP for VS1 IP 10.1.1.101 and VS2 IP 10.1.1.102.

4. For L4_DNAT_VS or L7 VS enabled "client-address", you must disable “Source/Dest. Check” on AWS_EC2_ADC
interface, which connects to RS.

FortiADC 7.2.0 AWS Deployment Guide 19


Fortinet Inc.
Deploying the FortiADC-VM

FortiADC 7.2.0 AWS Deployment Guide 20


Fortinet Inc.
Deploying the FortiADC-VM

Bootstrapping the FortiADC-VM at initial boot-up using user data

If you are installing and configuring your applications on Amazon EC2 dynamically at instance launch time, you will
typically need to pull and install packages, deploy files, and ensure services are started. The following bootstrapping
instructions help simplify, automate, and centralize FortiADC-VM deployment directly from the configuration scripts
stored in AWS S3. This is also called "cloud-init".

Setting up IAM roles

IAM roles need S3 bucket read access. This example applies the existing AmazonS3ReadOnlyAccess policy to the role
by adding the following code or selecting S3ReadOnlyAccess from the policy list in adding to the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}

If you need further instructions, please refer to the AWS documentation on IAM Roles for Amazon EC2
.

Creating S3 buckets with license and firewall configurations

1. On the AWS console, create an Amazon S3 bucket at the root level for the bootstrap files.
2. Upload the license file and configuration files(s) to the S3 bucket. In this example, one license file and configuration
files are uploaded. For example, let's have the following FortiADC CLI command statement in the config file:
config system global

FortiADC 7.2.0 AWS Deployment Guide 21


Fortinet Inc.
Deploying the FortiADC-VM

set hostname fadcloudinit


end

This is to set a hostname as part of initial configuration at first launch.


{
"bucket" : "fortiadc-bucket",
"region" : "us-west-1",
"license" : "/FADV080000188885.lic",
"config" : "/fadconfig-init.txt"
}

Launching the instance using roles and user data

Follow the normal procedure to launch the instance from the AWS marketplace. When selecting the VPC subnet, the
instance must be with the role that was created and specify the information about the license file and configuration file
from the AWS S3 bucket previously configured under Advanced Settings.

FortiADC 7.2.0 AWS Deployment Guide 22


Fortinet Inc.
Deploying the FortiADC-VM

After launching the FortiADC-VM, open the console to verify that the VM is booting and utilizing the license file and
configuration file that was provided.

FortiADC 7.2.0 AWS Deployment Guide 23


Fortinet Inc.
Deploying the FortiADC-VM

After logging in, use the get system status command to verify the license was activated and that the specified
hostname was configured.

FortiADC 7.2.0 AWS Deployment Guide 24


Fortinet Inc.
Deploying the FortiADC-VM

FortiADC 7.2.0 AWS Deployment Guide 25


Fortinet Inc.
Deploying Autoscaling on AWS

Deploying Autoscaling on AWS

You can deploy FortiADC virtual machines (VMs) to support Autoscaling on AWS. This requires a manual deployment
incorporating AWS CloudFormation Templates (CFTs).
Multiple FortiADC-VM instances form an Autoscaling group (ASG) to provide highly efficient clustering at times of high
workloads. FortiADC-VM instances can be scaled out automatically according to predefined workload levels. When a
spike in traffic occurs, the Lambda script is invoked to automatically add FortiADC-VM instances to the ASG. Autoscaling
is achieved by using FortiADC Cloud Autoscaling features such as system autoscale that synchronize operating system
(OS) configurations across multiple FortiADC-VM instances at the time of scale-out events.
FortiADC Autoscale for AWS is available with FortiADC 7.2.0 and supports On-demand (PAYG) instances.
In this use case, you only need to configure on the primary FortiADC-VM, and the secondary FortiADC-VMs will
automatically synchronize configurations.

FortiADC-VM Autoscale for AWS uses AWS CloudFormation Templates (CFTs) to deploy the following components:

FortiADC 7.2.0 AWS Deployment Guide 26


Fortinet Inc.
Deploying Autoscaling on AWS

l A highly available architecture that spans two Availability Zones (AZs).


l An Amazon Virtual Private Cloud (VPC) configured with public subnets according to AWS best practices, to provide
you with your own virtual network on AWS.
l An Internet gateway to allow access to the Internet.
l In the public subnets, a FortiADC-VM host in an ASG complements AWS security groups to provide web filtering
and threat detection to protect your services from cyber attacks.
l An externally facing network load balancer is created as part of the deployment process.
l An elastic IP to access the primary FortiADC-VM. When the primary role is transferred from one instance to another,
the EIP will be associated with the new instance at the same time.
l An Amazon API Gateway, which acts as a front door by providing a Callback URL for the FortiADC-VM ASG.
FortiADC-VMs use the API Gateway to send API calls and to process FortiADC Autoscaling tasks to synchronize
configurations across multiple FortiADC-VM instances at the time of the Autoscaling scale-out event. This is
currently only for internal use. There is no public access available.
l An AWS Lambda, which allows you to run certain scripts and code without provisioning servers. Fortinet provides
Lambda scripts for running Autoscaling. Lambda functions are used to handle Autoscaling (launch/terminate
instance based on the scale-out/scale-in policy), failover management (heartbeat check and primary election), CFT
deployment, and configuration for other related components.
l An Amazon DynamoDB database that uses Fortinet-provided scripts to store information about Autoscaling
condition states, including the primary node and health check state of each FortiADC-VM in the ASG group.

FortiADC 7.2.0 AWS Deployment Guide 27


Fortinet Inc.
Deploying Autoscaling on AWS

Planning & Prerequisites

Before you deploy FortiADC-VM Autoscaling on AWS, it is recommended that you become familiar with the following
AWS services.
l Amazon Elastic Cloud Compute (Amazon EC2)
l Amazon EC2 Autoscaling
l Amazon VPC
l AWS CloudFormation
l AWS Lambda
l Amazon DynamoDB
l Amazon API Gateway
l Amazon CloudWatch
l Amazon S3
If you are new to AWS, go to the Getting Started Resource Center and the AWS Training and Certification website.
It is expected that DevOps engineers or advanced system administrators who are familiar with the listed items deploy
FortiADC Autoscale for AWS.

Technical Requirements

To start the deployment, you must have an AWS account. If you do not already have one, create one at
https://aws.amazon.com/ by following the on-screen instructions. Part of the sign-up process involves receiving a phone
call and entering a PIN. Your AWS account is automatically signed up for all AWS services. You are charged only for the
services you use.
Log into your AWS account and verify the following:
l IAM permissions — Ensure that the AWS user deploying the template has sufficient permissions to perform the
required service actions on resources. At a minimum, the following are required: Service: IAM;
Actions:CreateRole; Resource: *. The FortiADC-VM Autoscaling for AWS template increases the security level of
the deployment stack by narrowing down the scope of access to external resources belonging to the same user
account as well as restricting access to resources within the deployment.
l Region — Use the region selector in the navigation bar to choose the AWS region where you want to deploy
FortiADC-VM Autoscaling for AWS.
l FortiADC subscription(s) — Confirm that you have a valid subscription to the On-demand (PAYG) FortiADC as
required for your deployment.
l Key pair — Ensure at least one Amazon EC2 key pair exists in your AWS account in the region where you plan to
deploy FortiADC-VM Autoscaling for AWS. Make note of the key pair name.
l Resources — If necessary, request service quota increases. This is necessary when you might exceed the default
quotas with this deployment. The Service Quotas console displays your usage and quotas for some aspects of
some services. For more information, see the AWS documentation. The default instance type is c5.2xlarge.

FortiADC 7.2.0 AWS Deployment Guide 28


Fortinet Inc.
Deploying Autoscaling on AWS

Obtaining the deployment package

The FortiADC Autoscale for AWS deployment package is located in the Fortinet GitHub project.

To obtain the deployment package:

1. From the GitHub project release page, download the source code (.zip or .tar.gz) for the latest version.
2. Extract the source code into the project directory in your local workspace.
3. Create the directories and sub-directories, and place all the files under your S3 bucket using the same
organizational structure as in the source code file.

FortiADC 7.2.0 AWS Deployment Guide 29


Fortinet Inc.
Deploying Autoscaling on AWS

Deploying the CloudFormation templates

There are two options available for deploying FortiADC-VM Autoscaling for AWS:
l Deployment into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the
VPC, subnets, FortiADC-VMs, security groups, and other infrastructure components, and then deploys FortiADC-
VM Autoscaling into this new VPC.
l Deployment into an existing VPC. This option provisions FortiADC-VM Autoscaling in your existing AWS
infrastructure.

Incoming requests to the protected real servers in the private subnets will go through a
connection that flows through the Internet gateway, network load balancer, and the FortiADC-
VM ASG before reaching the protected real server. The protected real server returns the
response using the same connection.

FortiADC-VM Autoscaling provides separate CFTs for these options. It also allows you to configure CIDR blocks,
instance types, and FortiADC-VM settings.

To deploy the CloudFormation templates:

1. In the AWS Management Console, navigate to the S3 folder you uploaded files to in the previous section.
2. Click templates and select the appropriate entry template to start the deployment:
l To deploy into a new VPC, use "workload-main.template".

l To deploy into an existing VPC, use "workload-main-with-VPC.template"

FortiADC 7.2.0 AWS Deployment Guide 30


Fortinet Inc.
Deploying Autoscaling on AWS

3. Select the template and copy the Object URL for use in later steps. In our example, the template chosen is for
deploying into a new VPC.

4. Go to Services > Management & Governance > CloudFormation.


5. Confirm the region you are in and then click Create Stack > With new resources (standard).

FortiADC 7.2.0 AWS Deployment Guide 31


Fortinet Inc.
Deploying Autoscaling on AWS

6. Paste the Object URL from step 3 into the Amazon S3 URL field as shown:

7. Click Next.
8. On the Specify stack details page, enter a stack name and review parameters for the template, providing values
for parameters that require input. For details on each parameter, see the next section [cft parameters].

FortiADC 7.2.0 AWS Deployment Guide 32


Fortinet Inc.
Deploying Autoscaling on AWS

CFT parameters

After deploying the CFT, you must define the stack name and enter parameter values.
The following sections provide descriptions of the available parameters. Some parameters are specific to certain
templates, and are only displayed when that template is selected.
After entering all the required parameters, click Next to continue.

Navigate to the list of parameters specific to your template:

l Parameters for a new VPC deployment on page 33


l Parameters for an existing VPC deployment on page 36

Parameters for a new VPC deployment

Network configuration

Parameter label (name) Default Description

Availability Zones Requires List of Availability Zones to use for the subnets in the VPC. The
(AvailabilityZones) input FortiADC Autoscale solution uses two Availability Zones from
your list and preserves the logical order you specify.

VPC CIDR (VPCCIDR) 10.0.0.0/16 Classless Inter-Domain Routing (CIDR) block for the FortiADC
Auto Scale VPC.

Public subnet 1 CIDR 10.0.0.0/24 CIDR block for the public subnet located in Availability Zone 1
(PublicSubnet1CIDR) where FortiADC Autoscale instances will be deployed to.

Public subnet 2 CIDR 10.0.2.0/24 CIDR block for the public subnet located in Availability Zone 2
(PublicSubnet2CIDR) where FortiADC Autoscale instances will be deployed to.

FortiADC configuration

Parameter label (name) Default Description

Resource name prefix fadcASG A custom identifier as the resource name prefix. Can only contain
(CustomIdentifier) uppercase letters, lowercase letters, and numbers. Maximum
length is 10.

Fortiadc PAYG AMI Type FAD-PAYG- FortiADC PAYG image type.


(FortiadcPAYGAMIType) 1gbps

EC2 Instance type c5.2xlarge Instance type to launch as FortiADC-VM on-demand instances.
(FortiadcInstanceType) l FAD-PAYG-100mbps, FAD-PAYG-500mbps, and FAD-

PAYG-1gbps support the following EC2 Instance types:


m5.large, m5.xlarge, m5.2xlarge, c5.large, c5.xlarge and
c5.2xlarge
l FAD-PAYG-5gbps and FAD-PAYG-10gbps support the

FortiADC 7.2.0 AWS Deployment Guide 33


Fortinet Inc.
Deploying Autoscaling on AWS

Parameter label (name) Default Description

following EC2 Instance types:


m5.2xlarge, m5.4xlarge, m5.8xlarge, c5.2xlarge, c5.4xlarge,
and c5.9xlarge
For more information about instance types, see Amazon EC2
Instance Types.

Admin port (FortiadcAdminPort) 8443 A port number for FortiADC-VM administration.


Select 8443 for HTTPS access.
8080 port is reserved for HTTP access.
10443 port is reserved for auto scaling configuration
synchronization port.

Admin CIDR block Requires CIDR block for external admin management access.
(FortiadcAdminCidr) input Note: 0.0.0.0/0 accepts connections from any IP address. It is
recommend to use a constrained CIDR range to reduce the
potential of inbound attacks from unknown IP addresses.

Key pair name (KeyPairName) Requires Amazon EC2 key pair for admin access.
input

FortiADC Elastic IP option Use the An Elastic IP can be used to access the primary FortiADC-VM.
(ElasticIPOption) Elastic IP When the primary role is transferred from one instance to another,
specified in the EIP will be associated with the new instance at the same time.
FortiADC You can fill in the existing Elastic IP specified in FortiADC Elastic
Elastic IP or IP or Name, or let FortiADC generate a new one for you.
Name

FortiADC Elastic IP or Name fadcASG- Specify the Elastic IP address or name, through which you can
(FortiadcEl EIP manage FortiADC. If you use an existing Elastic IP, fill it in here. If
asticIP) you create a new Elastic IP, give it a name so that you can find it
easily in the AWS console.

FortiADC auto-scaling group configuration

Parameter label (name) Default Description

Instance lifecycle expiry 300 FortiADC-VM instance lifecycle expiry entry (in seconds).
(ExpireLifecycleEntry) The range is 60 to 3600.

Desired capacity 2 The number of FortiADC instances the group should have
(FortiadcAsgDesiredCapacity) at any time. Must keep at least 2 FortiADCs in the group for
High Availability. Minimum is 2.

Minimum group size 2 Minimum number of FortiADC instances in the Auto-Scaling


(FortiadcAsgMinSize) Group. Minimum is 2.

Maximum group size 4 Maximum number of FortiADC instances in the Auto-


(FortiadcAsgMaxSize) Scaling Group. Minimum is 2.

FortiADC 7.2.0 AWS Deployment Guide 34


Fortinet Inc.
Deploying Autoscaling on AWS

Parameter label (name) Default Description

Health check grace period 300 The length of time (in seconds) that autoscaling waits
(FortiadcAsgHealthCheckGracePeriod) before checking an instance's health status. Minimum is 60.

Scaling cooldown period 300 The ASG waits for the cooldown period (in seconds) to
(FortiadcAsgCooldown) complete before resuming scaling activities. The range is
60 to 3600.

Scale-out threshold 80 The average CPU threshold (in percentage) for the
(FortiadcAsgScaleOutThreshold) FortiADC-VM ASG to scale out (add) one instance. The
range is 1 to 100. The value should be between Scale-in
threshold and 100.

Scale-in threshold 25 The average CPU threshold (in percentage) for the
(FortiadcAsgScaleInThreshold) FortiADC-VM ASG to scale in (remove) one instance. The
range is 1 to 100. The value should be between 1 and
Scale-out threshold.

Healthy threshold 2 The number of consecutive health check failures required


(FortiadcElbTgHealthyThreshold) before considering a FortiADC-VM instance is unhealthy.
Minimum is 2.

Health Check Timeout 2 The amount of time in seconds, during which no response
( FortiadcElbTgHCTimeout) from a FortiADC instance means a failed health check.
Minimum is 2.

Health Check Interval 5 The approximate amount of time in seconds between


( FortiadcElbTgHCInterval) health checks of an individual FortiADC instance. Minimum
is 5.

Load balancing configuration

Parameter label (name) Default Description

Web service traffic port 443 Receive HTTPS web service traffic through this port and load
(BalanceWebTrafficOverPort) balance traffic to this port of FortiADC. The range is 1 to 65535.

AWS Quick Start configuration

Parameter label (name) Default Description

Quick Start S3 bucket name Requires The name of the S3 bucket in which the FortiADC autoscaling
(QSS3BucketName) input deployment package is stored (for example: aws-quickstart).
The Quick Start bucket name can include numbers, lowercase
letters, uppercase letters, and hyphens (-). It cannot start or end
with a hyphen (-).

Quick Start S3 key prefix Requires The path of the FortiADC autoscaling deployment package in s3 (for
(QSS3KeyPrefix) input example: quickstart-fortinet-Fortiadc/).
The Quick Start key prefix can include numbers, lowercase letters,
uppercase letters, hyphens (-), and forward slash (/).

FortiADC 7.2.0 AWS Deployment Guide 35


Fortinet Inc.
Deploying Autoscaling on AWS

Parameters for an existing VPC deployment

Network configuration

Parameter label (name) Default Description

VPC ID (VpcId) Requires Select the existing VPC IDs where you want to deploy the ASG and
input related resources. The VPC must have the option DNS hostnames
enabled, and subnets (Public/Private if needed) in different
Availability Zones.

VPC CIDR (VPCCIDR) Requires Classless Inter-Domain Routing (CIDR) block for the FortiADC Auto
input Scale VPC.

PublicSubnet1 (PublicSubnet1) Requires Select a subnet in the VPC.


input

PublicSubnet2 (PublicSubnet2) Requires Select another subnet in the VPC. The two subnets should be in
input different Availability Zones.

FortiADC configuration

Parameter label (name) Default Description

Resource name prefix fadcASG A custom identifier as the resource name prefix. Can only contain
(CustomIdentifier) uppercase letters, lowercase letters, and numbers. Maximum
length is 10.

Fortiadc PAYG AMI Typ FAD-PAYG- FortiADC PAYG image type.


(FortiadcPAYGAMIType) 1gbps

Instance type c5.2xlarge Instance type to launch as FortiADC-VM on-demand instances.


(FortiadcInstanceType) l FAD-PAYG-100mbps, FAD-PAYG-500mbps, and FAD-

PAYG-1gbps support the following EC2 Instance types:


m5.large, m5.xlarge, m5.2xlarge, c5.large, c5.xlarge and
c5.2xlarge
l FAD-PAYG-5gbps and FAD-PAYG-10gbps support the
following EC2 Instance types:
m5.2xlarge, m5.4xlarge, m5.8xlarge, c5.2xlarge, c5.4xlarge,
and c5.9xlarge
For more information about instance types, see Amazon EC2
Instance Types.

Admin port (FortiadcAdminPort) 8443 A port number for FortiADC-VM administration.


Select 8443 for HTTPS access.
8080 port is reserved for HTTP access.
10443 port is reserved for auto scaling configuration
synchronization port.

FortiADC 7.2.0 AWS Deployment Guide 36


Fortinet Inc.
Deploying Autoscaling on AWS

Parameter label (name) Default Description

Admin CIDR block Requires CIDR block for external admin management access.
(FortiadcAdminCidr) input Note: 0.0.0.0/0 accepts connections from any IP address. It is
recommend to use a constrained CIDR range to reduce the
potential of inbound attacks from unknown IP addresses.

Key pair name (KeyPairName) Requires Amazon EC2 key pair for admin access.
input

FortiADC Elastic IP option Use the An Elastic IP can be used to access the primary FortiADC-VM.
(ElasticIPOption) Elastic IP When the primary role is transferred from one instance to another,
specified in the EIP will be associated with the new instance at the same time.
FortiADC You can fill in the existing Elastic IP specified in FortiADC Elastic
Elastic IP or IP or Name, or let FortiADC generate a new one for you.
Name

FortiADC Elastic IP or Name fadcASG- Specify the Elastic IP address or name, through which you can
(FortiadcEl EIP manage FortiADC. If you use an existing Elastic IP, fill it in here. If
asticIP) you create a new Elastic IP, give it a name so that you can find it
easily in the AWS console.

FortiADC auto-scaling group configuration

Parameter label (name) Default Description

Instance lifecycle expiry 300 FortiADC-VM instance lifecycle expiry entry (in seconds).
(ExpireLifecycleEntry) The range is 60 to 3600.

Desired capacity 2 The number of FortiADC instances the group should have
(FortiadcAsgDesiredCapacity) at any time. Must keep at least 2 FortiADCs in the group for
High Availability. Minimum is 2.

Minimum group size 2 Minimum number of FortiADC instances in the Auto-Scaling


(FortiadcAsgMinSize) Group. Minimum is 2.

Maximum group size 4 Maximum number of FortiADC instances in the Auto-


(FortiadcAsgMaxSize) Scaling Group. Minimum is 2.

Health check grace period 300 The length of time (in seconds) that autoscaling waits
(FortiadcAsgHealthCheckGracePeriod) before checking an instance's health status. Minimum is 60.

Scaling cooldown period 300 The ASG waits for the cooldown period (in seconds) to
(FortiadcAsgCooldown) complete before resuming scaling activities. The range is
60 to 3600.

Scale-out threshold 80 The average CPU threshold (in percentage) for the
(FortiadcAsgScaleOutThreshold) FortiADC-VM ASG to scale out (add) one instance. The
range is 1 to 100. The value should be between Scale-in
threshold and 100.

FortiADC 7.2.0 AWS Deployment Guide 37


Fortinet Inc.
Deploying Autoscaling on AWS

Parameter label (name) Default Description

Scale-in threshold 25 The average CPU threshold (in percentage) for the
(FortiadcAsgScaleInThreshold) FortiADC-VM ASG to scale in (remove) one instance. The
range is 1 to 100. The value should be between 1 and
Scale-out threshold.

Healthy threshold 2 The number of consecutive health check failures required


(FortiadcElbTgHealthyThreshold) before considering a FortiADC-VM instance is unhealthy.
Minimum is 2.

Health Check Timeout 2 The amount of time in seconds, during which no response
( FortiadcElbTgHCTimeout) from a FortiADC instance means a failed health check.
Minimum is 2.

Health Check Interval 5 The approximate amount of time in seconds between


( FortiadcElbTgHCInterval) health checks of an individual FortiADC instance. Minimum
is 5.

Load balancing configuration

Parameter label (name) Default Description

Web service traffic port 443 Receive HTTPS web service traffic through this port and load
(BalanceWebTrafficOverPort) balance traffic to this port of FortiADC. The range is 1 to 65535.

AWS Quick Start configuration

Parameter label (name) Default Description

Quick Start S3 bucket name Requires The name of the S3 bucket in which the FortiADC autoscaling
(QSS3BucketName) input deployment package is stored (for example: aws-quickstart).
The Quick Start bucket name can include numbers, lowercase
letters, uppercase letters, and hyphens (-). It cannot start or end
with a hyphen (-).

Quick Start S3 key prefix Requires The path of the FortiADC autoscaling deployment package in s3 (for
(QSS3KeyPrefix) input example: quickstart-fortinet-Fortiadc/).
The Quick Start key prefix can include numbers, lowercase letters,
uppercase letters, hyphens (-), and forward slash (/).

Available instance types in each region

AWS has different support for instance types in each region. Refer to the AWS documentation to check whether or not
your selected FortiADC instance type is supported in the deployment region and zone.
To see if the instance type is supported in your zone, enable Available zones.

FortiADC 7.2.0 AWS Deployment Guide 38


Fortinet Inc.
Deploying Autoscaling on AWS

You can filter by instance types then search for your instance type (for example, c5.xlarge) to see its supported regions
listed in the Availability zones field.

FortiADC 7.2.0 AWS Deployment Guide 39


Fortinet Inc.
Deploying Autoscaling on AWS

Optional settings

After entering required parameters and clicking Next, you are directed to the Configure stack options page to specify
optional settings.
Once you have configured optional settings, click Next to move forward in the deployment.

Tags

You can specify key-value pairs (tags) to apply to resources in your stack. For details, see the AWS documentation.

Permissions

Under the Permissions section, you can specify an IAM role that AWS CloudFormation uses to create, modify, or delete
resources in your stack. For details, see the AWS documentation.

Advanced options

Under Advanced options, it is recommended that you disable the Stack creation option Rollback on failure to allow for
a better troubleshooting experience. For details, see the AWS documentation.

FortiADC 7.2.0 AWS Deployment Guide 40


Fortinet Inc.
Deploying Autoscaling on AWS

FortiADC 7.2.0 AWS Deployment Guide 41


Fortinet Inc.
Deploying Autoscaling on AWS

Completing the deployment

1. On the Review page, review and confirm the template settings, the stack details, and the stack options. Under
Capabilities, select both check boxes to acknowledge that the template creates IAM resources and might require
the ability to automatically expand macros.

2. Click Create stack to deploy the stack.


The creation status is shown in the Status column. To see the latest status, refresh the view. It takes about 10
minutes to create the stack.
3. Monitor the status of the stack. Deployment has completed when each stack (including the main stack and all
nested stacks) has a status of CREATE_COMPLETE.

FortiADC 7.2.0 AWS Deployment Guide 42


Fortinet Inc.
Deploying Autoscaling on AWS

Locating deployed resources

To locate a newly deployed resource, it is recommended to search for it using the ResourceTagPrefix (also referred to as
the ResourceGroup Tag Key). Alternatively, the UniqueID can be used. For items that need a shorter prefix, the
CustomIdentifier can be used. These keys are found on the Outputs tab as shown below. Note that the UniqueID is at the
end of the ResourceTagPrefix.

This section includes steps on how to locate the following deployed resources:
l VPC using the ResourceGroup Tag Key on page 44
l VPC subnets using the ResourceGroup Tag Key on page 44
l DynamoDB tables using the UniqueID on page 45
l Lambda Functions using the ResourceGroup Tag Key on page 45
l Log group using the Lambda function name on page 46
l Network Load Balancer using the ResourceGroup Tag Key on page 46

FortiADC 7.2.0 AWS Deployment Guide 43


Fortinet Inc.
Deploying Autoscaling on AWS

VPC using the ResourceGroup Tag Key

To look up the newly deployed VPC using the ResourceGroup Tag Key:

1. In the AWS console, select Services > Network & Content Delivery > VPC.
2. In the left navigation tree, click Your VPCs.
3. Click the filter box and under Tags, select ResourceGroup.
4. Select your ResourceTagPrefix from the list of Tags. Your VPC will be displayed.

VPC subnets using the ResourceGroup Tag Key

To look up the newly deployed VPC subnets using the ResourceGroup Tag Key:

1. In the AWS console, select Services > Network & Content Delivery > VPC.
2. In the left navigation tree, click VIRTUAL PRIVATE CLOUD > Subnets.
3. Click the filter box and select Tag Keys > ResourceGroup.
4. Select your ResourceTagPrefix from the list of Tag Keys. Your VPC subnets will be displayed.

FortiADC 7.2.0 AWS Deployment Guide 44


Fortinet Inc.
Deploying Autoscaling on AWS

DynamoDB tables using the UniqueID

To look up the deployed DynamoDB tables using the UniqueID:

1. In the AWS console, select Services > Database > DynamoDB.


2. In the left navigation tree, click Tables.
3. Click the filter box and enter the UniqueID.
The DynamoDB tables will be displayed. The Name of each DynamoDB table will be in the format
<CustomIdentifier>-<table-name>-<UniqueID>.

Lambda Functions using the ResourceGroup Tag Key

To look up the deployed Lambda Functions using the ResourceGroup Tag Key:

1. In the AWS console, select Services > Compute > Lambda.


2. In the left navigation tree, click Functions.
3. Click the filter box and enter the ResourceGroup.
The Lambda Functions will be displayed. Each Function name will be in the format <CustomIdentifier>-
<LambdaFunctionName>-<UniqueID>.

FortiADC 7.2.0 AWS Deployment Guide 45


Fortinet Inc.
Deploying Autoscaling on AWS

Click the Function name to go directly to the function.

Log group using the Lambda function name

To look up the deployed Log group using the Lambda function name:

1. In the AWS console, select Services > Management & Governance > CloudWatch.
2. In the left navigation tree, click Logs > Log Groups.
3. Click the filter box and enter the Lambda Function Name.
The main Lambda Function name will be in the format <CustomIdentifier>-lffadc-<UniqueID>.

Network Load Balancer using the ResourceGroup Tag Key

To look up the deployed Network Load Balancer using the ResourceGroup Tag Key:

1. In the AWS console, select Services > Compute.


2. In the left navigation tree, click Load Balancing > Load Balancer.
3. Click the filter box and enter the ResourceGroup.
The Load balancer name will be in the format <CustomIdentifier>-nlbfadc-<UniqueID>.

FortiADC 7.2.0 AWS Deployment Guide 46


Fortinet Inc.
Deploying Autoscaling on AWS

Verifying the deployment

FortiADC-VM Autoscale creates an Auto Scaling group (ASG) with lifecycle events attached to the group. To verify the
deployment, follow the steps below.
1. Verify that the ASG (with the name starting with fadcASG by default or the prefix you specified in Resource name
prefix) was created after completion of the CloudFormation stack.

2. Navigate to the Instance management tab of the ASG.


You should see the instances with the "In-Service" lifecycle status. The number of instances should be the same as

FortiADC 7.2.0 AWS Deployment Guide 47


Fortinet Inc.
Deploying Autoscaling on AWS

the Desired Capacity that was specified in the CFT parameter.

3. Navigate to the Automatic scaling tab of the ASG and execute a scale-out action.
The scale-out action should trigger a lifecycle event for instantiating a FortiADC instance. When the scale-out event

FortiADC 7.2.0 AWS Deployment Guide 48


Fortinet Inc.
Deploying Autoscaling on AWS

is completed, you should see the total number of instances in the ASG is increased by 1.

FortiADC 7.2.0 AWS Deployment Guide 49


Fortinet Inc.
Deploying Autoscaling on AWS

FortiADC 7.2.0 AWS Deployment Guide 50


Fortinet Inc.
Deploying Autoscaling on AWS

Repeat the scale-in action as needed. Note that you must wait 300 seconds, as specified in the Scaling Cooldown
period, between scale-out and scale-in actions.
4. Check the latest logs in the log group. You will see FortiADC-VM sending heartbeats by calling the /complete
REST API to the lffadc Lambda function. The llfadc Lambda function checks whether the heartbeat is in time and

FortiADC 7.2.0 AWS Deployment Guide 51


Fortinet Inc.
Deploying Autoscaling on AWS

reports the healthy status in log.

FortiADC 7.2.0 AWS Deployment Guide 52


Fortinet Inc.
Deploying Autoscaling on AWS

Connecting to the primary FortiADC-VM

If you have enabled the Elastic IP option in the CFT parameter, you can use the EIP to manage the primary FortiADC.
1. Identify the management IP address of the FortiADC.
If you choose to use an existing Elastic IP, the Elastic IP you entered is the management IP of the FortiADC.
If you choose to create a new Elastic IP, you need to search for the IP address created for you on the AWS Elastic
IP console using the FortiADC Elastic IP or Name you have specified in the template.
Take note of the Elastic IP address for later steps.
2. Identify the Primary FortiADC in the ASG from the DynamoDB.
a. In the AWS console, go to Services > Database > DynamoDB > Items.
b. Locate the FortiadcPrimaryElection table and copy the instanceId for later steps.
For steps on how to locate the FortiadcPrimaryElection table, see Locating deployed resources on page 43.

c. Navigate to the EC2 instance tab and paste the instanceId into the filter box.
d. Locate the primary instance from the filtered list.
3. Connect to the Primary node via the serial console, SSH or web browser.
l Connect via the serial console:

In the Primary Instance tab, click Connect > EC2 serial console.

FortiADC 7.2.0 AWS Deployment Guide 53


Fortinet Inc.
Deploying Autoscaling on AWS

FortiADC 7.2.0 AWS Deployment Guide 54


Fortinet Inc.
Deploying Autoscaling on AWS

l Connect via SSH:


Use admin instead of root as the login user.

l Connect via web browser:


If you have not enabled the Elastic IP, take note of the public IP or FQDN of the primary FortiADC.

In your web browser, open an HTTPS session using the Public IP address, FQDN, or Elastic IP. Ensure to
specify the HTTPS admin port (https://<Public IP address or FQDN or Elastic IP>: 8443).
You will see a certificate error message from your browser, which is normal because the default FortiADC
certificate is self-signed and not recognized by browsers. Proceed past this error. At a later time, you can
upload a publicly signed certificate to avoid this error.
4. Login to the FortiADC-VM with the default user name admin. The password is the instance ID by default and you
will be required to change the password after you log into the FortiADC-VM.

FortiADC 7.2.0 AWS Deployment Guide 55


Fortinet Inc.
Deploying Autoscaling on AWS

See the example below for the serial console:

5. From the Web UI, navigate to System > Cloud Auto Scaling. You will see the auto-scaling configuration is
automatically configured. On the primary FortiADC-VM, you can see the status of all secondary FortiADC-VMs,
including hostname, serial number, AWS ec2 instance-id and the status.
If the status of the secondary FortiADC is init, it means the secondary FortiADC is connected and synchronized to
the primary.

FortiADC 7.2.0 AWS Deployment Guide 56


Fortinet Inc.
Deploying Autoscaling on AWS

If the status changes to online, it means the synchronization is done and the secondary FortiADC is ready to serve.
If you want to connect to the secondary FortiADC to check configuration or log, please wait until its status becomes
online.

FortiADC 7.2.0 AWS Deployment Guide 57


Fortinet Inc.
Deploying Autoscaling on AWS

Configuring the FortiADC-VM for Autoscaling

The autoscaling settings on FortiADC are automatically configured. You can view or change the configurations through
System > Cloud Auto Scaling on the GUI or run config system auto-scale in CLI.
After AWS autoscaling resources are deployed, the function APP elects a server instance, the primary node. All clients
(secondary nodes) will continuously communicate with the elected primary server. The primary node will later
synchronize its configurations to all the clients.
When a new instance joins the cluster, it automatically inherits configurations from the primary node.
You only need to configure the settings on the primary node. The configuration will be automatically synchronized to all
the secondary nodes.
Note: The configuration synchronization can be only triggered by Primary node.
The following provides steps on how to direct web traffic to FortiADC for threat detection. Please note that we would only
be covering basic options, for more information on other options such as the web protection profile, see the FortiADC
Administration Guide.

Basic steps:

1. Create and configure a real server and real server pool on page 58.
2. Create and configure a virtual server on page 59
3. Test the connection between the FortiADC-VM and AWS on page 60.

Create and configure a real server and real server pool

1. In the Primary FortiADC-VM, go to Server Load Balance > Real Server Pool.
2. Navigate to the Real Server tab and click Create New to create a new real server.

FortiADC 7.2.0 AWS Deployment Guide 58


Fortinet Inc.
Deploying Autoscaling on AWS

3. Navigate to the Real Server Pool tab and click Create New to create a new real server pool.

Create and configure a virtual server

1. Go to Server Load Balance > Virtual Server.


2. In the Virtual Server tab, click Create New to create a new virtual server.
3. Configure the following settings:
4.
Setting Guideline

Profile Select the LB_PROF_HTTPS profile.

Port Enter the port number specified in the Web service traffic port CFT
parameter.

Real Server Pool Select the real server pool created previously.

FortiADC 7.2.0 AWS Deployment Guide 59


Fortinet Inc.
Deploying Autoscaling on AWS

Test the connection between the FortiADC-VM and AWS

1. Log in to AWS and select Load Balancers in EC2 service.


2. Locate the load balancer you have created. Take note of its DNS name.

3. Enter the DNS name in your web browser to access your application.
The URL is constructed in the format https://<dns name>:<port>. For example,
https://xxxxx.amazonaws.com:443.
You should be directed to your application homepage.

FortiADC 7.2.0 AWS Deployment Guide 60


Fortinet Inc.
Deploying Autoscaling on AWS

Upgrading the deployment to apply firmware updates to the


FortiADC instances

When an auto scale-out event triggers a new FortiADC instance to deploy and join the ASG, the image version in the
Launch Template must be aligned with the image version of the current FortiADC instance in the ASG. If the image
versions between the Launch Template and the current FortiADC instance in the ASG is incompatible, the new FortiADC
would not synchronize with the primary node.
The following provides steps to apply firmware updates to the FortiADC instances that the AWS Autoscaling deployment
deployed.

Back up all FortiADC configurations prior to upgrading the FortiADC instances.

To upgrade the deployment:

1. Obtain the AMI ID for the desired FortiADC image version:


l From the AWS marketplace — If the desired FortiADC image is available in the AWS marketplace, you can

obtain the FortiADC AMI ID from the marketplace listing.


l By importing the Amazon machine image — If the desired FortiADC is not available in the AWS marketplace,

you can obtain the AMI ID by manually importing the Amazon machine image. For details, see Importing the
Amazon machine image on page 78.
2. Edit the launch template in the ASG to use the desired image version:
a. Go to EC2 > Auto Scaling > Auto Scaling Groups.
b. Select the desired scaling group. Search using the Resource name prefix, the default is fadcASG.
c. In LAUNCH TEMPLATE, select Edit.

FortiADC 7.2.0 AWS Deployment Guide 61


Fortinet Inc.
Deploying Autoscaling on AWS

d. From the Version drop-down list, select the new version. In the example below, the Launch template is set to
use the Latest version.

e. Click Update.
3. Create a new launch template version that references the new FortiADC version's AMI ID, so that autoscaling uses
the new template version for new instances:
a. Navigate to the launch template.
b. From the Actions menu, select Modify Template (Create new version).

c. Under Application and OS Images, paste the AMI ID that you obtained in step 1 in the searchbar or search
under My AMIs.

FortiADC 7.2.0 AWS Deployment Guide 62


Fortinet Inc.
Deploying Autoscaling on AWS

In this example, the AMI name is 720600.

FortiADC 7.2.0 AWS Deployment Guide 63


Fortinet Inc.
Deploying Autoscaling on AWS

d. Add the data storage and create the template version.

You will see the newly created launch template version.

FortiADC 7.2.0 AWS Deployment Guide 64


Fortinet Inc.
Deploying Autoscaling on AWS

4. Confirm the latest created launch template version has been associated in the ASG.

5. Manually apply the update to existing instances. Only the primary FortiADC need to be updated; the firmware
updating will be triggered on the secondary FortiADC instance by the primary FortiADC. For details, see the
FortiADC Handbook on updating the firmware.

FortiADC 7.2.0 AWS Deployment Guide 65


Fortinet Inc.
Deploying Autoscaling on AWS

Configuring the Network Load Balancer

By default, a TCP listener is added to the external load balancer to allow the HTTPS traffic to be routed to the HTTPS
target autoscaling group. You can add other listeners as needed, such as a listener for HTTP traffic.

To configure the network load balancer:

1. Locate the load balancer using the ResourceGroup Tag Key. For detailed steps, see Locating deployed resources
on page 43.
2. In the Load balancer, click the Listeners tab and click Add Listener.

3. In the new listener, specify the port value for HTTP or HTTPS services respectively and click Create target group
to create a target group for this listener.

FortiADC 7.2.0 AWS Deployment Guide 66


Fortinet Inc.
Deploying Autoscaling on AWS

In the example below, the new listener is configured for TCP using port 80 for HTTP services.

4. In the new target group, configure the following Basic configurations and Advanced health check settings:
l Basic configurations — select target type as Instances and Protocol as TCP.

l Advanced health check settings — override the port with the FortiADC admin port (8443).

Select all the instances in the autoscaling group into the pending targets then create the target.

FortiADC 7.2.0 AWS Deployment Guide 67


Fortinet Inc.
Deploying Autoscaling on AWS

5. After the target is created, navigate back to the Add listener tab to associate the target with the listener.

6. Add security group inbound rules in the security group to allow HTTP or HTTPS service traffic to be sent to
FortiADC-VMs in the autoscaling group.
With these configurations, the HTTP and HTTPS traffic to the load balancer will be distributed among the FortiADC-VMs
in the autoscaling group.

FortiADC 7.2.0 AWS Deployment Guide 68


Fortinet Inc.
Deploying Autoscaling on AWS

Attaching the FortiADC-VM instance to an existing Autoscaling


group

You can attach a FortiADC-VM (which can be licensed with PAYG or BYOL) to an existing autoscaling group.

Before you begin:

l Ensure the FortiADC-VM is in standalone mode.


l Ensure the image version of the FortiADC-VM is the same as the FortiADC-VMs in the ASG. If the image version is
different, you will see the log from AWS CloudWatch or from FortiADC debug log. For details, see [debug].
l Check the rules of the network security group attached to the FortiADC-VM network interface card to ensure the
inbound/outbound rules include the rules of the network security group of the FortiADC-VMs in the ASG.

To attach the FortiADC-VM instance to an existing ASG:

1. In the AWS console, go to EC2 > Instances and select the FortiADC-VM you want to add to the ASG.
2. In the FortiADC-VM instance, click the Actions drop-down and select Instance settings > Attach to Auto
Scaling Group.

FortiADC 7.2.0 AWS Deployment Guide 69


Fortinet Inc.
Deploying Autoscaling on AWS

3. In the Attach to Auto Scaling group page, select the ASG to attach the FortiADC-VM to.

4. Check the Instance page to see the FortiADC-VM instance is attached to the ASG.

5. After the FortiADC-VM is added into the ASG, you can see the desired capacity has increased by 1, and the
minimum capacity remains the same value. In this case, the scale-in event may be triggered due to the CPU load in

FortiADC 7.2.0 AWS Deployment Guide 70


Fortinet Inc.
Deploying Autoscaling on AWS

average be lower than the set threshold. You can change the minimum capacity or make the new added instance
under scale-in protection to prevent from any instances in ASG to be terminated.

6. Configure the autoscale configuration on FortiADC-VM. If the ASG was previously empty, then configure the
FortiADC-VM as the primary node, otherwise, configure it as the secondary.
If the FortiADC-VM is the primary node, you can get a Callback URL from the launch template.
a. Configure the FortiADC-VM to autoscaling primary role:
i. In the AWS console, go to EC2 > Launch Templates and locate the launch template by ResourceGroup
tag.
ii. Click the Details > Advanced details tab and check the User data.
Take note of config-url and replace the API path get-config with complete.
In the example below, the Callback URL will be https://xxxx.execute-api.us-west-

FortiADC 7.2.0 AWS Deployment Guide 71


Fortinet Inc.
Deploying Autoscaling on AWS

2.amazonaws.com/prod/complete.

iii. Fill in the autoscaling configuration, set the role to primary and enable the status. Then, click Save.
b. Configure the FortiADC-VM as the autoscaling secondary role.
i. Take note of the Callback URL from the Primary Cloud Auto Scaling configuration and the port1 interface
IP of the primary node.
ii. Fill in the cloud autoscaling configuration and enable the status, then click Save.

iii. Checking from the primary node, you should see this FortiADC-VM is connected. If not, please check
debug.
7. Optionally, you can detach the FortiADC-VM if you do not need it.
On the AWS console, go to EC2 > Auto Scaling Group and locate the ASG. There, you can select the FortiADC-
VM to be detached by clicking Actions > Detach.

FortiADC 7.2.0 AWS Deployment Guide 72


Fortinet Inc.
Deploying Autoscaling on AWS

After FortiADC-VM is successfully detached, the status of the autoscale configuration on FortiADC-VM is
automatically disabled.

FortiADC 7.2.0 AWS Deployment Guide 73


Fortinet Inc.
Deploying Autoscaling on AWS

Debug

Debug information can either be accessed through the AWS CloudWatch or through the FortiADC CLI.
Logs are available from AWS CloudWatch where you can check if FortiADC-VMs in the ASG is sending the heartbeat
callback on time, or whether FortiADC-VM maintains to be healthy. For steps on how to look up the logs and Dynamo DB
records for the deployed resource, see Locating deployed resources on page 43.
On FortiADC-VM, you can use CLI commands to look up the status of the cloud autoscaling daemon:
l Use the debug cloud-autoscale autoscaled command to see the heartbeat callback result and failover
information if the primary election is triggered.

l Use the diagnose debug cloud-autoscale autoscale-tunnel command to see the synchronization
between the primary and secondary FortiADCs. It will also show the crash log if it exists.
Primary FortiADC:

FortiADC 7.2.0 AWS Deployment Guide 74


Fortinet Inc.
Deploying Autoscaling on AWS

Secondary FortiADC:

FortiADC 7.2.0 AWS Deployment Guide 75


Fortinet Inc.
Deploying Autoscaling on AWS

FortiADC 7.2.0 AWS Deployment Guide 76


Fortinet Inc.
Script

Script

FortiADC provides the method to execute any AWS API for users – Users can upload Python script to FortiADC ( system
> AWS Scripting page) with traffic group setting and execute this script on the FortiADC to which its traffic group belongs.
If two FortiADCs are in different traffic groups for HA-VRRP mode, they can execute script individually, and
communicate with AWS when doing the HA switch.
Run script:
l Execute manually from GUI, upload scripts, choose traffic-group, click “Run”
l Traffic-group takes effect in new device and will execute scripts after doing HA switch
Command to check which traffic-group this device belongs: get system traffic-group-status detail
To execute AWS API, set the following on FortiADC:
config system aws
set region us-west-1 (set region name as need)
set accesskey XXXXXXXXXX (get from .csv file when create user on AWS)
set secretkey XXXXXXXXXX (get from .csv file when create user on AWS)
end

Example: This script modifies the default rout in the AWS route table, when the default traffic group works in the new
ADC
#!/bin/sh
traffic_group=${TRAFFIC_GROUP_NAME}
eni_id="XXXXXXXXXX"
route_table_id="XXXXXXXXXX"
echo ${TRAFFIC_GROUP_NAME}
if [$traffic_group="default"]
then
aws ec2 replace-route --route-table-id $route_table_id --destination-cidr-block 0.0.0.0/0 --
network-interface-id $eni_id
else
echo "do noting"
fi

FortiADC 7.2.0 AWS Deployment Guide 77


Fortinet Inc.
Importing the Amazon machine image

Importing the Amazon machine image

Step 1: Precondition

Install the AWS Command Line Interface and its dependencies on most Linux distributions with pip, a package manager
for Python. Please refer to https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-linux.html for more
information.

A. Use pip to install the AWS CLI.

$ pip install awscli --upgrade --user

B. Verify that the AWS CLI installed correctly.

$ aws --version

Step 2: Get IAM key

A. Navigate to https://console.aws.amazon.com/iam

B. Users -> Add user

C. Check the box Programmatic access

FortiADC 7.2.0 AWS Deployment Guide 78


Fortinet Inc.
Importing the Amazon machine image

D. Check the box Administrators

E. After Created, download .csv file to get key

Step 3: Configuring the AWS CLI

$ aws configure
AWS Access Key ID []:xxxxxxxxxxxx (get from Step 2.)
AWS Secret Access Key []:xxxxxxxxxxxx (get from Step 2.)
Default region name []:us-west-1 (Please refer below table for your region name)
Default output format []: json

FortiADC 7.2.0 AWS Deployment Guide 79


Fortinet Inc.
Importing the Amazon machine image

Step 4: Create S3 bucket

A. Navigate to https://s3.console.aws.amazon.com/s3

B. Create bucket

Step 5: upload image and create snapshot

A. Upload image

l unzip image.out.xenaws.zip to get bootdisk.img


l aws s3 cp bootdisk.img s3://<your bucket name>
l Check the upload success

B. To create the service role

1) Create trust-policy.json with the following policy:

FortiADC 7.2.0 AWS Deployment Guide 80


Fortinet Inc.
Importing the Amazon machine image

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externalid": "vmimport"
}
}
}
]
}

2) Create a role named vmimport


If the role with name vmimport already exists, skip this step.
$ aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-
policy.json

3) Create role-policy.json with the following policy.


{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::<your S3 bucket name>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<your S3 bucket name>/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*"
}

FortiADC 7.2.0 AWS Deployment Guide 81


Fortinet Inc.
Importing the Amazon machine image

]
}

4) Attach the policy to the role created above


$ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document
file://role-policy.json

C. Create snapshot

1) Create container.json with the following content:


{
"Description": "FADC 5.1.0 image",
"Format": "raw",
"UserBucket": {
"S3Bucket": "fortiadc-bucket", // S3Bucket:<your S3 bucket name>
"S3Key": "bootdisk.img" // S3Key:<Your image name in S3 >
}
}

2) import snapshot
$ aws ec2 import-snapshot --description "<description>" --disk-container
file://container.json
{
"SnapshotTaskDetail": {
"Status": "active",
"Description": "FADC",
"Format": "RAW",
"DiskImageSize": 0.0,
"UserBucket": {
"S3Bucket": "fortiadc-bucket",
"S3Key": "bootdisk.img"
},
"Progress": "3",
"StatusMessage": "pending"
},
"Description": "FADC",
"ImportTaskId": "import-snap-fh2q08gi"
}

You can check the progress using the following commands:


$ aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-fh2q08gi //
ImportTaskId
{
"ImportSnapshotTasks": [
{
"SnapshotTaskDetail": {
"Status": "active",
"Description": "FADC",
"Format": "RAW",
"DiskImageSize": 725500928.0,
"UserBucket": {
"S3Bucket": "fortiadc-bucket",
"S3Key": "bootdisk.img"
},
"Progress": "19",

FortiADC 7.2.0 AWS Deployment Guide 82


Fortinet Inc.
Importing the Amazon machine image

"StatusMessage": "validated"
},
"Description": "FADC",
"ImportTaskId": "import-snap-fh2q08gi"
}
]
}

$ aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-fh2q08gi


{
"ImportSnapshotTasks": [
{
"SnapshotTaskDetail": {
"Status": "completed",
"Description": "FADC",
"Format": "RAW",
"DiskImageSize": 725500928.0,
"UserBucket": {
"S3Bucket": "fortiadc-bucket",
"S3Key": "bootdisk.img"
},
"SnapshotId": "snap-00cb30ea5ce6fb97f"
},
"Description": "FADC",
"ImportTaskId": "import-snap-fh2q08gi"
}
]
}

After "Status": "completed", you can find your snapshot in the navigation pane, under Elastic Block Store

FortiADC 7.2.0 AWS Deployment Guide 83


Fortinet Inc.
Importing the Amazon machine image

Step 6: Create Amazon Machine Image (AMI)

A. Right click on FortiADC-bootdisk and choose Create Image

2. Fill name and set Virtualization type to virtual machine (HVM) and Add a New Volume with 30GB

FortiADC 7.2.0 AWS Deployment Guide 84


Fortinet Inc.
Importing the Amazon machine image

3. Click Create

4. Under My AMIs you can find the one you just created

FortiADC 7.2.0 AWS Deployment Guide 85


Fortinet Inc.
Important notes

Important notes

1. In L4_VS DNAT mode or L7_VS mode enabled "client-address", you need to disable “Source/Dest. Check” on AWS_
EC2_ADC interface, which connects to RS, and ensure that ADC is the gateway for RS.
2. Currently only supports VRRP group with no more than two ADCs.

FortiADC 7.2.0 AWS Deployment Guide 86


Fortinet Inc.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy