Introduction
Welcome
The purpose of this site is to provide a quick start guide for using Infrastructure as Code (IaC) templates located in the repo fortigate-aws-gwlb-terraform.
Reference the prerequisites and deployment sections on this site to get started.
For detailed documentation on FortiGates with GWLB in AWS, a walkthrough of a post-deployment failover, and additional use cases, please reference CSE Team GWLB in AWS.
For other documentation needs such as FortiOS administration, please reference docs.fortinet.com.
Prerequisites
Before attempting to create a stack with the templates, a few prerequisites should be checked to ensure a successful deployment:
- An AMI subscription must be active for the FortiGate license type being used in the template.
- The solution requires 1 EIP per FGT to be created, so ensure the AWS region being used has available capacity. Reference AWS Documentation for more information on EC2 service quotas and how to request increases.
- If BYOL licensing is to be used, ensure these licenses have been registered on the support site.
Deployment
Once the prerequisites have been satisfied proceed with the deployment steps below.
- Clone this repo with the command below.

```shell
git clone https://github.com/FortinetCloudCSE/fortigate-aws-gwlb-terraform.git
```

- Change directories and modify the terraform.tfvars file with your credentials and deployment information.
Note
In the terraform.tfvars file, the comments explain what inputs are expected for the variables. For further details on a given variable or to see all possible variables, reference the variables.tf file. We chose to deploy 2 FGTs per AZ and set tgw_creation to yes.
```shell
cd fortigate-aws-gwlb-terraform/terraform
nano terraform.tfvars
```

- When ready to deploy, use the commands below to run through the deployment.

```shell
terraform init
terraform validate
terraform apply --auto-approve
```

- When the deployment is complete, the outputs list the public IPs and instance IDs used to access each FGT, along with other information.
```text
Apply complete! Resources: 85 added, 0 changed, 0 destroyed.

Outputs:

fgt_login_info = <<EOT
# fgt username: admin
# fgt initial password: instance-id of the fgt
# fgt_ids_a : ["i-053888445f2e677ef","i-09c5e7a6bf403cd77"]
# fgt_ips_a : ["34.235.8.29","52.70.176.130"]
# fgt_ids_b : ["i-094aae24d8f1665b0","i-0575b16f6aeeb0e15"]
# fgt_ips_b : ["3.210.241.134","44.196.135.34"]
EOT
gwlb_info = <<EOT
# gwlb arn_suffix: gwy/poc-sec-gwlb/09856ffbfe1862f3
# gwlb service_name : com.amazonaws.vpce.us-east-1.vpce-svc-0db0f1b8e4b8445f1
# gwlb service_type : GatewayLoadBalancer
# gwlb ips : ["10.0.13.83","10.0.14.93"]
EOT
tgw_info = <<EOT
# tgw id: tgw-09eb29c4aa20fe1ce
# tgw spoke route table id: tgw-rtb-0b080f43f34fd129d
# tgw security route table id: tgw-rtb-0c09fcc9ce8d3e917
EOT
```

- This concludes the template deployment example.
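The deployment steps above, wrapped in a small POSIX shell script as an added example that is not part of the fortigate-aws-gwlb-terraform repo. It writes the plan to a file with `terraform plan -out` and applies that exact file after it has been reviewed, instead of running `apply --auto-approve` on an unreviewed change set, and it parses the `fgt_login_info` output into per-AZ instance-ID/public-IP pairs (the initial admin password is the instance ID, so that pairing is what a first login needs). The sample output text is constructed from the values shown above; the function names, the `deploy DIR` argument and the assumption of Terraform 0.15 or later (for `terraform output -raw`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the fortigate-aws-gwlb-terraform repo.
# Wraps the quick-start steps so the plan is saved to a file and that exact
# plan is applied, and parses the fgt_login_info output into per-AZ
# "instance-id public-ip" pairs. Function names and the DIR argument are
# this example's own choices.
set -eu

# Constructed sample of the fgt_login_info output (values copied from the
# quick start above) so the parsing helpers can be exercised offline.
SAMPLE_LOGIN_INFO='# fgt username: admin
# fgt initial password: instance-id of the fgt
# fgt_ids_a : ["i-053888445f2e677ef","i-09c5e7a6bf403cd77"]
# fgt_ips_a : ["34.235.8.29","52.70.176.130"]
# fgt_ids_b : ["i-094aae24d8f1665b0","i-0575b16f6aeeb0e15"]
# fgt_ips_b : ["3.210.241.134","44.196.135.34"]'

# fgt_list TEXT KEY: print the bracketed list for KEY (e.g. fgt_ids_a)
# as space-separated values with the quotes stripped; empty if KEY is absent.
fgt_list() {
  printf '%s\n' "$1" | sed -n "s/^# $2 : \[\(.*\)]\$/\1/p" | tr -d '"' | tr ',' ' '
}

# fgt_pairs TEXT AZ: one "instance-id public-ip" line per FortiGate in AZ (a or b).
fgt_pairs() {
  ids=$(fgt_list "$1" "fgt_ids_$2")
  ips=$(fgt_list "$1" "fgt_ips_$2")
  awk -v ids="$ids" -v ips="$ips" 'BEGIN {
    n = split(ids, id, " "); split(ips, ip, " ")
    for (i = 1; i <= n; i++) print id[i], ip[i]
  }'
}

# deploy DIR: the init/validate/apply steps from the quick start, with the plan
# written to tfplan and shown for review before it is applied, instead of
# "apply --auto-approve" on an unreviewed change set.
# Assumes Terraform 0.15 or later for "terraform output -raw".
deploy() {
  cd "$1"
  terraform init
  terraform fmt -check
  terraform validate
  terraform plan -out=tfplan
  terraform show tfplan
  printf 'Apply this plan? [y/N] '
  read -r answer
  [ "$answer" = "y" ] || { echo "aborted, nothing applied"; return 1; }
  terraform apply tfplan
  # Print the FGT instance IDs and public IPs using the helpers above.
  login_info=$(terraform output -raw fgt_login_info)
  for az in a b; do
    echo "AZ $az (admin / initial password = instance id):"
    fgt_pairs "$login_info" "$az"
  done
}

# Usage: sh deploy.sh deploy fortigate-aws-gwlb-terraform/terraform
# Without arguments the script only defines the helpers (e.g. for sourcing).
if [ "${1:-}" = "deploy" ]; then
  deploy "${2:-.}"
fi
```

Run it as `sh deploy.sh deploy fortigate-aws-gwlb-terraform/terraform` from the directory that contains the cloned repo; with no arguments it only defines the helpers, so it can be sourced to parse an `fgt_login_info` block you already have, for example from `terraform output -raw fgt_login_info` on an existing deployment.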