fortigate-aws-ha-dualaz-cloudformation

Example Diagram Example Diagram

Example Diagram Example Diagram

Version:
Last updated: Thu, May 22, 2025 22:11:29 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of fortigate-aws-ha-dualaz-cloudformation

Introduction

Example Diagram Example Diagram

Example Diagram Example Diagram

Welcome

The purpose of this site is to provide a quick start guide for using Infrastructure as Code (IaC) templates located in the repo fortigate-aws-ha-dualaz-cloudformation.

Reference the prerequisites and deployment sections on this site to get started.

For detailed documentation on FGCP in AWS, walk through of a post deployment failover, and additional use cases, please reference CSE Team FGCP in AWS.

For other documentation needs such as FortiOS administration, please reference docs.fortinet.com.

Prerequisites

Before attempting to create a stack with the templates, a few prerequisites should be checked to ensure a successful deployment:

  1. An AMI subscription must be active for the FortiGate license type being used in the template.

  2. The solution requires 3 EIPs to be created so ensure the AWS region being used has available capacity. Reference AWS Documentation for more information on EC2 resource limits and how to request increases.

  3. If BYOL licensing is to be used, ensure these licenses have been registered on the support site.

  4. Create a new S3 bucket in the same region where the template will be deployed. If the bucket is in a different region than the template deployment, bootstrapping will fail and the FGTs will be inaccessible.

  5. If BYOL licensing is to be used, upload these licenses to the root directory of the same S3 bucket from the step above.

  6. Ensure that an S3 gateway endpoint is deployed and assigned to both of the PublicSubnet’s AWS route table. If you are using the ‘NewSecurityVPC_FGCP_DualAZ.template.json’ template, then this will be deployed for you. Reference AWS Documentation for further information.

  7. Ensure that all of the PublicSubnet’s and HAmgmtSubnet’s AWS route tables have a default route to an AWS Internet Gateway. Reference AWS Documentation for further information. Otherwise you must set the variable only_private_ec2_api to ‘yes’.

Deployment

Once the prerequisites have been satisfied proceed with the deployment steps below.

  1. To download the templates, you can either clone the repo with the git command below, or download the repo as a ZIP archive. The templates themselves are located in the /cloudformation folder
git clone https://github.com/FortinetCloudCSE/fortigate-aws-ha-dualaz-cloudformation.git

  1. Login to your AWS account. In the AWS services page under All Services > Management Tools, select CloudFormation.

  2. Select Create Stack then select with new resources.

  3. On the Select Template page, under the Choose a Template section select Upload a template to Amazon S3 and browse to your local copy of the chosen deployment template.

  4. On the Specify Details page, you will be prompted for a stack name and parameters for the deployment. We are using the ‘NewSecurityVPC_FGCP_DualAZ.template.json’ template which deploys a new VPC, gives options for TGW integration, and deploys a FGCP cluster as well.

    We are chosing to deploy TGW so we have set both ‘TgwAttach’ and ‘TgwCreation’ to ‘Yes’. Note you can also attach to an existing TGW by changing ‘TgwCreation’ to ‘No’ and providing the appropriate values for the ‘TgwExisting…’ parameters.

  5. In the FortiGate Instance Configuration parameters section, we have selected an Instance Type and Key Pair to use for the FortiGates, chose to encrypt both OS and Log disks, as well as BYOL licensing. Notice we are prompted the InitS3Bucket where the licenses are stored, License Types, FortiGate1LicenseFile, and FortiGate2LicenseFile parameters. For the values we are going to reference the S3 bucket and relevant information from the deployment prerequisite step 4.

    Notice that the license files are in the root directory of the S3 bucket, so we did not need to specify a prefix in our values for FortiGate1LicenseFile and FortiGate2LicenseFile.

  6. In the Interface IP Configuration for the FortiGates parameters section, we are going with the defaults in this example as the subnet addressing matches. These IPs will be the primary IPs assigned to the FortiGate ENIs. These values will also be used as the static IPs in the FortiOS configuration for both FortiGates.

  7. On the Options page, you can scroll to the bottom and select Next.

  8. On the Review page, scroll down to the capabilities section. As the template will create IAM resources, you need to acknowledge this by checking the box next to ‘I acknowledge that AWS CloudFormation might create IAM resources’ and then click Submit.

  9. On the main AWS CloudFormation console, you will now see your stack being created. You can monitor the progress by selecting your stack and then select the Events tab.

  10. Once the stack creation has completed successfully, select the Outputs tab to get the login information for the FortiGate instances and cluster. If you chose to deploy a new TGW as part of the deployment you will see the IDs of your Transit Gateway and relevant TGW Route Tables. These will be used as inputs for the ‘SpokeVPC_TGW_DualAZ.template.json’ template.

  1. Here is an example of deploying a spoke VPC using the ‘SpokeVPC_TGW_DualAZ.template.json’ template. Note we are referencing the relevant IDs for Transit Gateway and relevant TGW Route Tables created for us using the ‘NewSecurityVPC_FGCP_DualAZ.template.json’ template. Note that you will need to add static routes to both FortiGate instances to reach the spoke VPC CIDR via the AWS intrinsic router IP through interface port2.