<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Autoscale Reference - FortiGate Terraform Web UI</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/index.html</link><description>Detailed explanations of autoscale template components, configuration options, and architectural considerations.
Tip: New to FortiGate AWS deployments? Start with the Getting Started guide to deploy your first environment using the Web UI. Return here for deeper architectural understanding.
What You’ll Learn
This section covers the major architectural elements available in the autoscale_template:
Internet Egress Options: Choose between EIP or NAT Gateway architectures
Firewall Architecture: Understand 1-ARM vs 2-ARM configurations
Management Isolation: Configure dedicated management ENI and VPC options
Licensing: Manage BYOL licenses and integrate FortiFlex API
FortiManager Integration: Enable centralized management and policy orchestration
Capacity Planning: Configure autoscale group sizing and scaling strategies (AutoScale only)
Primary Protection: Implement scale-in protection for configuration stability (AutoScale only)
Additional Options: Fine-tune instance specifications and advanced settings
Each component page includes:</description><generator>Hugo</generator><language>en-US</language><atom:link href="https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/index.xml" rel="self" type="application/rss+xml"/><item><title>Internet Egress Options</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_1_internet_egress/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_1_internet_egress/index.html</guid><description>Overview
The FortiGate autoscale solution provides two distinct architectures for internet egress traffic, each optimized for different operational requirements and cost considerations.
Option 1: Elastic IP (EIP) per Instance
Each FortiGate instance in the autoscale group receives a dedicated Elastic IP address. All traffic destined for the public internet is source-NATed behind the instance’s assigned EIP.
Configuration
access_internet_mode = "eip"
Architecture Behavior
In EIP mode, the architecture routes all internet-bound traffic to port2 (the public interface). The route table for the public subnet directs traffic to the Internet Gateway (IGW), where automatic source NAT to the associated EIP occurs.</description></item><item><title>Firewall Architecture</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_2_firewall_architecture/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_2_firewall_architecture/index.html</guid><description>Overview
FortiGate instances can operate in single-arm (1-ARM) or dual-arm (2-ARM) network configurations, fundamentally changing traffic flow patterns through the firewall.
Configuration
firewall_policy_mode = "1-arm" # or "2-arm"
2-ARM Configuration (Recommended for Most Deployments)
Architecture Overview
The 2-ARM configuration deploys FortiGate instances with distinct “trusted” (private) and “untrusted” (public) interfaces, providing clear network segmentation.
Traffic Flow:
1. Traffic arrives at GWLB Endpoints (GWLBe) in the inspection VPC
2. GWLB load-balances traffic across healthy FortiGate instances
3. Traffic encapsulated in Geneve tunnels arrives at FortiGate port1 (data plane)
4. FortiGate inspects traffic and applies security policies
5. Internet-bound traffic exits via port2 (public interface)
6. Port2 traffic is source-NATed via EIP or NAT Gateway
7. Return traffic follows reverse path back through Geneve tunnels
Interface Assignments
port1: Data plane interface for GWLB connectivity (Geneve tunnel termination)
port2: Public interface for internet egress (with optional dedicated management when enabled)
Network Interfaces Visualization</description></item><item><title>Management Isolation Options</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_3_management_isolation/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_3_management_isolation/index.html</guid><description>Overview
The FortiGate autoscale solution provides multiple approaches to isolating management traffic from data plane traffic, ranging from shared interfaces to complete physical network separation.
This page covers three progressive levels of management isolation, allowing you to choose the appropriate security posture for your deployment requirements.
Option 1: Combined Data + Management (Default)
Architecture Overview
In the default configuration, port2 serves dual purposes:
Data plane: Internet egress for inspected traffic (in 2-ARM mode)
Management plane: GUI, SSH, SNMP access
Configuration
enable_dedicated_management_eni = false
enable_dedicated_management_vpc = false
Characteristics
Simplest configuration: No additional interfaces or VPCs required
Lower cost: Minimal infrastructure overhead
Shared security groups: Same rules govern data and management traffic
Single failure domain: Management access tied to data plane availability
When to Use
Development and testing environments
Proof-of-concept deployments
Budget-constrained projects
Simple architectures without compliance requirements
Option 2: Dedicated Management ENI
Architecture Overview
Port2 is removed from the data plane and dedicated exclusively to management functions. FortiOS configures the interface with set dedicated-to management, placing it in an isolated VRF with independent routing.</description></item><item><title>Licensing Options</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_4_licensing_options/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_4_licensing_options/index.html</guid><description>Overview
The FortiGate autoscale solution supports three distinct licensing models, each optimized for different use cases, cost structures, and operational requirements. You can use a single licensing model or combine them in hybrid configurations for optimal cost efficiency.
Licensing Model Comparison
Factor | BYOL | FortiFlex | PAYG
Total Cost (12 months) | Lowest | Medium | Highest
Upfront Investment | High | Medium | None
License Management | Manual (files) | API-driven | None
Flexibility | Low | High | Highest
Capacity Constraints | Yes (license pool) | Soft (point balance) | None
Best For | Long-term, predictable | Variable, flexible | Short-term, simple
Setup Complexity | Medium | High | Lowest
Option 1: BYOL (Bring Your Own License)
Overview
BYOL uses traditional FortiGate-VM license files that you purchase from Fortinet or resellers. The template automates license distribution through S3 bucket storage and Lambda-based assignment.</description></item><item><title>FortiManager Integration</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_5_fortimanager_integration/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_5_fortimanager_integration/index.html</guid><description>Overview
The template supports optional integration with FortiManager for centralized management, policy orchestration, and configuration synchronization across the autoscale group.
Configuration Enable FortiManager integration by setting the following variables in terraform.tfvars:
enable_fortimanager_integration = true
fortimanager_ip = "10.0.100.50"
fortimanager_sn = "FMGVM0000000001"
fortimanager_vrf_select = 1
Variable Definitions
Variable | Type | Required | Description
enable_fortimanager_integration | boolean | Yes | Master switch to enable/disable FortiManager integration
fortimanager_ip | string | Yes | FortiManager IP address or FQDN accessible from FortiGate management interfaces
fortimanager_sn | string | Yes | FortiManager serial number for device registration
fortimanager_vrf_select | number | No | VRF ID for routing to FortiManager (default: 0 for global VRF)
How FortiManager Integration Works
When enable_fortimanager_integration = true:</description></item><item><title>Autoscale Group Capacity</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_6_autoscale_group_capacity/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_6_autoscale_group_capacity/index.html</guid><description>Overview
Configure the autoscale group size parameters to define minimum, maximum, and desired instance counts for both BYOL and on-demand (PAYG) autoscale groups.
Configuration
# BYOL ASG capacity
asg_byol_asg_min_size = 1
asg_byol_asg_max_size = 2
asg_byol_asg_desired_size = 1
# On-Demand (PAYG) ASG capacity
asg_ondemand_asg_min_size = 0
asg_ondemand_asg_max_size = 2
asg_ondemand_asg_desired_size = 0
Parameter Definitions
Parameter | Description | Recommendations
min_size | Minimum number of instances ASG maintains | Set to baseline capacity requirement
max_size | Maximum number of instances ASG can scale to | Set based on peak traffic projections + 20% buffer
desired_size | Target number of instances ASG attempts to maintain | Typically equals min_size for baseline capacity
Capacity Planning Strategies
Strategy 1: BYOL Baseline with PAYG Burst (Recommended)
Objective: Optimize costs by using BYOL for steady-state traffic and PAYG for unpredictable spikes</description></item><item><title>Primary Scale-In Protection</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_7_primary_scalein_protection/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_7_primary_scalein_protection/index.html</guid><description>Overview
Protect the primary FortiGate instance from scale-in events to maintain configuration synchronization stability and prevent unnecessary primary elections.
Configuration
primary_scalein_protection = true
Why Protect the Primary Instance?
In FortiGate autoscale architecture:
Primary instance: Elected leader responsible for configuration management and HA sync
Secondary instances: Receive configuration from primary via FortiGate-native HA synchronization
Without scale-in protection:
AWS autoscaling may select primary instance for termination during scale-in
Remaining instances must elect new primary
Configuration may be temporarily unavailable during election
Potential for configuration loss if primary was processing updates
With scale-in protection:</description></item><item><title>Additional Configuration Options</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_8_additional_configuration/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_8_additional_configuration/index.html</guid><description>Overview
This section covers additional configuration options for fine-tuning FortiGate instance specifications and advanced deployment settings.
FortiGate Instance Specifications
Instance Type Selection
fgt_instance_type = "c7gn.xlarge"
Instance type selection considerations:
c6i/c7i series: Intel-based compute-optimized (best for x86 workloads)
c6g/c7g/c7gn series: AWS Graviton (ARM-based, excellent performance)
Sizing: Choose vCPU count matching expected throughput requirements
Common instance types for FortiGate:
Instance Type | vCPUs | Memory | Network Performance | Best For
c6i.large | 2 | 4 GB | Up to 12.5 Gbps | Small deployments, dev/test
c6i.xlarge | 4 | 8 GB | Up to 12.5 Gbps | Standard production workloads
c6i.2xlarge | 8 | 16 GB | Up to 12.5 Gbps | High-throughput environments
c7gn.xlarge | 4 | 8 GB | Up to 30 Gbps | High-performance networking
c7gn.2xlarge | 8 | 16 GB | Up to 30 Gbps | Very high-performance networking
FortiOS Version
fortios_version = "7.4.5"
Version specification options:</description></item><item><title>Solution Components Summary</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_9_summary/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/4_9_summary/index.html</guid><description>Overview
This summary provides a comprehensive reference of all solution components covered in this section, with quick decision guides and configuration references.
Component Quick Reference
1. Internet Egress Options
Option | Hourly Cost | Data Processing | Monthly Cost (2 AZs) | Source IP | Best For
EIP Mode | $0.005/IP | None | ~$7.20 | Variable | Cost-sensitive, dev/test
NAT Gateway | $0.045/NAT x 2 | $0.045/GB | ~$65 base + data* | Stable | Production, compliance
Data processing example: 1 TB/month = $45 additional cost
Total NAT Gateway cost estimate: $65 (base) + $45 (1TB data) = $110/month for 2 AZs with 1TB egress
access_internet_mode = "eip" # or "nat_gw"
Key Decision: Do you need predictable source IPs for allowlisting (white-listing)?</description></item></channel></rss>