<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>autoscale_template - FortiGate Terraform Web UI</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/index.html</link><description>Overview The autoscale_template is the required Terraform template that deploys the core FortiGate autoscale infrastructure. This template is used for all deployments and can operate independently or integrate with resources created by the existing_vpc_resources template.
Info This template is required for all deployments. It creates the inspection VPC, FortiGate autoscale group, Gateway Load Balancer, and all components necessary for traffic inspection.
Documentation Structure This template documentation is organized into focused sections:</description><generator>Hugo</generator><language>en-US</language><atom:link href="https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/index.xml" rel="self" type="application/rss+xml"/><item><title>Autoscale Reference</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/autoscale_reference/index.html</guid><description>Detailed explanations of autoscale template components, configuration options, and architectural considerations.
Tip New to FortiGate AWS deployments? Start with the Getting Started guide to deploy your first environment using the Web UI. Return here for deeper architectural understanding.
What You’ll Learn This section covers the major architectural elements available in the autoscale_template:
Internet Egress Options: Choose between EIP or NAT Gateway architectures Firewall Architecture: Understand 1-ARM vs 2-ARM configurations Management Isolation: Configure dedicated management ENI and VPC options Licensing: Manage BYOL licenses and integrate FortiFlex API FortiManager Integration: Enable centralized management and policy orchestration Capacity Planning: Configure autoscale group sizing and scaling strategies (AutoScale only) Primary Protection: Implement scale-in protection for configuration stability (AutoScale only) Additional Options: Fine-tune instance specifications and advanced settings Each component page includes:</description></item><item><title>UI Deployment</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_1_autoscale.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_1_autoscale.html</guid><description>Overview This guide walks you through configuring the autoscale_template using the Web UI. This template deploys FortiGate autoscale groups with Gateway Load Balancer for elastic scaling.
Warning Prerequisites:
Deploy existing_vpc_resources first with AutoScale Deployment mode enabled Record the cp, env, and tgw_name values from existing_vpc_resources outputs Step 1: Select Template Open the UI at http://localhost:3000 In the Template dropdown at the top, select autoscale_template The form will load with inherited values from existing_vpc_resources {{% notice note %}} TODO: Add diagram - template-dropdown-autoscale</description></item><item><title>Deployment Guide</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_2_manual_deployment.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_2_manual_deployment.html</guid><description>Step-by-Step Deployment Prerequisites AWS account with appropriate permissions Terraform 1.0 or later installed AWS CLI configured with credentials SSH keypair created in target AWS region FortiGate licenses (if using BYOL) or FortiFlex account (if using FortiFlex) existing_vpc_resources deployed (if using lab environment) Step 1: Navigate to Template Directory cd fortinet-ui-terraform/terraform/aws/autoscale_template Step 2: Create terraform.tfvars cp terraform.tfvars.example terraform.tfvars Step 3: Configure Core Variables Region and Availability Zones</description></item><item><title>Post-Deployment Configuration</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_3_configuration.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_3_configuration.html</guid><description>Post-Deployment Configuration Configure TGW Route Tables If you enabled enable_tgw_attachment = true, configure Transit Gateway route tables to route traffic through inspection VPC:
For Centralized Egress Spoke VPC route table (route internet traffic to inspection VPC):
# Get inspection VPC TGW attachment ID
INSPECT_ATTACH_ID=$(aws ec2 describe-transit-gateway-attachments \
  --filters "Name=resource-type,Values=vpc" \
            "Name=tag:Name,Values=*inspection*" \
  --query 'TransitGatewayAttachments[0].TransitGatewayAttachmentId' \
  --output text)
# Add default route to spoke route table
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-route-table-id &lt;spoke-rt-id&gt; \
  --transit-gateway-attachment-id $INSPECT_ATTACH_ID
Inspection VPC route table (route spoke traffic to internet):</description></item><item><title>Operations &amp; Troubleshooting</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_4_operation.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_4_operation.html</guid><description>Monitoring and Operations CloudWatch Metrics Key metrics to monitor:
# CPU utilization (triggers autoscaling)
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=AutoScalingGroupName,Value=&lt;asg-name&gt; \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-02T00:00:00Z \
  --period 3600 \
  --statistics Average
# Network throughput
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name NetworkIn \
  --dimensions Name=AutoScalingGroupName,Value=&lt;asg-name&gt; \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-02T00:00:00Z \
  --period 3600 \
  --statistics Sum
Lambda Function Logs Monitor license assignment and lifecycle events:</description></item><item><title>Reference</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_5_reference.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_2_autoscale_template/3_5_reference.html</guid><description>Outputs Reference Important outputs from the template:
terraform output
Output | Description | Use Case
inspection_vpc_id | ID of inspection VPC | VPC peering, routing configuration
inspection_vpc_cidr | CIDR of inspection VPC | Route table configuration
gwlb_arn | Gateway Load Balancer ARN | GWLB endpoint creation
gwlb_endpoint_az1_id | GWLB endpoint ID in AZ1 | Spoke VPC route tables
gwlb_endpoint_az2_id | GWLB endpoint ID in AZ2 | Spoke VPC route tables
fortigate_autoscale_group_name | BYOL ASG name | CloudWatch, monitoring
fortigate_ondemand_autoscale_group_name | PAYG ASG name | CloudWatch, monitoring
lambda_function_name | Lifecycle Lambda function name | CloudWatch logs, debugging
dynamodb_table_name | License tracking table name | License management
s3_bucket_name | License storage bucket name | License management
tgw_attachment_id | TGW attachment ID | TGW routing configuration
Best Practices
Pre-Deployment
Plan capacity thoroughly: Use Autoscale Group Capacity guidance
Test in dev/test first: Validate configuration before production
Document customizations: Maintain runbook of configuration decisions
Review security groups: Ensure least-privilege access
Coordinate with network team: Verify CIDR allocations don’t conflict
During Deployment
Monitor Lambda logs: Watch for errors during instance launch
Verify license assignments: Check first instance gets licensed before scaling
Test connectivity incrementally: Validate routing at each step
Document public IPs: Save instance IPs for troubleshooting access
Post-Deployment
Configure firewall policies immediately: Don’t leave FortiGates in pass-through mode
Enable security profiles: IPS, Application Control, Web Filtering
Set up monitoring: CloudWatch alarms, FortiGate logging
Test failover scenarios: Verify autoscaling behavior
Document recovery procedures: Maintain runbook for common issues
Ongoing Operations
Monitor autoscale events: Review CloudWatch metrics weekly
Update FortiOS regularly: Test updates in dev first
Review firewall logs: Look for blocked traffic patterns
Optimize scaling thresholds: Adjust based on observed traffic
Plan capacity additions: Add licenses/entitlements before needed
Cleanup
Destroying the Deployment
To destroy the autoscale_template infrastructure:</description></item></channel></rss>