Get Fortinet FortiGate on Alibaba Cloud by visiting our Marketplace:
Fortinet FortiGate (PAYG) Next-Generation Firewall (4 vCPUs)
Fortinet FortiGate (PAYG) Next-Generation Firewall (8 vCPUs)

In this 3-part article series, we will show you in detail the steps for deploying and configuring Fortinet FortiGate (FGT) Active-Passive (A-P) High Availability (HA) on Alibaba Cloud between availability zones (AZ).

In our setup, two FGTs are in different AZ zones but in a single Region. On the left, FGT1 is Master as it is configured with a higher priority. On the right, FGT2 is slave (passive) and not forwarding any client traffic. Both FGTs are in an HA cluster with unicast heartbeat messages via port3. If, for whatever reason, heartbeat messages are not received from the peer, FGT2 will assume the master role, associate itself with EIP3 and change the VPC default route for the "internal" vswitch to 10.0.22.12, the new Master. A web server with IP 10.0.12.109 represents protected traffic in AZ1. When FGT2 becomes master, the web server will use FGT2 for traffic in/out.

Here is a list of items needed before proceeding with the configuration.

Once you have the licenses, activate your BYOL license to register it, and download the license file.

Prerequisite 2: Alibaba Cloud account or RAM account
You should have an Alibaba Cloud account, or access to one through a RAM account. If you are accessing through a RAM account, you should have at least the AliyunVPCFullAccess, AliyunECSFullAccess, AliyunRAMFullAccess and AliyunEIPFullAccess privileges.

Prerequisite 3: Generate your Access/Secret Combination
Generate your Access/Secret combination if you want to use terraform or aliyuncli to deploy/manage resources. For example, you can use a terraform script to provision all resources. You can also use the Aliyun GUI to deploy the resources.

Prerequisite 4: Get Fortigate from Alibaba Cloud Marketplace
Find the Fortigate image from the Alibaba Cloud Marketplace and locate the Fortigate images. Write down the region id and image id if you use terraform or cli to provision resources.

Prerequisite 5: Plan Your VPC, Region, Zone and Instance Type
To run Fortigate A-P, you will need an instance that is able to support at least 4 NICs. Alibaba Cloud does not always have the same compute instance type in different AZ zones, so you have to check which AZ zone has the compute instance type you need. If you are using the GUI, you can use it to select the AZ zone, but if you use CLI or terraform, you need to find the AZ zone for the InstanceType. In the screenshot above you will find this instance type is only available in zone ap-northeast-1b. You can also use the aliyun cli to get the region id and the availability zone for the required instance type.

To plan your VPC CIDR, you will need 1 VPC, 1 Region, two zones, and compute optimized instances which support 4 NICs: 4 switches in Tokyo Zone A, 4 switches in Tokyo Zone B.

Create Alibaba Cloud Resource
Create VPC
Create a VPC for the FortiGate A-P by following this guide. Assign vswitch CIDR blocks by following the cookbook. The switch named "external" is internet facing, "internal" is for protected traffic, and "ha" is for clustering traffic. We'll use "mgmt" for FortiGate traffic that accesses the Aliyun metadata service (acs). The communication between vswitches in different zones has to go through the vrouter according to the associated routing table.
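The instance-type check in Prerequisite 5 (an instance type with at least 4 NICs, available in the zones you intend to use) can be automated from the aliyun cli output. The example below is added here and is not code from the article or from Fortinet; it parses responses shaped like `aliyun ecs DescribeInstanceTypes` (which reports `EniQuantity` per type) and `aliyun ecs DescribeAvailableResource --DestinationResource InstanceType` (which reports per-zone availability). The embedded JSON is a constructed sample with made-up instance type ids; the field layout follows those two ECS API responses but is reproduced from memory, so check it against your own `aliyun` output before relying on it.

```python
import json

# Constructed sample shaped like `aliyun ecs DescribeInstanceTypes` output.
# Instance type ids and EniQuantity values are made up for this example.
SAMPLE_INSTANCE_TYPES = json.dumps({"InstanceTypes": {"InstanceType": [
    {"InstanceTypeId": "ecs.example.2nic", "CpuCoreCount": 2, "MemorySize": 4.0, "EniQuantity": 2},
    {"InstanceTypeId": "ecs.example.4nic", "CpuCoreCount": 4, "MemorySize": 8.0, "EniQuantity": 4},
    {"InstanceTypeId": "ecs.example.8nic", "CpuCoreCount": 8, "MemorySize": 16.0, "EniQuantity": 8},
]}})

# Constructed sample shaped like `aliyun ecs DescribeAvailableResource
# --RegionId ap-northeast-1 --DestinationResource InstanceType` output.
# Only the 8-NIC type is offered in both Tokyo zones; the 4-NIC type is sold
# out in zone A, mirroring the article's "only available in ap-northeast-1b".
SAMPLE_AVAILABLE = json.dumps({"AvailableZones": {"AvailableZone": [
    {"ZoneId": "ap-northeast-1a", "Status": "Available",
     "AvailableResources": {"AvailableResource": [{"Type": "InstanceType",
        "SupportedResources": {"SupportedResource": [
            {"Value": "ecs.example.2nic", "Status": "Available"},
            {"Value": "ecs.example.4nic", "Status": "SoldOut"},
            {"Value": "ecs.example.8nic", "Status": "Available"},
        ]}}]}},
    {"ZoneId": "ap-northeast-1b", "Status": "Available",
     "AvailableResources": {"AvailableResource": [{"Type": "InstanceType",
        "SupportedResources": {"SupportedResource": [
            {"Value": "ecs.example.2nic", "Status": "Available"},
            {"Value": "ecs.example.4nic", "Status": "Available"},
            {"Value": "ecs.example.8nic", "Status": "Available"},
        ]}}]}},
]}})


def types_with_min_enis(describe_types_json, min_eni=4):
    """Instance type ids whose EniQuantity meets the FortiGate A-P NIC requirement."""
    data = json.loads(describe_types_json)
    return sorted(
        t["InstanceTypeId"]
        for t in data["InstanceTypes"]["InstanceType"]
        if t.get("EniQuantity", 0) >= min_eni
    )


def zones_offering(available_json, instance_type):
    """Zone ids where instance_type is listed with Status Available."""
    data = json.loads(available_json)
    zones = set()
    for zone in data["AvailableZones"]["AvailableZone"]:
        for res in zone["AvailableResources"]["AvailableResource"]:
            if res["Type"] != "InstanceType":
                continue
            for sup in res["SupportedResources"]["SupportedResource"]:
                if sup["Value"] == instance_type and sup["Status"] == "Available":
                    zones.add(zone["ZoneId"])
    return sorted(zones)


def ha_candidates(describe_types_json, available_json, min_eni=4, zones_needed=2):
    """Map each qualifying type to its zones and whether an A-P pair can be
    placed across the required number of zones with that type."""
    out = {}
    for itype in types_with_min_enis(describe_types_json, min_eni):
        zones = zones_offering(available_json, itype)
        out[itype] = {"zones": zones, "cross_zone_ok": len(zones) >= zones_needed}
    return out


if __name__ == "__main__":
    # Replace the samples with the saved output of the two aliyun commands
    # named in the comments above to run this against a real region.
    for itype, info in ha_candidates(SAMPLE_INSTANCE_TYPES, SAMPLE_AVAILABLE).items():
        print(itype, info)
```

Types that fail the `cross_zone_ok` check still work for a single-zone cluster, but not for the cross-AZ layout described in this series, so the result is worth recording next to the region id and image id before writing terraform.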
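The vswitch plan (mgmt, external, internal and ha in each of two zones) and the failover behaviour (the protected vswitch's default route is repointed to the new master's internal port, 10.0.22.12) can be sanity-checked before anything is created. The following is an added example, not the article's or Fortinet's code. It assumes a 10.0.0.0/16 VPC with zone A vswitches in 10.0.1x.0/24 and zone B vswitches in 10.0.2x.0/24; the article itself gives only the vswitch roles and the two host addresses 10.0.12.109 (AZ1 web server) and 10.0.22.12 (FGT2 internal port), which the assumed layout is chosen to fit.

```python
import ipaddress

# Assumed layout: 10.0.0.0/16 VPC, one /24 per role per zone, third octet
# 10..13 for zone A and 20..23 for zone B. The role names come from the
# article; the CIDR values are an assumption for this example.
VPC_CIDR = "10.0.0.0/16"
ROLES = ("mgmt", "external", "internal", "ha")
ZONE_BLOCK = {"ap-northeast-1a": 1, "ap-northeast-1b": 2}


def plan_vswitches(vpc_cidr=VPC_CIDR, zone_block=ZONE_BLOCK, roles=ROLES):
    """Return {(zone, role): IPv4Network}, one /24 per role in each zone."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    base = int(vpc.network_address)
    plan = {}
    for zone, block in zone_block.items():
        for idx, role in enumerate(roles):
            third_octet = block * 10 + idx
            plan[(zone, role)] = ipaddress.IPv4Network((base + (third_octet << 8), 24))
    return plan


def validate_plan(plan, vpc_cidr=VPC_CIDR):
    """Every vswitch must sit inside the VPC and no two may overlap."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    nets = list(plan.values())
    if not all(net.subnet_of(vpc) for net in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return True


def locate(plan, ip):
    """Return the (zone, role) of the vswitch containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for key, net in plan.items():
        if addr in net:
            return key
    return None


def default_route_after_failover(plan, new_master_internal_ip):
    """Build the 0.0.0.0/0 route the protected vswitch gets after failover.

    Refuses a next hop that is not on an "internal" vswitch: the default route
    of the protected side must point at a FortiGate internal interface, never
    at an external, ha or mgmt address.
    """
    where = locate(plan, new_master_internal_ip)
    if where is None or where[1] != "internal":
        raise ValueError(f"{new_master_internal_ip} is not on an internal vswitch")
    return {"DestinationCidrBlock": "0.0.0.0/0",
            "NextHop": new_master_internal_ip,
            "NextHopZone": where[0]}


def crosses_zone(plan, client_ip, firewall_ip):
    """True when client and firewall sit in different zones, i.e. the path
    goes through the vrouter rather than staying inside one vswitch."""
    return locate(plan, client_ip)[0] != locate(plan, firewall_ip)[0]


if __name__ == "__main__":
    plan = plan_vswitches()
    for (zone, role), net in plan.items():
        print(f"{zone:16} {role:9} {net}")
    print("valid:", validate_plan(plan))
    print("after failover:", default_route_after_failover(plan, "10.0.22.12"))
    print("web server reaches new master via vrouter:",
          crosses_zone(plan, "10.0.12.109", "10.0.22.12"))
```

With this layout the AZ1 web server (10.0.12.109) and FGT2's internal port (10.0.22.12) land in different zones, so after failover the web server's traffic to the new master is inter-zone and depends on the vrouter and routing table exactly as the article describes.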