add gateway load balancer for single vm deployment
Change-Id: I3b3f537209027dff989a98508fd64653bd65d763
1 parent 5b67003, commit 5e14b26
Showing 10 changed files with 769 additions and 0 deletions.
@@ -0,0 +1,94 @@ | ||
# Deployment of a FortiGate-VM (BYOL/PAYG) on the AWS with GWLB integration | ||
## Introduction | ||
A Terraform script to deploy a FortiGate-VM on AWS with Gateway Load Balancer intergration. | ||
|
||
## Requirements | ||
* [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.13.5 | ||
* Terraform Provider AWS >= 3.22.0 | ||
* Terraform Provider Template >= 2.2.0 | ||
* FOS Version >= 6.4.4 | ||
|
||
## Deployment overview | ||
Terraform deploys the following components: | ||
- 2 AWS VPCs | ||
- Customer VPC with 2 public subnets and 2 private subnets split two different AZs | ||
- 1 Internet Gateway | ||
- 1 Route table with edge association with Internet Gateway, and 2 internal route with target to Gateway Load Balancer Endpoint. | ||
- 1 Route table with private subnet association, and default route with target to Gateway Load Balancer Endpoint. | ||
- 1 Route table with public subnet association, and default route with target to Internet Gateway. | ||
- FGT VPC with 1 public and 1 private subnet in one AZ. | ||
- 1 Internet Gateway | ||
- 1 Route table with private subnet association, and default route with target to FortiGate private port. | ||
- 1 Route table with public subnet association, and default route with target to Internet Gateway. | ||
- One FortiGate-VM instance with 2 NICs : port1 on public subnet and port2 on private subnet | ||
- port2 will be in its own FG-traffic vdom. | ||
- A geneve interface will be created base on port2 during bootstrap and this will be the interface where traffic will received from the Gateway Load Balancer. | ||
- Two Network Security Group rules: one for external, one for internal. | ||
- One Gateway Load Balancer with single target to one FortiGate. | ||
|
||
## Topology overview | ||
Customer VPC (20.1.0.0/16) | ||
public-az1 (20.1.0.0/24) | ||
private-az1 (20.1.1.0/24) | ||
public-az2 (20.1.2.0/24) | ||
private-az2 (20.1.3.0/24) | ||
Security VPC (10.1.0.0/16) | ||
public (10.1.0.0/24) | ||
private (10.1.1.0/24) | ||
|
||
FortiGate VM is deployed in Security VPC on both public and private subnet | ||
Server(s) are deployed in the private subnet in the Customer VPC in different AZ. | ||
|
||
Ingress traffic to the Server(s) located in the private subnet in Customer VPC will be routed to GWLB, redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint. | ||
Egress traffic from the Server(s) located in the private subnet in Customer VPC will be routed to GWLB and redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint. | ||
|
||
![gateway-load-balancer-architecture](./gwlb-vpc.png?raw=true "Gateway Load Balancer Architecture") | ||
|
||
## Deployment | ||
To deploy the FortiGate-VM to AWS: | ||
1. Clone the repository. | ||
2. Customize variables in the `terraform.tfvars` and `variables.tf` file as needed. | ||
3. Initialize the providers and modules: | ||
```sh | ||
$ cd XXXXX | ||
$ terraform init | ||
``` | ||
4. Submit the Terraform plan: | ||
```sh | ||
$ terraform plan | ||
``` | ||
5. Verify output. | ||
6. Confirm and apply the plan: | ||
```sh | ||
$ terraform apply | ||
``` | ||
7. If output is satisfactory, type `yes`. | ||
|
||
Output will include the information necessary to log in to the FortiGate-VM instances: | ||
```sh | ||
Outputs: | ||
|
||
CustomerVPC = <Customer VPC> | ||
FGTPublicIP = <FGT Public IP> | ||
FGTVPC = <FGT VPC> | ||
LoadBalancerPrivateIP = <Private Load Balancer IP> | ||
Password = <FGT Password> | ||
Username = <FGT Username> | ||
``` | ||
|
||
## Destroy the instance | ||
To destroy the instance, use the command: | ||
```sh | ||
$ terraform destroy | ||
``` | ||
|
||
# Support | ||
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. | ||
For direct issues, please refer to the [Issues](https://github.com/fortinet/fortigate-terraform-deploy/issues) tab of this GitHub project. | ||
For other questions related to this project, contact [[email protected]](mailto:[email protected]). | ||
|
||
## License | ||
[License](https://github.com/fortinet/fortigate-terraform-deploy/blob/master/LICENSE) © Fortinet Technologies. All rights reserved. | ||
|
||
|
||
|
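Review bot: step 3 of the Deployment section leaves a placeholder (`$ cd XXXXX`) where the directory to change into should be named; replace it with the actual path of this example inside the repository so the procedure can be followed as written. Wording fixes in the same hunk: "intergration" in the introduction, "split two different AZs" (split across two different AZs), "2 internal route" (routes), "created base on port2" (based on), "where traffic will received" (will be received), and "redirect ... send back out" (redirected ... sent back out). The component list says "Two Network Security Group rules", but AWS calls these security groups, and the instance file in this commit attaches one named `allow_all` to the private port; it would help operators if the README stated what that group permits, and that the `Password` output is sensitive because Terraform outputs are written in plain text to the state file and to the console.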
@@ -0,0 +1,77 @@ | ||
Content-Type: multipart/mixed; boundary="==AWS==" | ||
MIME-Version: 1.0 | ||
|
||
--==AWS== | ||
Content-Type: text/x-shellscript; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
|
||
config system global | ||
set hostname FGTVM-GWLB | ||
set admin-sport ${adminsport} | ||
end | ||
config system interface | ||
edit port1 | ||
set alias public | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm | ||
next | ||
edit port2 | ||
set alias private | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm probe-response | ||
set defaultgw disable | ||
next | ||
end | ||
config system probe-response | ||
set mode http-probe | ||
end | ||
config system global | ||
set vdom-mode split-vdom | ||
end | ||
config global | ||
config system interface | ||
edit port2 | ||
set vdom FG-traffic | ||
next | ||
end | ||
end | ||
config vdom | ||
edit FG-traffic | ||
config system geneve | ||
edit "awsgeneve" | ||
set interface "port2" | ||
set type ppp | ||
set remote-ip ${endpointip} | ||
next | ||
end | ||
config firewall policy | ||
edit 1 | ||
set name "test" | ||
set srcintf "awsgeneve" | ||
set dstintf "awsgeneve" | ||
set srcaddr "all" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set logtraffic all | ||
next | ||
end | ||
config router static | ||
edit 1 | ||
set device awsgeneve | ||
next | ||
end | ||
|
||
|
||
%{ if type == "byol" } | ||
--==AWS== | ||
Content-Type: text/plain; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
Content-Transfer-Encoding: 7bit | ||
Content-Disposition: attachment; filename="license" | ||
|
||
${file(license_file)} | ||
|
||
%{ endif } | ||
--==AWS==-- |
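Review bot: the firewall policy at `edit 1` is named "test" and accepts `srcaddr "all"`, `dstaddr "all"`, `service "ALL"` from and to `awsgeneve` with no security profiles attached, so as shipped the FortiGate passes everything the GWLB hands it and only logs it (`set logtraffic all`). For a single-VM example that is a reasonable starting point, but name the policy for what it is (e.g. `gwlb-passthrough`) and say in the README that it is a permissive placeholder to be tightened with the customer's own addresses, services and profiles. Two smaller points: `port2` is the data-plane port that receives the GENEVE traffic, and `set allowaccess ping https ssh fgfm probe-response` exposes the management services on it as well; only `probe-response` is needed there for the GWLB health check, so drop `https ssh fgfm` from port2 unless in-VPC management is intended. The `config router static / edit 1 / set device awsgeneve` entry has no `set dst`, which makes it a default route back out of the GENEVE tunnel; a one-line comment saying that this is the hairpin return path would save the next reader a lookup. Finally, for BYOL the license is embedded in user-data via `${file(license_file)}`; user-data is readable from the instance metadata service and through `ec2:DescribeInstanceAttribute`, so the Terraform state and instance-attribute access need the same protection as the license file itself.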
@@ -0,0 +1,91 @@ | ||
// FGTVM instance | ||
|
||
resource "aws_network_interface" "eth0" { | ||
description = "fgtvm-port1" | ||
subnet_id = aws_subnet.publicsubnetaz1.id | ||
} | ||
|
||
resource "aws_network_interface" "eth1" { | ||
description = "fgtvm-port2" | ||
subnet_id = aws_subnet.privatesubnetaz1.id | ||
source_dest_check = false | ||
} | ||
|
||
data "aws_network_interface" "eth1" { | ||
id = aws_network_interface.eth1.id | ||
} | ||
|
||
// | ||
data "aws_network_interface" "vpcendpointip" { | ||
depends_on = [aws_vpc_endpoint.gwlbendpoint] | ||
filter { | ||
name = "vpc-id" | ||
values = ["${aws_vpc.fgtvm-vpc.id}"] | ||
} | ||
filter { | ||
name = "status" | ||
values = ["in-use"] | ||
} | ||
filter { | ||
name = "description" | ||
values = ["*ELB*"] | ||
} | ||
} | ||
|
||
resource "aws_network_interface_sg_attachment" "publicattachment" { | ||
depends_on = [aws_network_interface.eth0] | ||
security_group_id = aws_security_group.public_allow.id | ||
network_interface_id = aws_network_interface.eth0.id | ||
} | ||
|
||
resource "aws_network_interface_sg_attachment" "internalattachment" { | ||
depends_on = [aws_network_interface.eth1] | ||
security_group_id = aws_security_group.allow_all.id | ||
network_interface_id = aws_network_interface.eth1.id | ||
} | ||
|
||
|
||
resource "aws_instance" "fgtvm" { | ||
ami = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region] | ||
instance_type = var.size | ||
availability_zone = var.az1 | ||
key_name = var.keyname | ||
user_data = data.template_file.FortiGate.rendered | ||
|
||
root_block_device { | ||
volume_type = "standard" | ||
volume_size = "2" | ||
} | ||
|
||
ebs_block_device { | ||
device_name = "/dev/sdb" | ||
volume_size = "30" | ||
volume_type = "standard" | ||
} | ||
|
||
network_interface { | ||
network_interface_id = aws_network_interface.eth0.id | ||
device_index = 0 | ||
} | ||
|
||
network_interface { | ||
network_interface_id = aws_network_interface.eth1.id | ||
device_index = 1 | ||
} | ||
|
||
tags = { | ||
Name = "FortiGateVM" | ||
} | ||
} | ||
|
||
|
||
data "template_file" "FortiGate" { | ||
template = "${file("${var.bootstrap-fgtvm}")}" | ||
vars = { | ||
type = "${var.license_type}" | ||
license_file = "${var.license}" | ||
adminsport = "${var.adminsport}" | ||
endpointip = "${data.aws_network_interface.vpcendpointip.private_ip}" | ||
} | ||
} | ||
|
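Review bot: the `vpcendpointip` data source finds the GWLB endpoint's ENI by filtering the whole VPC for `status = in-use` and `description = "*ELB*"`; that works while the VPC contains exactly one load-balancer interface, but a second match (another endpoint, or an ALB/NLB added later) makes the lookup fail or return the wrong address, and `depends_on` only orders the read, it does not scope it. `aws_vpc_endpoint` exports `network_interface_ids`, so look the interface up by id instead, e.g. `id = tolist(aws_vpc_endpoint.gwlbendpoint.network_interface_ids)[0]`, and drop the three filters. Other points: `data "aws_network_interface" "eth1"` is declared but nothing in this file reads it; `aws_security_group.allow_all` is attached to the GENEVE-facing port2, and if it is as broad as its name suggests it should be narrowed to UDP 6081 (GENEVE) plus the health-check port, sourced from the GWLB's subnet; and the `template_file` data source with `"${var.license_type}"`-style interpolation is the pre-0.12 form, so with the README's Terraform >= 0.13.5 requirement the built-in `templatefile(var.bootstrap-fgtvm, { ... })` would do the same job without the Template provider dependency.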