Add GWLB setup with transit gateway
Change-Id: I9792216189e521011f1a24a132536d1005d3fe34
mobilesuitzero committed Feb 11, 2021
1 parent 5e14b26 commit 758782e
Showing 12 changed files with 1,500 additions and 0 deletions.
113 changes: 113 additions & 0 deletions aws/6.4/gwlb-transit/README.md
@@ -0,0 +1,113 @@
# Deployment of FortiGate-VM (BYOL/PAYG) on the AWS with GWLB integration and Transit Gateway
## Introduction
A Terraform script to deploy a FortiGate-VM on AWS with Gateway Load Balancer intergration.

## Requirements
* [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.13.5
* Terraform Provider AWS >= 3.22.0
* Terraform Provider Template >= 2.2.0
* FOS Version >= 6.4.4

## Deployment overview
Terraform deploys the following components:
- 3 AWS VPCs
- Customer VPC with 2 public subnets and 2 private subnets split two different AZs
- 1 Internet Gateway
- 1 Route table with edge association with Internet Gateway, and 2 internal routes with target to Gateway Load Balancer Endpoint.
- 1 Route table with private subnet association, 1 default route with target to Gateway Load Balancer Endpoint, and 1 route with target to transit gateway.
- 1 Route table with public subnet association, and default route with target to Internet Gateway.
- Customer2 VPC with 2 public subnets and 2 private subnets split two different AZs
- 1 Internet Gateway
- 1 Route table with edge association with Internet Gateway, and 2 internal route with target to Gateway Load Balancer Endpoint.
- 1 Route table with private subnet association, 1 default route with target to Gateway Load Balancer Endpoint, and 1 route with target to transit gateway.
- 1 Route table with public subnet association, and default route with target to Internet Gateway.
- FGT VPC with 1 public, 1 private, 1 gwlb, and 1 transit gateway subnet in one AZ. And, have two different AZs.
- 1 Internet Gateway
- 1 Route table with private subnet association.
- 1 Route table with public subnet association, 1 default route with target to Internet Gateway, 2 customer vpc destinations route with target to Gateway Load Balancer Endpoint.
- 1 Route table with gwlb subnet association, and 2 customer vpc destination route with target to transit gateway.
- 1 Route table with transit gateway subnet association, and 1 default with with target to Gateway Load Balancer Endpoint.
- One FortiGate-VM instance with 2 NICs : port1 on public subnet and port2 on private subnet in one AZ, and another one in different AZ.
- port2 will be in its own FG-traffic vdom.
- A geneve interface will be created base on port2 during bootstrap and this will be the interface where traffic will received from the Gateway Load Balancer.
- Two Network Security Group rules: one for external, one for internal.
- One Gateway Load Balancer with targets to FortiGates in each AZ.


## Topology overview
Customer VPC (20.1.0.0/16)
public-az1 (20.1.0.0/24)
private-az1 (20.1.1.0/24)
public-az2 (20.1.2.0/24)
private-az2 (20.1.3.0/24)
Customer 2 VPC (30.1.0.0/16)
public-az1 (30.1.0.0/24)
private-az1 (30.1.1.0/24)
public-az2 (30.1.2.0/24)
private-az2 (30.1.3.0/24)
FortiGate Security VPC (10.1.0.0/16)
public-az1 (10.1.0.0/24)
private-az1 (10.1.1.0/24)
transit-az1 (10.1.2.0/24)
gwlb-az1 (10.1.3.0/24)
public-az2 (10.1.4.0/24)
private-az2 (10.1.5.0/24)
transit-az2 (10.1.6.0/24)
gwlb-az2 (10.1.7.0/24)

FortiGate VM(s) are deployed in Security VPC on both public and private subnet in different AZs.
Server(s) are deployed in the private subnet in the Customer VPC and Customer 2 VPC in different AZs

Ingress traffic to the Server(s) located in the private subnet in Customer VPC/Customer 2 VPC will be routed to GWLB, redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint.
Egress traffic from the Server(s) located in the private subnet in Customer VPC/Customer 2 VPC will be routed to GWLB and redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint.
East/West traffic to each Customer VPC will be routed to transit gateway, and to GWLB, redirected to FortiGate-VM's geneve interface, and then back out and to the destinated VPC.

## Deployment
To deploy the FortiGate-VM(s) to AWS:
1. Clone the repository.
2. Customize variables in the `terraform.tfvars` and `variables.tf` file as needed.
3. Initialize the providers and modules:
```sh
$ cd XXXXX
$ terraform init
```
4. Submit the Terraform plan:
```sh
$ terraform plan
```
5. Verify output.
6. Confirm and apply the plan:
```sh
$ terraform apply
```
7. If output is satisfactory, type `yes`.

Output will include the information necessary to log in to the FortiGate-VM instances:
```sh
Outputs:

CustomerVPC = <Customer VPC>
FGT1-Password = <FGT 1 Password>
FGT2-Password = <FGT 2 Password>
FGT2PublicIP = <FGT 2 Public IP>
FGTPublicIP = <FGT 1 Public IP>
FGTVPC = <FGT Security VPC>
LoadBalancerPrivateIP = <Private Load Balancer IP>
LoadBalancerPrivateIP2 = <Private Load Balancer IP>
Username = <FGT Username>

```

## Destroy the instance
To destroy the instance, use the command:
```sh
$ terraform destroy
```

# Support
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.
For direct issues, please refer to the [Issues](https://github.com/fortinet/fortigate-terraform-deploy/issues) tab of this GitHub project.
For other questions related to this project, contact [[email protected]](mailto:[email protected]).

## License
[License](https://github.com/fortinet/fortigate-terraform-deploy/blob/master/LICENSE) © Fortinet Technologies. All rights reserved.
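Review bot: step 3 of the Deployment section (`$ cd XXXXX`) leaves a placeholder where the directory this commit creates, `aws/6.4/gwlb-transit`, belongs; a reader following the steps cannot run `terraform init` from it. In the same section the sample output lists `FGT1-Password` and `FGT2-Password` as ordinary outputs; these print to the console and are also persisted in the Terraform state file, so the README should say that the admin passwords live in state and the outputs should be declared `sensitive = true` (the outputs file is not part of this view, so this is a documentation request). Minor: "intergration" in the Introduction, "split two different AZs" should read "split across two different AZs", and "1 default with with target" in the transit gateway route-table bullet has a doubled "with".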
82 changes: 82 additions & 0 deletions aws/6.4/gwlb-transit/fgtvm.conf
@@ -0,0 +1,82 @@
Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0

config system global
set hostname FGTVM-GWLB
set admin-sport ${adminsport}
end
config system interface
edit port1
set alias public
set mode dhcp
set allowaccess ping https ssh fgfm
next
edit port2
set alias private
set mode dhcp
set allowaccess ping https ssh fgfm probe-response
set defaultgw disable
next
end
config system probe-response
set mode http-probe
end
config system global
set vdom-mode split-vdom
end
config global
config system interface
edit port2
set vdom FG-traffic
next
end
end
config vdom
edit FG-traffic
config system geneve
edit "awsgeneve"
set interface "port2"
set type ppp
set remote-ip ${endpointip}
next
end
config firewall policy
edit 1
set name "test"
set srcintf "awsgeneve"
set dstintf "awsgeneve"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
config router static
edit 1
set device awsgeneve
next
edit 2
set device port2
set dst ${cidr}
set gateway ${gateway}
next
end


%{ if type == "byol" }
--==AWS==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

${file(license_file)}

%{ endif }
--==AWS==--
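Review bot: the only firewall policy in the FG-traffic VDOM (`edit 1`, named "test") is `set srcaddr "all"`, `set dstaddr "all"`, `set service "ALL"`, `set action accept` with no security profile, so every flow that GWLB hairpins through `awsgeneve` is forwarded uninspected. That is a reasonable bring-up placeholder, but it is also the one point in this design where traffic can be inspected, so either name it as a placeholder (for example "gwlb-passthrough") and say so in the README, or attach the default IPS/AV profiles. Separately, port2 keeps `set allowaccess ping https ssh fgfm probe-response`; on the interface that terminates GWLB traffic only `probe-response` (the GWLB health check) is needed, and the management protocols should stay on port1. Style: `config system global` appears twice (hostname and admin-sport, then `set vdom-mode split-vdom`); merging them is cleaner unless the interface edits must run before the VDOM mode switch.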
97 changes: 97 additions & 0 deletions aws/6.4/gwlb-transit/fgtvm.tf
@@ -0,0 +1,97 @@
// FGTVM instance

resource "aws_network_interface" "eth0" {
description = "fgtvm-port1"
subnet_id = aws_subnet.publicsubnetaz1.id
}

resource "aws_network_interface" "eth1" {
description = "fgtvm-port2"
subnet_id = aws_subnet.privatesubnetaz1.id
source_dest_check = false
}

data "aws_network_interface" "eth1" {
id = aws_network_interface.eth1.id
}

//
data "aws_network_interface" "vpcendpointip" {
depends_on = [aws_vpc_endpoint.gwlbendpoint]
filter {
name = "vpc-id"
values = ["${aws_vpc.fgtvm-vpc.id}"]
}
filter {
name = "status"
values = ["in-use"]
}
filter {
name = "description"
values = ["*ELB*"]
}
filter {
name = "availability-zone"
values = ["${var.az1}"]
}
}

resource "aws_network_interface_sg_attachment" "publicattachment" {
depends_on = [aws_network_interface.eth0]
security_group_id = aws_security_group.public_allow.id
network_interface_id = aws_network_interface.eth0.id
}

resource "aws_network_interface_sg_attachment" "internalattachment" {
depends_on = [aws_network_interface.eth1]
security_group_id = aws_security_group.allow_all.id
network_interface_id = aws_network_interface.eth1.id
}


resource "aws_instance" "fgtvm" {
ami = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region]
instance_type = var.size
availability_zone = var.az1
key_name = var.keyname
user_data = data.template_file.FortiGate.rendered

root_block_device {
volume_type = "standard"
volume_size = "2"
}

ebs_block_device {
device_name = "/dev/sdb"
volume_size = "30"
volume_type = "standard"
}

network_interface {
network_interface_id = aws_network_interface.eth0.id
device_index = 0
}

network_interface {
network_interface_id = aws_network_interface.eth1.id
device_index = 1
}

tags = {
Name = "FortiGateVM"
}
}


data "template_file" "FortiGate" {
template = "${file("${var.bootstrap-fgtvm}")}"
vars = {
type = "${var.license_type}"
license_file = "${var.license}"
adminsport = "${var.adminsport}"
cidr = "${var.privatecidraz2}"
gateway = cidrhost(var.privatecidraz1, 1)
endpointip = "${data.aws_network_interface.vpcendpointip.private_ip}"
}
}
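Review bot: `data "aws_network_interface" "vpcendpointip"` discovers the GWLB endpoint ENI by the description wildcard `*ELB*` plus VPC id and AZ; if any other ELB-owned ENI (a second GWLB endpoint, an NLB or an ALB) exists in that VPC and AZ the data source matches more than one interface and `terraform plan` fails, and if the description format ever changes the lookup can hand the wrong address to `remote-ip` on the geneve tunnel. Since `aws_vpc_endpoint.gwlbendpoint` is already in `depends_on`, its `network_interface_ids` attribute is the exact handle; look the ENI up by id instead. `data "template_file"` (the Terraform Provider Template listed in the README) is deprecated since Terraform 0.12 and the README already requires >= 0.13.5, so `templatefile(var.bootstrap-fgtvm, { ... })` drops a provider. Least privilege: port2 (`eth1`) is attached to `aws_security_group.allow_all`; that ENI only needs GENEVE (UDP 6081) and the `probe-response` health-check port from the GWLB side, so the group name alone suggests more exposure than the role requires (its definition is in another file of this commit). Minor: `"${var.az1}"`, `"${aws_vpc.fgtvm-vpc.id}"` and the other interpolation-only strings are legacy syntax that 0.13 warns about.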

82 changes: 82 additions & 0 deletions aws/6.4/gwlb-transit/fgtvm2.conf
@@ -0,0 +1,82 @@
Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0

config system global
set hostname FGTVM-GWLB2
set admin-sport ${adminsport}
end
config system interface
edit port1
set alias public
set mode dhcp
set allowaccess ping https ssh fgfm
next
edit port2
set alias private
set mode dhcp
set allowaccess ping https ssh fgfm probe-response
set defaultgw disable
next
end
config system probe-response
set mode http-probe
end
config system global
set vdom-mode split-vdom
end
config global
config system interface
edit port2
set vdom FG-traffic
next
end
end
config vdom
edit FG-traffic
config system geneve
edit "awsgeneve"
set interface "port2"
set type ppp
set remote-ip ${endpointip}
next
end
config firewall policy
edit 1
set name "test"
set srcintf "awsgeneve"
set dstintf "awsgeneve"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
config router static
edit 1
set device awsgeneve
next
edit 2
set device port2
set dst ${cidr}
set gateway ${gateway}
next
end


%{ if type == "byol" }
--==AWS==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

${file(license_file)}

%{ endif }
--==AWS==--
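Review bot: this file is identical to `fgtvm.conf` apart from `set hostname FGTVM-GWLB2`, so every fix to the first template (the allow-all "test" policy, the management protocols on port2) has to be applied twice and the two will drift. Pass the hostname in as a template variable (`set hostname ${hostname}`) and render the one template for both instances; the review comments on `fgtvm.conf` apply here unchanged.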