Commit
Change-Id: I9792216189e521011f1a24a132536d1005d3fe34
1 parent 5e14b26, commit 758782e
Showing 12 changed files with 1,500 additions and 0 deletions.
@@ -0,0 +1,113 @@ | ||
# Deployment of FortiGate-VM (BYOL/PAYG) on the AWS with GWLB integration and Transit Gateway | ||
## Introduction | ||
A Terraform script to deploy a FortiGate-VM on AWS with Gateway Load Balancer intergration. | ||
|
||
## Requirements | ||
* [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.13.5 | ||
* Terraform Provider AWS >= 3.22.0 | ||
* Terraform Provider Template >= 2.2.0 | ||
* FOS Version >= 6.4.4 | ||
|
||
## Deployment overview | ||
Terraform deploys the following components: | ||
- 3 AWS VPCs | ||
- Customer VPC with 2 public subnets and 2 private subnets split two different AZs | ||
- 1 Internet Gateway | ||
- 1 Route table with edge association with Internet Gateway, and 2 internal routes with target to Gateway Load Balancer Endpoint. | ||
- 1 Route table with private subnet association, 1 default route with target to Gateway Load Balancer Endpoint, and 1 route with target to transit gateway. | ||
- 1 Route table with public subnet association, and default route with target to Internet Gateway. | ||
- Customer2 VPC with 2 public subnets and 2 private subnets split two different AZs | ||
- 1 Internet Gateway | ||
- 1 Route table with edge association with Internet Gateway, and 2 internal route with target to Gateway Load Balancer Endpoint. | ||
- 1 Route table with private subnet association, 1 default route with target to Gateway Load Balancer Endpoint, and 1 route with target to transit gateway. | ||
- 1 Route table with public subnet association, and default route with target to Internet Gateway. | ||
- FGT VPC with 1 public, 1 private, 1 gwlb, and 1 transit gateway subnet in one AZ. And, have two different AZs. | ||
- 1 Internet Gateway | ||
- 1 Route table with private subnet association. | ||
- 1 Route table with public subnet association, 1 default route with target to Internet Gateway, 2 customer vpc destinations route with target to Gateway Load Balancer Endpoint. | ||
- 1 Route table with gwlb subnet association, and 2 customer vpc destination route with target to transit gateway. | ||
- 1 Route table with transit gateway subnet association, and 1 default with with target to Gateway Load Balancer Endpoint. | ||
- One FortiGate-VM instance with 2 NICs : port1 on public subnet and port2 on private subnet in one AZ, and another one in different AZ. | ||
- port2 will be in its own FG-traffic vdom. | ||
- A geneve interface will be created base on port2 during bootstrap and this will be the interface where traffic will received from the Gateway Load Balancer. | ||
- Two Network Security Group rules: one for external, one for internal. | ||
- One Gateway Load Balancer with targets to FortiGates in each AZ. | ||
|
||
|
||
## Topology overview | ||
Customer VPC (20.1.0.0/16) | ||
public-az1 (20.1.0.0/24) | ||
private-az1 (20.1.1.0/24) | ||
public-az2 (20.1.2.0/24) | ||
private-az2 (20.1.3.0/24) | ||
Customer 2 VPC (30.1.0.0/16) | ||
public-az1 (30.1.0.0/24) | ||
private-az1 (30.1.1.0/24) | ||
public-az2 (30.1.2.0/24) | ||
private-az2 (30.1.3.0/24) | ||
FortiGate Security VPC (10.1.0.0/16) | ||
public-az1 (10.1.0.0/24) | ||
private-az1 (10.1.1.0/24) | ||
transit-az1 (10.1.2.0/24) | ||
gwlb-az1 (10.1.3.0/24) | ||
public-az2 (10.1.4.0/24) | ||
private-az2 (10.1.5.0/24) | ||
transit-az2 (10.1.6.0/24) | ||
gwlb-az2 (10.1.7.0/24) | ||
|
||
FortiGate VM(s) are deployed in Security VPC on both public and private subnet in different AZs. | ||
Server(s) are deployed in the private subnet in the Customer VPC and Customer 2 VPC in different AZs | ||
|
||
Ingress traffic to the Server(s) located in the private subnet in Customer VPC/Customer 2 VPC will be routed to GWLB, redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint. | ||
Egress traffic from the Server(s) located in the private subnet in Customer VPC/Customer 2 VPC will be routed to GWLB and redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint. | ||
East/West traffic to each Customer VPC will be routed to transit gateway, and to GWLB, redirected to FortiGate-VM's geneve interface, and then back out and to the destinated VPC. | ||
|
||
## Deployment | ||
To deploy the FortiGate-VM(s) to AWS: | ||
1. Clone the repository. | ||
2. Customize variables in the `terraform.tfvars` and `variables.tf` file as needed. | ||
3. Initialize the providers and modules: | ||
```sh | ||
$ cd XXXXX | ||
$ terraform init | ||
``` | ||
4. Submit the Terraform plan: | ||
```sh | ||
$ terraform plan | ||
``` | ||
5. Verify output. | ||
6. Confirm and apply the plan: | ||
```sh | ||
$ terraform apply | ||
``` | ||
7. If output is satisfactory, type `yes`. | ||
|
||
Output will include the information necessary to log in to the FortiGate-VM instances: | ||
```sh | ||
Outputs: | ||
|
||
CustomerVPC = <Customer VPC> | ||
FGT1-Password = <FGT 1 Password> | ||
FGT2-Password = <FGT 2 Password> | ||
FGT2PublicIP = <FGT 2 Public IP> | ||
FGTPublicIP = <FGT 1 Public IP> | ||
FGTVPC = <FGT Security VPC> | ||
LoadBalancerPrivateIP = <Private Load Balancer IP> | ||
LoadBalancerPrivateIP2 = <Private Load Balancer IP> | ||
Username = <FGT Username> | ||
|
||
``` | ||
|
||
## Destroy the instance | ||
To destroy the instance, use the command: | ||
```sh | ||
$ terraform destroy | ||
``` | ||
|
||
# Support | ||
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. | ||
For direct issues, please refer to the [Issues](https://github.com/fortinet/fortigate-terraform-deploy/issues) tab of this GitHub project. | ||
For other questions related to this project, contact [[email protected]](mailto:[email protected]). | ||
|
||
## License | ||
[License](https://github.com/fortinet/fortigate-terraform-deploy/blob/master/LICENSE) © Fortinet Technologies. All rights reserved. |
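Review bot: step 3 of Deployment still reads `$ cd XXXXX`; replace the placeholder with the directory this example lives in, otherwise the instructions cannot be followed as written. The Outputs block also shows `FGT1-Password` and `FGT2-Password` printed in the clear after `terraform apply`; those outputs should be declared `sensitive = true` so they are redacted from the console and CI logs (they still land in the state file, so the README should tell readers to keep state in an access-controlled, encrypted backend). Wording fixes: "intergration" (integration), "split two different AZs" (split across two AZs), "1 default with with target" in the transit gateway route table bullet, "destinated VPC" (destination VPC), and the "Two Network Security Group rules" bullet should say security groups, which is the AWS term the code actually uses.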
@@ -0,0 +1,82 @@ | ||
Content-Type: multipart/mixed; boundary="==AWS==" | ||
MIME-Version: 1.0 | ||
|
||
--==AWS== | ||
Content-Type: text/x-shellscript; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
|
||
config system global | ||
set hostname FGTVM-GWLB | ||
set admin-sport ${adminsport} | ||
end | ||
config system interface | ||
edit port1 | ||
set alias public | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm | ||
next | ||
edit port2 | ||
set alias private | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm probe-response | ||
set defaultgw disable | ||
next | ||
end | ||
config system probe-response | ||
set mode http-probe | ||
end | ||
config system global | ||
set vdom-mode split-vdom | ||
end | ||
config global | ||
config system interface | ||
edit port2 | ||
set vdom FG-traffic | ||
next | ||
end | ||
end | ||
config vdom | ||
edit FG-traffic | ||
config system geneve | ||
edit "awsgeneve" | ||
set interface "port2" | ||
set type ppp | ||
set remote-ip ${endpointip} | ||
next | ||
end | ||
config firewall policy | ||
edit 1 | ||
set name "test" | ||
set srcintf "awsgeneve" | ||
set dstintf "awsgeneve" | ||
set srcaddr "all" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set logtraffic all | ||
next | ||
end | ||
config router static | ||
edit 1 | ||
set device awsgeneve | ||
next | ||
edit 2 | ||
set device port2 | ||
set dst ${cidr} | ||
set gateway ${gateway} | ||
next | ||
end | ||
|
||
|
||
%{ if type == "byol" } | ||
--==AWS== | ||
Content-Type: text/plain; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
Content-Transfer-Encoding: 7bit | ||
Content-Disposition: attachment; filename="license" | ||
|
||
${file(license_file)} | ||
|
||
%{ endif } | ||
--==AWS==-- |
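Review bot: the only firewall policy in the FG-traffic vdom (`edit 1`, named "test") accepts `srcaddr all` / `dstaddr all` / `service ALL` with no security profiles attached, so every packet the GWLB hands to `awsgeneve` is passed back uninspected; since this bootstrap ships with the example, rename the policy to something descriptive and either attach the intended profiles or state in the README that it is a placeholder the operator must tighten before use. `set logtraffic all` is the right default and should stay. Two smaller points: port1 (the public interface) enables `https ssh fgfm` for management, so whatever security group is attached to port1 is the only control on who can reach the admin port and must be limited to known source ranges; and the hostname `FGTVM-GWLB` is hard-coded in a template that already takes `${adminsport}`, so it could be a template variable too.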
@@ -0,0 +1,97 @@ | ||
// FGTVM instance | ||
|
||
resource "aws_network_interface" "eth0" { | ||
description = "fgtvm-port1" | ||
subnet_id = aws_subnet.publicsubnetaz1.id | ||
} | ||
|
||
resource "aws_network_interface" "eth1" { | ||
description = "fgtvm-port2" | ||
subnet_id = aws_subnet.privatesubnetaz1.id | ||
source_dest_check = false | ||
} | ||
|
||
data "aws_network_interface" "eth1" { | ||
id = aws_network_interface.eth1.id | ||
} | ||
|
||
// | ||
data "aws_network_interface" "vpcendpointip" { | ||
depends_on = [aws_vpc_endpoint.gwlbendpoint] | ||
filter { | ||
name = "vpc-id" | ||
values = ["${aws_vpc.fgtvm-vpc.id}"] | ||
} | ||
filter { | ||
name = "status" | ||
values = ["in-use"] | ||
} | ||
filter { | ||
name = "description" | ||
values = ["*ELB*"] | ||
} | ||
filter { | ||
name = "availability-zone" | ||
values = ["${var.az1}"] | ||
} | ||
} | ||
|
||
resource "aws_network_interface_sg_attachment" "publicattachment" { | ||
depends_on = [aws_network_interface.eth0] | ||
security_group_id = aws_security_group.public_allow.id | ||
network_interface_id = aws_network_interface.eth0.id | ||
} | ||
|
||
resource "aws_network_interface_sg_attachment" "internalattachment" { | ||
depends_on = [aws_network_interface.eth1] | ||
security_group_id = aws_security_group.allow_all.id | ||
network_interface_id = aws_network_interface.eth1.id | ||
} | ||
|
||
|
||
resource "aws_instance" "fgtvm" { | ||
ami = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region] | ||
instance_type = var.size | ||
availability_zone = var.az1 | ||
key_name = var.keyname | ||
user_data = data.template_file.FortiGate.rendered | ||
|
||
root_block_device { | ||
volume_type = "standard" | ||
volume_size = "2" | ||
} | ||
|
||
ebs_block_device { | ||
device_name = "/dev/sdb" | ||
volume_size = "30" | ||
volume_type = "standard" | ||
} | ||
|
||
network_interface { | ||
network_interface_id = aws_network_interface.eth0.id | ||
device_index = 0 | ||
} | ||
|
||
network_interface { | ||
network_interface_id = aws_network_interface.eth1.id | ||
device_index = 1 | ||
} | ||
|
||
tags = { | ||
Name = "FortiGateVM" | ||
} | ||
} | ||
|
||
|
||
data "template_file" "FortiGate" { | ||
template = "${file("${var.bootstrap-fgtvm}")}" | ||
vars = { | ||
type = "${var.license_type}" | ||
license_file = "${var.license}" | ||
adminsport = "${var.adminsport}" | ||
cidr = "${var.privatecidraz2}" | ||
gateway = cidrhost(var.privatecidraz1, 1) | ||
endpointip = "${data.aws_network_interface.vpcendpointip.private_ip}" | ||
} | ||
} | ||
|
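Review bot: `data "aws_network_interface" "vpcendpointip"` discovers the GWLB endpoint's ENI by filtering `description` on the wildcard `*ELB*` within the VPC and AZ, which is fragile: any other load balancer ENI in that VPC and AZ (NLB and ALB interfaces carry an ELB description as well) makes the lookup ambiguous, so the data source either errors out or, worse, a different interface's address ends up as `endpointip` in the FortiGate geneve configuration. Prefer the endpoint resource's own attribute: filter on `network-interface-id` with `values = aws_vpc_endpoint.gwlbendpoint.network_interface_ids`, keeping the `availability-zone` filter to select the AZ1 interface; that also makes the explicit `depends_on` unnecessary. Smaller points: the `depends_on` lines in both `aws_network_interface_sg_attachment` resources are redundant because each already references `aws_network_interface.*.id`; `"${var.az1}"`, `"${var.license_type}"` and the other interpolation-only strings are legacy 0.11 syntax and should be plain expressions; and a group named `allow_all` on the private interface (`eth1`) is acceptable for the GWLB data path, but its name should make clear it is only for port2 and must never be reused for port1.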
@@ -0,0 +1,82 @@ | ||
Content-Type: multipart/mixed; boundary="==AWS==" | ||
MIME-Version: 1.0 | ||
|
||
--==AWS== | ||
Content-Type: text/x-shellscript; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
|
||
config system global | ||
set hostname FGTVM-GWLB2 | ||
set admin-sport ${adminsport} | ||
end | ||
config system interface | ||
edit port1 | ||
set alias public | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm | ||
next | ||
edit port2 | ||
set alias private | ||
set mode dhcp | ||
set allowaccess ping https ssh fgfm probe-response | ||
set defaultgw disable | ||
next | ||
end | ||
config system probe-response | ||
set mode http-probe | ||
end | ||
config system global | ||
set vdom-mode split-vdom | ||
end | ||
config global | ||
config system interface | ||
edit port2 | ||
set vdom FG-traffic | ||
next | ||
end | ||
end | ||
config vdom | ||
edit FG-traffic | ||
config system geneve | ||
edit "awsgeneve" | ||
set interface "port2" | ||
set type ppp | ||
set remote-ip ${endpointip} | ||
next | ||
end | ||
config firewall policy | ||
edit 1 | ||
set name "test" | ||
set srcintf "awsgeneve" | ||
set dstintf "awsgeneve" | ||
set srcaddr "all" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set logtraffic all | ||
next | ||
end | ||
config router static | ||
edit 1 | ||
set device awsgeneve | ||
next | ||
edit 2 | ||
set device port2 | ||
set dst ${cidr} | ||
set gateway ${gateway} | ||
next | ||
end | ||
|
||
|
||
%{ if type == "byol" } | ||
--==AWS== | ||
Content-Type: text/plain; charset="us-ascii" | ||
MIME-Version: 1.0 | ||
Content-Transfer-Encoding: 7bit | ||
Content-Disposition: attachment; filename="license" | ||
|
||
${file(license_file)} | ||
|
||
%{ endif } | ||
--==AWS==-- |
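Review bot: this file is identical to the first FortiGate's bootstrap except for `set hostname FGTVM-GWLB2`, so the two templates will drift the first time someone fixes one of them; fold them into a single template that takes a `${hostname}` variable (the `template_file` data source already passes `adminsport`, `cidr`, `gateway` and `endpointip`, so one more var is trivial) and render it once per instance. Everything said about the first copy applies here unchanged: the allow-all `test` policy on `awsgeneve` passes GWLB traffic uninspected until real profiles are attached, and `https ssh fgfm` on port1 means the public security group is the only control on the admin port.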