Description
This article describes the behavior of a failover on a FortiGate HA cluster within the same availability zone.
Scope
FortiGate HA.
Solution
When a failover occurs on a FortiGate HA cluster within the same availability zone, the secondary unit takes over. During the failover, the AWS secondary private IP addresses configured on port1 and port2 of the primary unit move to the secondary unit. The elastic IP associated with the port1 secondary IP address of the primary unit also moves to the secondary unit. The routing table is updated to forward traffic through the secondary unit. All sessions are synchronized. IPsec phase 1 and phase 2 are also synchronized and continue to operate during and after the failover. The AWS SDN updates are performed by the secondary unit, which initiates the API calls from its HA management interface through the AWS internet gateway. The HA management interfaces must be in a public subnet because the AWS EC2 API is only accessible publicly.
In other words, with FGT-1 as the former primary and FGT-2 as the former secondary: the secondary IPs assigned to port1 and port2 are moved from FGT-1 to FGT-2, along with any elastic IPs. Additionally, the routing table in the private subnet is updated to forward all traffic to FGT-2. FGT-2 initiates all SDN updates by performing API calls from its HA management interface through the AWS internet gateway.
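The following is an added model of the AWS-side steps described above, written here for illustration and not taken from FortiGate or Fortinet code. It replays the three changes (secondary IPs, elastic IP, route table) on a constructed VPC state, checks the stated prerequisite that the HA management subnet routes to an internet gateway, and compares a granted IAM action list against the minimal set those API calls imply; the ENI, EIP and route-table names are placeholders, and the action set is an assumption rather than Fortinet's published policy.

```python
"""Model of the failover steps on constructed VPC data (not FortiGate code)."""
from copy import deepcopy

# Constructed VPC state; ENI/EIP/IGW identifiers are placeholders.
VPC = {
    "enis": {
        "fgt1-port1": {"primary": "10.0.0.10", "secondary": ["10.0.0.100"]},
        "fgt1-port2": {"primary": "10.0.1.10", "secondary": ["10.0.1.100"]},
        "fgt2-port1": {"primary": "10.0.0.11", "secondary": []},
        "fgt2-port2": {"primary": "10.0.1.11", "secondary": []},
    },
    "eip": {"alloc": "eipalloc-PLACEHOLDER", "eni": "fgt1-port1", "ip": "10.0.0.100"},
    "rtb-private": {"0.0.0.0/0": "fgt1"},          # default route targets FGT-1
    "rtb-mgmt": {"0.0.0.0/0": "igw-PLACEHOLDER"},  # HA mgmt subnet -> internet gateway
}

# Least-privilege IAM actions the three API operations imply (assumption,
# not Fortinet's published policy document).
REQUIRED_ACTIONS = {"ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
                    "ec2:AssociateAddress", "ec2:ReplaceRoute", "ec2:DescribeRouteTables"}


def failover(state, old="fgt1", new="fgt2"):
    """Return the VPC state after the secondary unit takes over."""
    s = deepcopy(state)
    for port in ("port1", "port2"):
        src, dst = s["enis"][f"{old}-{port}"], s["enis"][f"{new}-{port}"]
        # AssignPrivateIpAddresses with reassignment: IPs leave the old ENI
        dst["secondary"] += src["secondary"]
        src["secondary"] = []
    # AssociateAddress: the EIP follows the port1 secondary IP it was bound to
    s["eip"]["eni"] = f"{new}-port1"
    # ReplaceRoute: the private subnet's default route now targets FGT-2
    s["rtb-private"]["0.0.0.0/0"] = new
    return s


def mgmt_subnet_is_public(state):
    """The HA management interfaces need a default route via an internet gateway."""
    return state["rtb-mgmt"].get("0.0.0.0/0", "").startswith("igw-")


def missing_actions(granted):
    """Actions the HA role still lacks for the failover API calls."""
    return sorted(REQUIRED_ACTIONS - set(granted))
```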
Copyright 2025 Fortinet, Inc. All Rights Reserved.