The automation performs a complete environment cleanup, dynamically regenerates the Terraform configuration, and deploys the complete HA stack with both External and Internal Load Balancers ('load balancer sandwich' model).
The solution builds the standard FortiGate HA Load Balancer Sandwich topology used by Fortinet reference architectures.
It automates the creation of:
- VPC networks for management, public, private, and HA-sync interfaces.
- FortiGate Active/Passive VM instances across two zones.
- Internal and External Load Balancers (ILB/ELB) for HA failover.
- Cloud NAT and firewall rules for management and Internet access.
Reference Topology (conceptual):
```text
                External Load Balancer (ELB)
                - fgt-ha-fwdrule-port2-ilb
                - fgt-ha-bes-elb-euw1
                            |
                 Public subnet (10.0.1.0/24)
              /                              \
FortiGate Active (zone b)          FortiGate Passive (zone d)
- port1: mgmt    (10.0.0.3)        - port1: mgmt    (10.0.0.2)
- port2: public  (10.0.1.2)        - port2: public  (10.0.1.4)
- port3: private (10.0.2.3)        - port3: private (10.0.2.4)
- port4: hasync  (10.0.3.2)        - port4: hasync  (10.0.3.3)
              \                              /
                Internal subnet (10.0.2.0/24)
                            |
                            v
                Internal Load Balancer (ILB)
                - fgt-ha-fwdrule-port3-ilb
                - fgt-ha-bes-ilb-euw1
```
Mgmt access via public EIPs (port1). Health check: HTTP/8008. Cloud NAT provides Internet connectivity.
Script: deploy_fgt_ha_gcp_interactive.ps1.
The PowerShell script is fully interactive. It guides the user through GCP project and region input, performs dependency-aware cleanup, and then launches Terraform to deploy the cluster.
Below is an explanation of the functions of each section:
Initialization and Context Setup - the script starts by collecting user input interactively:
```text
Enter your GCP project ID:
Enter GCP region (e.g. europe-west1):
Enter comma-separated zones (e.g. europe-west1-b,europe-west1-d):
```
It then sets up global variables (`$project`, `$region`, `$zones`, `$workdir`) and prints a summary. This ensures Terraform and gcloud commands run in the correct GCP context.
Cleanup Phase (Self-Healing Environment):
Purpose:
Remove any stale resources from previous deployments:
- Deletes old FortiGate-VM instances and their disks.
- Deletes IP addresses, routes, firewall rules, backend services, forwarding rules, and health checks.
- Removes Cloud Routers, NATs, subnets, and networks created by Terraform.
This ensures a clean environment and prevents 'resource already exists' errors.
Example cleanup commands used:
```powershell
gcloud compute instances delete fgt-ha-vm-fgt1-euw1b --zone=europe-west1-b --quiet
gcloud compute forwarding-rules delete fgt-ha-fwdrule-port2-ilb --region=europe-west1 --quiet
gcloud compute backend-services delete fgt-ha-bes-elb-euw1 --region=europe-west1 --quiet
```
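One way to implement the dependency-aware cleanup described above, as an added example that is not the page's script: each object is probed with `gcloud ... describe` and deleted only if it exists, in consumer-before-provider order so that a forwarding rule never blocks deletion of the backend service it references. The project ID, the health-check name and the subnet/network names are assumptions; the other names are those from the topology above.

```powershell
# Added example (not the page's script): delete leftover HA resources in
# dependency order, skipping anything gcloud cannot find.
$project = "my-gcp-project"                            # assumed placeholder
$region  = "europe-west1"
$zones   = @("europe-west1-b", "europe-west1-d")

function Remove-GcpResourceIfPresent {
    param([string]$Kind, [string]$Name, [string[]]$Scope = @())
    $group = $Kind.Split(' ')                          # e.g. "compute","forwarding-rules"
    # Probe first: a missing resource is normal on a fresh project and must not abort the run.
    $null = & gcloud @group describe $Name @Scope --project $project 2>$null
    if ($LASTEXITCODE -ne 0) { Write-Host "skip   $Kind/$Name (not found)"; return }
    Write-Host "delete $Kind/$Name"
    & gcloud @group delete $Name @Scope --project $project --quiet
    if ($LASTEXITCODE -ne 0) { throw "Failed to delete $Kind/$Name" }
}

$regional = @("--region=$region")
# Forwarding rules reference backend services, which reference health checks and instances.
Remove-GcpResourceIfPresent "compute forwarding-rules" "fgt-ha-fwdrule-port2-ilb" $regional
Remove-GcpResourceIfPresent "compute forwarding-rules" "fgt-ha-fwdrule-port3-ilb" $regional
Remove-GcpResourceIfPresent "compute backend-services" "fgt-ha-bes-elb-euw1" $regional
Remove-GcpResourceIfPresent "compute backend-services" "fgt-ha-bes-ilb-euw1" $regional
Remove-GcpResourceIfPresent "compute health-checks"    "fgt-ha-healthcheck-8008" $regional  # assumed name
Remove-GcpResourceIfPresent "compute instances" "fgt-ha-vm-fgt1-euw1b" @("--zone=$($zones[0])")
Remove-GcpResourceIfPresent "compute instances" "fgt-ha-vm-fgt2-euw1d" @("--zone=$($zones[1])")
# Networks go last; their subnets (and any NAT, routes and firewall rules) must be gone first.
foreach ($net in "mgmt", "public", "private", "hasync") {
    Remove-GcpResourceIfPresent "compute networks subnets" "fgt-ha-$net-subnet" $regional  # assumed name
    Remove-GcpResourceIfPresent "compute networks" "fgt-ha-$net"                           # assumed name
}
```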
Environment Preparation:
This section configures gcloud defaults and enables the required APIs automatically:
```powershell
gcloud config set project $project
gcloud config set compute/region $region
gcloud config set compute/zone $zones[0]
gcloud services enable compute.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com
```
It then prepares a Terraform working directory (e.g., 'C:\fgt-ha').
Terraform File Generation:
The script dynamically generates the following files:
- providers.tf: Specifies the Terraform and Google providers, along with their respective versions.
- variables.tf: Defines project, region, subnet ranges, FortiGate image, and admin CIDR.
- main.tf: Declares networks, subnets, and the Fortinet HA module call.
Each section of the main.tf builds one layer of the architecture:

| Section | Function |
|---|---|
| google_compute_network | Creates 4 VPCs (mgmt, public, private, hasync) |
| google_compute_subnetwork | Creates /24 subnets for each network |
| module "fortigate_ha_ap" | Deploys both HA instances and GCP load balancers |
| outputs | Prints FortiGate public IPs and GUI URLs |
Example of the module call:
```hcl
module "fortigate_ha_ap" {
  source       = "git::https://github.com/fortinet/terraform-google-fgt-ha-ap-lb.git?ref=main"
  region       = var.region
  zones        = var.zones
  prefix       = var.prefix
  machine_type = var.machine_type
  image        = var.image
  subnets = [
    google_compute_subnetwork.mgmt.name,
    google_compute_subnetwork.public.name,
    google_compute_subnetwork.private.name,
    google_compute_subnetwork.hasync.name
  ]
  healthcheck_port = 8008
}
```
Terraform Execution:
After the files are written, the script automatically initialises, validates, and applies Terraform:
```powershell
terraform init -upgrade
terraform validate
terraform apply -auto-approve
```
This step may take 8-12 minutes, depending on zone capacity.
Upon completion, Terraform outputs the management IPs and HA cluster information.
Example output:
```text
fortigate_gui_public_ips = ["X.X.X.X", "Y.Y.Y.Y"]
fortigate_gui_urls = [
  "https://X.X.X.X",
  "https://Y.Y.Y.Y"
]
```
Public IPs are masked for security reasons.
Login and Verification.
Access each FortiGate GUI using the printed URLs.
The initial login credentials are:

| Field | Value |
|---|---|
| Username | admin |
| Password | GCP Instance ID (get via `gcloud compute instances describe`) |
After logging in, verify HA synchronization:
```text
get system ha status
```
Expected output:
```text
Mode: a-p
Primary: fgt-ha-vm-fgt1-euw1b
Secondary: fgt-ha-vm-fgt2-euw1d
HA Health Status: OK
```
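For a scripted post-deployment check, here is an added example (not part of the page's script) that parses the `get system ha status` output shown above and reports whether the cluster is in the expected state, including the case where the roles have swapped after a failover. The sample output is constructed from the page's expected output; the function name is an assumption.

```powershell
# Added example (not the page's script): validate "get system ha status" output.
$expectedPrimary   = "fgt-ha-vm-fgt1-euw1b"
$expectedSecondary = "fgt-ha-vm-fgt2-euw1d"

# Constructed sample of the CLI output as printed on the page.
$sample = @"
Mode: a-p
Primary: fgt-ha-vm-fgt1-euw1b
Secondary: fgt-ha-vm-fgt2-euw1d
HA Health Status: OK
"@

function Test-FgtHaStatus {
    param([string]$Output, [string]$Primary, [string]$Secondary)
    # Turn "Key: value" lines into a hashtable; any other line is ignored.
    $fields = @{}
    foreach ($line in $Output -split "`r?`n") {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $problems = @()
    if ($fields['Mode'] -ne 'a-p')            { $problems += "mode is '$($fields['Mode'])', expected a-p" }
    if ($fields['HA Health Status'] -ne 'OK') { $problems += "health is '$($fields['HA Health Status'])', expected OK" }
    if ($fields['Primary'] -ne $Primary)      { $problems += "primary is '$($fields['Primary'])' (failover or sync problem?)" }
    if ($fields['Secondary'] -ne $Secondary)  { $problems += "secondary is '$($fields['Secondary'])'" }
    return [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Fields = $fields; Problems = $problems }
}

$result = Test-FgtHaStatus -Output $sample -Primary $expectedPrimary -Secondary $expectedSecondary
if ($result.Healthy) { "HA cluster OK: $($result.Fields['Primary']) / $($result.Fields['Secondary'])" }
else { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Feed the function the text captured from an SSH session to either node; a non-healthy result after deployment usually means the hasync interfaces (port4) cannot see each other or the health check on port 8008 is failing.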
How each script section works (summary).

| Section | Purpose |
|---|---|
| Initialisation | Collects project and region details, sets environment variables. |
| Cleanup | Removes all previous FortiGate and Terraform artifacts in dependency order. |
| Preparation | Configures gcloud defaults, enables APIs, and creates a clean workspace. |
| Terraform Generation | Writes configuration files automatically for reproducible builds. |
| Terraform Apply | Executes the actual deployment of FortiGate HA resources. |
| Output | Prints GUI IPs and HA details for post-deployment access. |
Notes:
- The script is safe to rerun multiple times; it rebuilds the entire HA stack from scratch.
- Default region: europe-west1, zones b and d.
- Uses health check port 8008 for FortiGate FGCP monitoring.
- Automatically provisions NAT, ILB, ELB, and firewall rules.
- Output URLs can be used immediately to access the FortiGate GUIs.