FortiGate
JaskiratM
Staff & Editor
Article Id 256623
Description

This article describes how to add an AWS SDN connector to a FortiGate VM deployed in an AWS VPC, the connector's common use cases, and the steps to troubleshoot it.

Scope

FortiGate VM deployed in an AWS VPC. If it is not already deployed, follow the steps in Deploying FortiGate-VM from AWS marketplace - FortiGate Public Cloud AWS administration guide to set it up.

Solution

  1. For the FortiGate to make changes in the AWS environment, an IAM role with the appropriate policies (depending on the use case) must be assigned to the FortiGate VM. Go to IAM -> Roles and select Create role. Select AWS service, check the EC2 box, and select Next.

  2. Create a policy that sets the permissions allowed to the IAM role. Select 'Create policy' at the top right.

Create the policy using JSON to grant the permissions to the IAM role that will later be assigned to the FortiGate VM.

  3. The JSON statements can be added according to the user's needs, either manually or with the 'Edit statement' section on the right:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:AssociateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:ReplaceRoute",
        "config:BatchGetResourceConfig",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

The 'Action' field lists the API actions the FortiGate is allowed to call in the AWS environment, from the read-only Describe calls to the calls that change the environment.

The 'Resource' field restricts which resources the FortiGate may read or alter. The policies in this article use "*" (all resources). The ec2:Describe* actions require "*" because they do not support resource-level permissions, but where the use case allows, pin the actions that modify the environment (ReplaceRoute, AssociateAddress, AssignPrivateIpAddresses, UnassignPrivateIpAddresses) to the specific route tables, network interfaces and Elastic IPs the FortiGate manages.

Note: Both eks actions are optional for normal operation, but if they are removed, the following error appears in the debug output:

"curl response err, 403"
"not authorized to perform: eks:ListClusters on resource: arn:aws:eks:xyz"

Without that permission the EKS API call fails with this error, but it does not affect the collection of the other dynamic addresses. See AWS Administration Guide - AWS EKS SDN connector.

After adding the appropriate JSON statements, select Create policy and give the policy a name. Then attach the new policy to the IAM role and select Next.

  4. Provide a name for the role and select 'Create role'.

  5. Attach the role to the FortiGate VM deployed in AWS. Go to the EC2 dashboard, right-click the FortiGate VM, select Security, and select Modify IAM role.

Select the IAM role created in step 4 and select Update IAM role.

  6. Add the SDN connector in FortiGate. Go to Security Fabric -> External Connectors -> Create New and choose the AWS SDN connector.

Copy the VPC ID of the VPC the FortiGate belongs to from the AWS EC2 dashboard.

Enter that information in the FortiGate SDN connector wizard and select 'OK'.

Verification and Troubleshooting:

  1. To verify that it is working, confirm that the External Connectors page in the FortiGate GUI shows the AWS SDN connector as up (green).

  2. If the connector does not show as green, or if it does not work as expected, use the following debug commands:

diagnose debug application awsd -1
diagnose debug enable

Run 'diagnose debug disable' when finished. The debug output shows the AWS API calls the FortiGate makes with the role it was given: the Describe calls used to learn the VPC resources, and any calls that alter the AWS environment. A call for an action that the role's policy does not allow fails with a 403 error.

  3. The diagnose test application commands can also be used to troubleshoot issues in the SDN connector.

Usage:

There can be many use cases for the AWS SDN connector depending on requirements, but some of the most common ones are listed below:

  1. Address updates: addresses in the AWS environment can be learned dynamically and kept up to date in the FortiGate.

This can be achieved by referring to the following documents:

  2. HA failover: the SDN connector can also be used to move the floating Elastic IP from the primary to the secondary unit on failover and to update the route tables. For this, the following JSON policy needs to be configured:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:AssociateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:ReplaceRoute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Consult AWS administration guide - Updating the route table and adding an IAM policy to implement a successful failover.

  3. To access a cloud server using an SDN connector via VPN, see AWS administration guide - Accessing a cloud server using an SDN connector via VPN.
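The following Python script is an added example and is not part of this article or of any Fortinet or AWS tooling. It embeds the two policies shown in this article (the full policy from the Solution section and the HA failover policy above), checks which use case each one covers so that a missing action can be found before awsd reports "curl response err, 403", flags Allow statements that grant environment-changing actions on "Resource": "*", and builds a tightened HA failover policy in which those actions are pinned to specific ARNs. The account ID, region and resource IDs are constructed placeholders, and the representative Describe actions listed per use case are assumptions about what the connector calls; the set of EC2 actions that accept resource-level ARNs is taken from the AWS IAM service authorization reference.

```python
"""Least-privilege review of the IAM policies used with the FortiGate AWS SDN connector.

Added example, not Fortinet's or AWS's code. Account ID, region and resource
IDs are constructed placeholders.
"""
import fnmatch
import json

# Policy from the Solution section of the article (copied, not invented).
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "ec2:AssociateAddress",
                   "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
                   "ec2:ReplaceRoute", "config:BatchGetResourceConfig",
                   "eks:DescribeCluster", "eks:ListClusters"],
        "Resource": "*", "Effect": "Allow"}],
}
# Policy from the HA failover use case (copied, not invented).
HA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "ec2:AssociateAddress",
                   "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
                   "ec2:ReplaceRoute"],
        "Resource": "*", "Effect": "Allow"}],
}

# Actions each use case relies on. The eks and mutating ec2 actions come from the
# article; the concrete Describe calls are assumed representatives of ec2:Describe*.
USE_CASES = {
    "dynamic EC2 addresses": {"ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"},
    "HA failover": {"ec2:DescribeRouteTables", "ec2:DescribeAddresses",
                    "ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses", "ec2:ReplaceRoute"},
    "EKS dynamic addresses": {"eks:ListClusters", "eks:DescribeCluster"},
}

# Actions in these policies that accept resource-level ARNs per the AWS service
# authorization reference; granting them on "*" is broader than needed.
SCOPABLE = {"ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses", "ec2:ReplaceRoute"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """True if an Allow statement matches the action (IAM action names are
    case-insensitive and may use '*') and no Deny statement matches it.
    Condition keys are ignored."""
    allowed = False
    for st in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, use_case):
    """Required actions of a use case that the policy does not allow; each one
    would surface in 'diagnose debug application awsd' as a 403."""
    return sorted(a for a in USE_CASES[use_case] if not policy_allows(policy, a))


def overbroad_statements(policy):
    """(index, actions) of Allow statements granting scopable actions on '*'."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        broad = sorted(SCOPABLE & set(_as_list(st.get("Action", []))))
        if broad:
            hits.append((i, broad))
    return hits


def scoped_ha_policy(account, region, route_tables, enis, instances, eips):
    """HA failover policy with the mutating actions pinned to the cluster's own
    resources. ec2:Describe* has no resource-level support and keeps '*'."""
    def arn(kind, rid):
        return f"arn:aws:ec2:{region}:{account}:{kind}/{rid}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Effect": "Allow", "Action": "ec2:ReplaceRoute",
             "Resource": [arn("route-table", r) for r in route_tables]},
            {"Effect": "Allow",
             "Action": ["ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
                        "ec2:UnassignPrivateIpAddresses"],
             "Resource": [arn("network-interface", e) for e in enis]
                         + [arn("instance", i) for i in instances]
                         + [arn("elastic-ip", a) for a in eips]},
        ],
    }


if __name__ == "__main__":
    for name, pol in (("full", FULL_POLICY), ("ha", HA_POLICY)):
        for uc in USE_CASES:
            print(f"{name:4} {uc:22} missing: {missing_actions(pol, uc) or 'none'}")
        print(f"{name:4} overbroad statements: {overbroad_statements(pol)}")
    tight = scoped_ha_policy("123456789012", "us-east-1",  # constructed IDs
                             ["rtb-0a1b2c3d4e5f67890"],
                             ["eni-0123456789abcdef0", "eni-0fedcba9876543210"],
                             ["i-0123456789abcdef0", "i-0fedcba9876543210"],
                             ["eipalloc-0123456789abcdef0"])
    print(json.dumps(tight, indent=2))
```

Running it shows that the HA failover policy covers both EC2 use cases but lacks the two eks actions (the 403 described in the note above), and that its single statement grants all four mutating actions on every resource in the account; the tightened policy returned by scoped_ha_policy keeps the same HA failover capability while passing the over-broad check.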