FortiGate
Pavan_Chintha
Article Id 352380
Description This article describes an HA Active-Passive failover between the primary and secondary FortiGate-VMs deployed as an HA cluster within the same availability zone in AWS, and the AWS resources the cluster updates when the failover happens.
Scope FortiGate-VM.
Solution

Topology:

[Diagram: Active Passive HA within Zone.png]

In this example:
The FortiGate HA cluster uses the AWS SDN connector to carry out the Active-Passive failover. The VPC contains a single Availability Zone (Availability Zone 1).

  • FGT-1 and FGT-2 are deployed as an HA Active Passive cluster inside Availability Zone 1.
  • FGT-1 is the Primary FortiGate and FGT-2 is the Secondary FortiGate.

During the failover:

  1. The secondary IP addresses configured on port 1 and port 2 of FGT-1 are moved to port 1 and port 2 of FGT-2.
  2. The Elastic IP, which is associated with the secondary IP address on port 1 of FGT-1, is re-associated with the secondary IP address on port 1 of FGT-2.
  3. The route table of the private subnet hosting the EC2 instance is updated. Before the failover, traffic is routed via the ENI of FGT-1 port 2; after the failover, the route points at the ENI of FGT-2 port 2.
  4. FGT-2 performs these AWS SDN updates by sending API calls from its HA management interface (port 4).
  5. The API calls leave the HA management interface (FGT-2 port 4) through the AWS internet gateway to the public EC2 API endpoint.
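The following is an added example, not Fortinet code and not the SDN connector's implementation: it replays steps 1 to 3 above as the boto3 EC2 calls that produce the same result (assign the secondary IPs to FGT-2's ENIs, re-associate the EIP, replace the private subnet route) and then checks that FGT-2 holds the floating addresses, the EIP and the route. So that it runs offline, the calls go to a small in-memory stand-in for the EC2 client that keeps boto3's keyword names; all ENI, EIP and route table identifiers are constructed placeholders.

```python
"""Added example, not Fortinet's code: the three AWS updates made at A-P failover,
with a post-failover check. All AWS identifiers below are constructed placeholders."""
from dataclasses import dataclass


@dataclass
class FailoverPlan:
    port1_new: str            # FGT-2 port1 ENI (public subnet)
    port2_new: str            # FGT-2 port2 ENI (private subnet)
    port1_secondary_ip: str   # floating secondary IP on port1; the EIP is mapped to it
    port2_secondary_ip: str   # floating secondary IP on port2; the workload's next hop
    eip_allocation_id: str
    route_table_id: str       # route table of the private subnet hosting the EC2 instance
    destination: str = "0.0.0.0/0"


def failover(ec2, p):
    """Issue the call sequence, using boto3's keyword names, that moves service to FGT-2."""
    # Step 1: move the secondary IPs. AllowReassignment=True lets EC2 take each address
    # from FGT-1's ENI in one call (AWS moves an associated EIP along with the address).
    ec2.assign_private_ip_addresses(NetworkInterfaceId=p.port1_new,
                                    PrivateIpAddresses=[p.port1_secondary_ip], AllowReassignment=True)
    ec2.assign_private_ip_addresses(NetworkInterfaceId=p.port2_new,
                                    PrivateIpAddresses=[p.port2_secondary_ip], AllowReassignment=True)
    # Step 2: associate the EIP explicitly with the secondary IP now on FGT-2 port1.
    ec2.associate_address(AllocationId=p.eip_allocation_id, NetworkInterfaceId=p.port1_new,
                          PrivateIpAddress=p.port1_secondary_ip, AllowReassociation=True)
    # Step 3: point the private subnet's default route at FGT-2 port2.
    ec2.replace_route(RouteTableId=p.route_table_id, DestinationCidrBlock=p.destination,
                      NetworkInterfaceId=p.port2_new)


def verify(ec2, p):
    """Post-failover check: return the discrepancies found (empty list when FGT-2 holds all)."""
    problems = []
    enis = {e["NetworkInterfaceId"]: e for e in ec2.describe_network_interfaces(
        NetworkInterfaceIds=[p.port1_new, p.port2_new])["NetworkInterfaces"]}

    def addr(eni, ip):
        return next((a for a in enis[eni]["PrivateIpAddresses"] if a["PrivateIpAddress"] == ip), None)

    a1 = addr(p.port1_new, p.port1_secondary_ip)
    if a1 is None:
        problems.append("port1 secondary IP %s not on %s" % (p.port1_secondary_ip, p.port1_new))
    elif a1.get("Association", {}).get("AllocationId") != p.eip_allocation_id:
        problems.append("EIP %s not associated with port1 secondary IP" % p.eip_allocation_id)
    if addr(p.port2_new, p.port2_secondary_ip) is None:
        problems.append("port2 secondary IP %s not on %s" % (p.port2_secondary_ip, p.port2_new))
    routes = ec2.describe_route_tables(RouteTableIds=[p.route_table_id])["RouteTables"][0]["Routes"]
    hop = next((r.get("NetworkInterfaceId") for r in routes if r.get("DestinationCidrBlock") == p.destination), None)
    if hop != p.port2_new:
        problems.append("route %s -> %s, expected %s" % (p.destination, hop, p.port2_new))
    return problems


class FakeEC2:
    """In-memory stand-in for boto3's EC2 client (constructed for this example). It takes the
    same keyword arguments and enforces the two AWS guards that matter for a failover."""
    def __init__(self, enis, routes):
        self.enis, self.routes = enis, routes

    def assign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses, AllowReassignment=False):
        for ip in PrivateIpAddresses:
            owner = next((e for e, d in self.enis.items() if ip in d["secondaries"]), None)
            if owner and owner != NetworkInterfaceId:
                if not AllowReassignment:
                    raise ValueError("InvalidParameterValue: %s is already assigned to %s" % (ip, owner))
                self.enis[owner]["secondaries"].discard(ip)
                eip = self.enis[owner]["eip"].pop(ip, None)
                if eip:  # the EIP follows the secondary IP it was associated with
                    self.enis[NetworkInterfaceId]["eip"][ip] = eip
            self.enis[NetworkInterfaceId]["secondaries"].add(ip)

    def associate_address(self, AllocationId, NetworkInterfaceId, PrivateIpAddress, AllowReassociation=False):
        for d in self.enis.values():
            for ip in [ip for ip, a in d["eip"].items() if a == AllocationId]:
                if not AllowReassociation:
                    raise ValueError("Resource.AlreadyAssociated: " + AllocationId)
                del d["eip"][ip]
        d = self.enis[NetworkInterfaceId]
        if PrivateIpAddress != d["primary"] and PrivateIpAddress not in d["secondaries"]:
            raise ValueError("InvalidParameterValue: %s is not on %s" % (PrivateIpAddress, NetworkInterfaceId))
        d["eip"][PrivateIpAddress] = AllocationId

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        if DestinationCidrBlock not in self.routes[RouteTableId]:
            raise ValueError("InvalidRoute.NotFound: " + DestinationCidrBlock)
        self.routes[RouteTableId][DestinationCidrBlock] = {"NetworkInterfaceId": NetworkInterfaceId}

    def describe_network_interfaces(self, NetworkInterfaceIds):
        out = []
        for eni in NetworkInterfaceIds:
            d = self.enis[eni]
            addrs = [{"PrivateIpAddress": d["primary"], "Primary": True}]
            addrs += [{"PrivateIpAddress": ip, "Primary": False} for ip in sorted(d["secondaries"])]
            for a in addrs:
                if a["PrivateIpAddress"] in d["eip"]:
                    a["Association"] = {"AllocationId": d["eip"][a["PrivateIpAddress"]]}
            out.append({"NetworkInterfaceId": eni, "PrivateIpAddresses": addrs})
        return {"NetworkInterfaces": out}

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": r, "Routes": [dict(DestinationCidrBlock=c, **a)
                for c, a in self.routes[r].items()]} for r in RouteTableIds]}


def example_state():
    """Constructed pre-failover state: FGT-1 holds the floating IPs, the EIP and the route."""
    enis = {
        "eni-fgt1-port1": {"primary": "10.0.1.10", "secondaries": {"10.0.1.100"}, "eip": {"10.0.1.100": "eipalloc-floating"}},
        "eni-fgt2-port1": {"primary": "10.0.1.11", "secondaries": set(), "eip": {}},
        "eni-fgt1-port2": {"primary": "10.0.2.10", "secondaries": {"10.0.2.100"}, "eip": {}},
        "eni-fgt2-port2": {"primary": "10.0.2.11", "secondaries": set(), "eip": {}},
    }
    routes = {"rtb-private": {"10.0.0.0/16": {"GatewayId": "local"}, "0.0.0.0/0": {"NetworkInterfaceId": "eni-fgt1-port2"}}}
    plan = FailoverPlan("eni-fgt2-port1", "eni-fgt2-port2", "10.0.1.100", "10.0.2.100", "eipalloc-floating", "rtb-private")
    return FakeEC2(enis, routes), plan


def run_example():
    """Return (problems before failover, problems after failover)."""
    ec2, plan = example_state()
    before = verify(ec2, plan)
    failover(ec2, plan)
    return before, verify(ec2, plan)
```

Against a real account, `failover` and `verify` accept `boto3.client("ec2")` in place of `FakeEC2`, because the keyword arguments and response shapes match the EC2 API. The credentials used (on a FortiGate, the instance IAM role) must allow ec2:AssignPrivateIpAddresses, ec2:AssociateAddress, ec2:ReplaceRoute, ec2:DescribeNetworkInterfaces and ec2:DescribeRouteTables. Calling `failover` on a live cluster moves traffic exactly as a real failover would, so for auditing an existing cluster run `verify` alone with the plan filled in from the cluster's ENIs.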


Note:

Ensure the HA management interfaces are in public subnets: the AWS EC2 API endpoint is reached over the public internet, so the HA management interface needs a route through the internet gateway for the SDN updates to succeed. The IAM role attached to the instances must also permit the EC2 calls that perform those updates. After a failover, FGT-2 becomes the primary by taking over from FGT-1.