FortiGate cluster in Google Cloud is usually deployed behind a external pass-through network load balancer (NLB). In some cases though it might be desireable to add an Application Load Balancer instead of NLB to leverage Cloud Armor or global nature of ALB. This repo contains a demo terraform template to deploy such environment.
NOTE: this template uses PAYG licenses for FortiGates. If you wish to use your own BYOL licenses add them to module parameters in main.tf or add FortiFlex tokens to flex variable
FortiGates in this demo are deployed in a standard active-passive HA cluster between external and internal pass-through network load balancers. On the internal part you will find a single Ubuntu VM instance hosting an nginx web server. On external side this template adds an Application Load Balancer on a dedicated public IP address with HTTP protocol redirected to HTTPS and a simple security policy attached.
This module has no prerequisites except for enabled Compute API. It will create all the needed resources including VPC Networks, VMs, load balancers, etc. Make sure your project quota allows to create additional 3 VPCs (default quota is 5).
- HTTP(S) request from Internet is handled by ALB and passed to the active FortiGate instance with SNAT
- FortiGate DNATs connection to the web server VM. SNAT is also applied to ensure the return packet will be sent back to FortiGate instance and not directly to ALB address
- Return packet is sent to FortiGate instance which originally processed the packet initiating the connection (mind that because of SNAT, the ILB and custom route in internal VPC are ignored)
- FortiGate forwards the return packet back to ALB
The easiest way to deploy terraform to GCP is using Cloud Shell:
- Open Cloud Shell from Google Cloud console
- Clone this repository:
git clone https://github.com/bartekmo/ftnt-demo-gcp-alb.git - Change to repo directory:
cd ftnt-demo-gcp-alb - Initialize terraform:
terraform init - Deploy:
terraform apply - After deployment completes terraform will output information about connectivity similar to this:
alb_address = "34.128.164.174"
fgt_management_address = "34.65.215.143"
fgt_password = "398635541547203305"
Open your web browser and go to http://[alb_address] (replacing [alb_address] with the value from outputs, obviously). You should be redirected to HTTPS connection (you will notice because your web browser will warn about invalid certificate) and show the default nginx web page.
Open Google Cloud console to explore the settings of NLB and ALB. Note that they use two different backends (regional and global, respectively).
Use FGT management address and password from terraform outputs to connect to FortiGate web console (on standard HTTPS port). All connections should be visible in Log&Report > Forward Traffic. Explore the firewall policy in Policy&Objects > Firewall Policy and DNAT settings in Policy&Objects > Virtual IPs.
After you're done remember to run terraform destroy to delete all resources used in this demo.
- if you cannot reach the web server, restart it. In some cases wb server might not provision properly
- to verify the connections on the FortiGate use the management address and initial password from outputs to connect to primary FortiGate management console or CLI
- this template uses a factory branch of FortiGate HA module. In some time this branch will be likely merged to main and I might forget to update this repo. If terraform complains it cannot find the module to import, try removing "?ref=v1.1" from module's source parameter in main.tf file