reference deployment

Fortinet FortiGate EC2 Auto Scaling on AWS

Midrange next-generation firewalls for multilayered security

This Quick Start deploys the Fortinet FortiGate EC2 Auto Scaling reference architecture into a new or existing virtual private cloud (VPC) on the Amazon Web Services (AWS) Cloud. It's for IT infrastructure architects, administrators, DevOps professionals, and others who plan to implement or extend Fortinet’s Security Fabric workloads on the AWS Cloud.

FortiGate midrange next-generation firewalls provide high-performance, multilayered advanced security and visibility to protect against cyberattacks while reducing complexity. FortiGate firewalls are built with security processors to enable threat protection and performance for Secure Sockets Layer (SSL)–encrypted traffic.

Multiple FortiGate instances form Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups to provide efficient clustering at times of high workloads. FortiGate instances can be scaled out automatically according to predefined workload levels. When a spike in traffic occurs, FortiGate instances are automatically added to the Amazon EC2 Auto Scaling group. EC2 Auto Scaling is achieved by using FortiGate-native high-availability features that synchronize operating-system configurations across multiple FortiGate instances at the time of scale-out events.

By integrating FortiAnalyzer, this reference architecture consolidates logging and reporting for your FortiGate cluster.

cisco logo

This Quick Start was developed by Fortinet in collaboration with AWS. Fortinet is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to provide access to the internet.*
    • In the public subnets:
      • A FortiAnalyzer instance, which consolidates logging and reporting for your FortiGate cluster.
      • Within the FortiGate cluster, Amazon EC2 Auto Scaling groups of FortiGate instances that use Bring Your Own License model (BYOL) licenses or on-demand licenses. This cluster contains the following:
        • Two or more FortiGate instances, which complement AWS security groups (not shown). Security groups provide intrusion protection, web filtering, and threat detection to help protect your services from cyberattacks. Each instance also provides VPN access for authorized users.
        • A main FortiGate instance, which acts as a NAT gateway, allowing outbound internet access for resources in the private subnets.*
    • A public Network Load Balancer that distributes inbound traffic across the FortiGate instances.
    • (Optional) A private Network Load Balancer that distributes inbound traffic across the workload instances that you want to protect from outside access.
    • AWS Lambda, which provides the core Amazon EC2 Auto Scaling functionality between FortiGate instances.
    • Amazon Simple Storage Service (Amazon S3) to host artifacts for Lambda functions and logs.
    • Amazon DynamoDB to store information about Amazon EC2 Auto Scaling condition states.

    * The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy Fortinet FortiGate EC2 Auto Scaling on AWS, follow the instructions in the deployment guide. The deployment process, which takes about 10 minutes, includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Subscribe to one or more FortiGate Amazon Machine Images (AMIs) in AWS Marketplace.
    3. Launch the Quick Start, choosing from the following options:
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of the settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an S3 bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

    This Quick Start can deploy FortiGate on-demand or BYOL instances. You pay an hourly fee based on the EC2 instance type. A license is required for each FortiGate BYOL instance you might use.

    This Quick Start requires a subscription to one or more of the following AMIs available in AWS Marketplace: