This article explains why UDP port 4789 (VXLAN) must be allowed in the security group when forming FortiGate-VM HA in the cloud with a custom security group.
Scope
FortiGate.
Solution
Diagram:
Deploying FortiGate-VM A-P HA on AWS within one zone
By default, the security group allows all traffic across all protocols and port ranges, as shown below:
If the custom security group does not permit VXLAN traffic (UDP port 4789), the HA cluster will not form.
The packet captures below show that no ARP replies are received from the other unit.
When using a custom security group, it is essential to permit VXLAN traffic (UDP port 4789) so that HA can form.
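As an added example (not part of this article or of any Fortinet tooling), the check below reads security-group rules in the shape returned by `aws ec2 describe-security-groups`, reports whether the group admits UDP 4789 from the HA peer (by CIDR or by referenced group), and prints the `authorize-security-group-ingress` call that adds the missing rule. The group IDs, CIDRs and peer address are constructed placeholders.

```python
import ipaddress

VXLAN_PORT = 4789  # FortiGate-VM HA traffic on AWS is carried over VXLAN

# Constructed samples in the shape `aws ec2 describe-security-groups` returns;
# the group IDs, CIDRs and the peer address are placeholders, not real values.
CUSTOM_SG = {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}
DEFAULT_SG = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": []},
]}
PEER_IP, PEER_SG = "10.0.1.20", "sg-0aaaaaaaaaaaaaaaa"  # both HA units share one SG


def rule_allows_vxlan(rule, peer_ip, peer_sg):
    """Does one ingress rule admit UDP 4789 from the HA peer (by IP or by group)?"""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "All traffic" rule: AWS omits the port fields entirely
        pass
    elif proto == "udp":
        if not rule.get("FromPort", 0) <= VXLAN_PORT <= rule.get("ToPort", 65535):
            return False
    else:
        return False
    if any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r["CidrIp"])
           for r in rule.get("IpRanges", [])):
        return True
    return any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", []))


def ha_vxlan_permitted(sg, peer_ip, peer_sg):
    """True if any ingress rule in the group lets VXLAN in from the peer."""
    return any(rule_allows_vxlan(r, peer_ip, peer_sg) for r in sg["IpPermissions"])


def vxlan_fix_command(sg, peer_sg):
    """AWS CLI call that adds the missing rule, scoped to the peer's group only."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {sg['GroupId']} "
            f"--protocol udp --port {VXLAN_PORT} --source-group {peer_sg}")


if __name__ == "__main__":
    for sg in (DEFAULT_SG, CUSTOM_SG):
        ok = ha_vxlan_permitted(sg, PEER_IP, PEER_SG)
        print(sg["GroupId"], "VXLAN permitted" if ok else "BLOCKED, run: " + vxlan_fix_command(sg, PEER_SG))
```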