Distributed egress: north-south traffic example
Scenario objective
The FortiGate CNF instance inspects all traffic outbound to the internet.
Before deployment of FortiGate CNF
The traffic flow before deployment of FortiGate CNF is as follows:
- Workload resources are situated in Private Subnet (10.1.3.0/24).
- Outbound traffic goes from Private Subnet to the NAT Gateway located in Public Subnet (10.1.2.0/24).
- Traffic then passes out through the Internet Gateway.
Routing tables
The routing tables are defined as follows.
Public Subnet route table
Destination | Target |
---|---|
0.0.0.0/0 | Internet Gateway |
Private Subnet route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
After deployment of FortiGate CNF
The traffic flow after deployment of FortiGate CNF is as follows:
- Workload resources are situated in Private Subnet (10.1.3.0/24).
- Outbound traffic goes from Private Subnet to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).
- Traffic is sent to the FortiGate CNF instance for inspection.
- FortiGate CNF sends traffic back to the GWLBe.
- The GWLBe forwards the traffic to the NAT Gateway located in Public Subnet (10.1.2.0/24).
- Traffic then passes out through the Internet Gateway.
To deploy the FortiGate CNF instance in this scenario:
- In AWS, add a subnet CNF Endpoint Subnet (10.1.1.0/24) and the associated route table:

  Destination | Target |
  ---|---|
  10.1.0.0/16 | Local |
  0.0.0.0/0 | NAT Gateway |

- In FortiGate CNF, deploy a GWLBe to this subnet.
- In AWS, add a route to the Public Subnet route table to route all traffic to the GWLBe.

  Destination | Target |
  ---|---|
  10.1.0.0/16 | GWLBe |
  0.0.0.0/0 | Internet Gateway |

- In AWS, add a route to the Private Subnet route table to route all traffic to the GWLBe.

  Destination | Target |
  ---|---|
  10.1.0.0/16 | Local |
  0.0.0.0/0 | GWLBe |
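As an added example (not Fortinet's code), the following Python simulation resolves next hops over the three post-deployment route tables above by longest-prefix match and checks that both the outbound flow and the NAT Gateway's return flow cross the GWLBe, so nothing reaches the workload or the internet uninspected. The workload and internet addresses are constructed samples.

```python
import ipaddress

# Route tables after FortiGate CNF deployment, as listed on this page
# (destination prefix -> target).
AFTER = {
    "Private Subnet": {"10.1.0.0/16": "Local", "0.0.0.0/0": "GWLBe"},
    "CNF Endpoint Subnet": {"10.1.0.0/16": "Local", "0.0.0.0/0": "NAT Gateway"},
    "Public Subnet": {"10.1.0.0/16": "GWLBe", "0.0.0.0/0": "Internet Gateway"},
}

# After a packet leaves each target it is evaluated against this subnet's table:
# the GWLBe hands inspected traffic back into CNF Endpoint Subnet, and the
# NAT Gateway sits in Public Subnet.
NEXT_TABLE = {"GWLBe": "CNF Endpoint Subnet", "NAT Gateway": "Public Subnet"}


def lookup(table, dst):
    """Longest-prefix match, as the VPC router does."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(c) for c in table if ip in ipaddress.ip_network(c)]
    if not matches:
        raise LookupError(f"no route for {dst}")
    best = max(matches, key=lambda n: n.prefixlen)
    return table[str(best)]


def trace(tables, src_subnet, dst, max_hops=8):
    """Return the ordered list of targets a packet traverses from src_subnet to dst."""
    path, subnet = [], src_subnet
    for _ in range(max_hops):
        target = lookup(tables[subnet], dst)
        path.append(target)
        if target in ("Local", "Internet Gateway"):
            return path  # delivered inside the VPC, or left for the internet
        subnet = NEXT_TABLE[target]
    raise RuntimeError("routing loop")


def inspected_both_ways(tables, workload_ip="10.1.3.10", internet_ip="203.0.113.5"):
    """True when outbound and return traffic each pass the GWLBe exactly once."""
    outbound = trace(tables, "Private Subnet", internet_ip)
    # The NAT Gateway in Public Subnet forwards the reply back to the workload.
    reply = trace(tables, "Public Subnet", workload_ip)
    return outbound.count("GWLBe") == 1 and reply.count("GWLBe") == 1


if __name__ == "__main__":
    print(trace(AFTER, "Private Subnet", "203.0.113.5"))  # → ['GWLBe', 'NAT Gateway', 'Internet Gateway']
    print(trace(AFTER, "Public Subnet", "10.1.3.10"))     # → ['GWLBe', 'Local']
    print(inspected_both_ways(AFTER))                     # → True
```

Dropping the 10.1.0.0/16 → GWLBe route from the Public Subnet table makes the check fail, because the NAT Gateway's return traffic would then be delivered locally without inspection.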