AWS Administration Guide

East-west security inspection between two customer VPCs

The following shows the topology for this deployment, which uses GWLB for east-west security inspection between two customer VPCs:

This guide assumes that the following are already created and in place as the diagram shows:

  • Customer A and B VPCs
  • Security VPC
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces to handle data traffic. The two VPC types in this deployment are as follows:

Customer VPC
  Where customer workloads are deployed. Each customer VPC has one AZ with an application subnet, where you deploy the application workloads whose traffic the FortiGate must inspect.

Security VPC
  Where the FortiGate is deployed. You create the GWLB in this VPC. The security VPC AZ also includes the following subnets:
  • GWLB endpoint subnet: deploy the GWLB endpoint here so that traffic is redirected to the GWLB, which then forwards the traffic to the FortiGate for inspection.
  • TGW subnet: deploy the transit gateway (TGW) attachment and associated resources here; the TGW connects the customer VPCs to the security VPC.
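In this topology every east-west packet must leave a customer VPC via the TGW, enter the security VPC's TGW subnet, hairpin through the GWLB endpoint to the FortiGate, and return through the TGW to the other customer VPC. The following added example (not part of this guide or of Fortinet's tooling) models that route-table chain with constructed placeholder IDs and CIDRs and traces a packet hop by hop, so you can confirm that no route table offers a path between customer VPCs that bypasses the GWLB endpoint.

```python
import ipaddress
# Constructed model of this topology's route tables; every ID and CIDR is a placeholder.
ROUTE_TABLES = {
    # Customer application subnets: all non-local traffic goes to that VPC's TGW attachment.
    "rtb-customer-a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw-attach-customer-a")],
    "rtb-customer-b": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw-attach-customer-b")],
    # TGW route table associated with the customer attachments: everything to the security VPC.
    "tgw-rtb-customer": [("0.0.0.0/0", "tgw-attach-security")],
    # TGW route table associated with the security attachment: inspected traffic back to customers.
    "tgw-rtb-security": [("10.1.0.0/16", "tgw-attach-customer-a"), ("10.2.0.0/16", "tgw-attach-customer-b")],
    # Security VPC TGW subnet: traffic arriving from the TGW is sent to the GWLB endpoint.
    "rtb-sec-tgw-subnet": [("10.0.0.0/16", "local"), ("10.0.0.0/8", "vpce-gwlb")],
    # Security VPC GWLB endpoint subnet: traffic returning from the FortiGate goes back to the TGW.
    "rtb-sec-gwlbe-subnet": [("10.0.0.0/16", "local"), ("10.0.0.0/8", "tgw-attach-security")],
}
# TGW route table each attachment is associated with (a packet entering the TGW) ...
ATTACHMENT_ASSOC = {"tgw-attach-customer-a": "tgw-rtb-customer", "tgw-attach-customer-b": "tgw-rtb-customer",
                    "tgw-attach-security": "tgw-rtb-security"}
# ... and the VPC route table a packet lands in when it leaves the TGW through an attachment.
INTO_VPC = {"tgw-attach-customer-a": "rtb-customer-a", "tgw-attach-customer-b": "rtb-customer-b",
            "tgw-attach-security": "rtb-sec-tgw-subnet"}

def lookup(tables, table, dst):  # longest-prefix match in one route table; None means blackhole
    best = None
    for cidr, target in tables[table]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(tables, start_table, dst_ip, max_hops=10):
    """Follow a packet hop by hop from a subnet route table until a local route delivers it."""
    dst, table, path = ipaddress.ip_address(dst_ip), start_table, []
    for _ in range(max_hops):
        target = lookup(tables, table, dst)
        path.append(target)
        if target in ("local", None):
            return path
        if table.startswith("tgw-rtb-"):       # leaving the TGW into a VPC
            table = INTO_VPC[target]
        elif target == "vpce-gwlb":            # hairpin through the GWLB endpoint (FortiGate)
            table = "rtb-sec-gwlbe-subnet"
        else:                                  # entering the TGW via an attachment
            table = ATTACHMENT_ASSOC[target]
    raise RuntimeError("routing loop")

def is_inspected(tables, start_table, dst_ip):
    """True only if the packet is delivered and its path passed through the GWLB endpoint."""
    path = trace(tables, start_table, dst_ip)
    return path[-1] == "local" and "vpce-gwlb" in path
```

To check a real deployment, replace the constructed dictionaries with the route tables exported from the account and trace one address in each customer subnet toward every other customer subnet.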
