AWS Administration Guide

North-south security inspection to customer VPC

This guide assumes that the following are already created and in place as the diagram shows:

  • Customer VPC
  • Security VPC
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces to handle data traffic. The following describes the two VPCs in this deployment:

Customer VPC: Where customer workloads are deployed. The customer VPC has four subnets (two in each availability zone (AZ)). Each AZ has an application-purposed subnet and a Gateway Load Balancer (GWLB) endpoint subnet:

  • Application-purposed subnet: deploy the application workloads whose traffic the FortiGate must inspect.
  • GWLB endpoint subnet: deploy the GWLB endpoint so that traffic is redirected to the GWLB, which then redirects the traffic to the FortiGate for inspection.

Security VPC: Where the FortiGate is deployed. You create the GWLB in this VPC.

The following describes the traffic flow in this deployment:

Inbound traffic: With this configuration, the FortiGate inspects traffic that is destined for the application instances. The Internet gateway in the customer VPC is associated with an ingress route table. That route table directs traffic for the application subnets through the GWLB endpoints (GWLBe) in their dedicated subnets. The traffic then goes through the GWLB in the security VPC, where it is encapsulated with the Geneve protocol and sent to the FortiGate. The FortiGate inspects the traffic and redirects it to the application instances.

Outbound traffic: The route tables that the application subnets are associated with have a default route through the GWLB endpoint in their AZ. Traffic originating from the application instances is forwarded to the FortiGate through the GWLB. After inspection, the FortiGate sends the traffic to the Internet. You set the static routes for all of these traffic redirects after deployment. See Post-deployment configuration.
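The inbound and outbound flows above depend entirely on two routing facts: the ingress route table on the Internet gateway must send each application subnet's CIDR to the GWLB endpoint in the same AZ, and each application subnet's default route must point at the GWLB endpoint in its own AZ. If either route is missing or points at the wrong AZ, traffic reaches the application instances or the Internet without passing through the FortiGate. The following is an added example, not code from this guide, Fortinet, or AWS: it models route tables as plain Python data (all subnet, endpoint, and gateway IDs and CIDRs are constructed) and audits that design offline, reporting every application subnet whose traffic would bypass inspection. In a real account you would populate the same structures from the VPC's route-table descriptions.

```python
"""Offline audit of the customer-VPC routing that steers traffic through the GWLB.

Added example (not Fortinet's or AWS's code). All IDs and CIDRs below are
constructed. It checks the two route requirements from the traffic-flow
description: the IGW ingress route table sends each application subnet's
CIDR to the GWLB endpoint (GWLBe) in that subnet's AZ, and each application
subnet's default route targets the GWLBe in its own AZ.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Subnet:
    id: str
    cidr: str
    az: str
    role: str          # "app" (application-purposed) or "gwlbe" (GWLB endpoint subnet)


@dataclass
class RouteTable:
    id: str
    routes: dict        # destination CIDR -> target (vpce-..., igw-..., or "local")
    associations: list  # subnet IDs, or an igw-... ID for an edge (ingress) association


def gwlbe_by_az(subnets, endpoints):
    """Map each AZ to the GWLB endpoint deployed in that AZ's endpoint subnet."""
    subnet_az = {s.id: s.az for s in subnets}
    return {subnet_az[sub]: vpce for vpce, sub in endpoints.items()}


def table_for(route_tables, assoc):
    """Return the route table associated with a subnet ID or Internet gateway ID."""
    for rt in route_tables:
        if assoc in rt.associations:
            return rt
    return None


def longest_match(rt, cidr):
    """Target a route table selects for `cidr`, by longest-prefix match."""
    net = ipaddress.ip_network(cidr)
    best = None
    for dest, target in rt.routes.items():
        dnet = ipaddress.ip_network(dest)
        if net.subnet_of(dnet) and (best is None or dnet.prefixlen > best[0].prefixlen):
            best = (dnet, target)
    return best[1] if best else None


def check_inbound(igw_id, subnets, route_tables, endpoints):
    """Ingress route table on the IGW must steer each app subnet to its AZ's GWLBe."""
    expected = gwlbe_by_az(subnets, endpoints)
    rt = table_for(route_tables, igw_id)
    if rt is None:
        return [f"{igw_id}: no ingress route table (inbound traffic bypasses inspection)"]
    findings = []
    for s in (s for s in subnets if s.role == "app"):
        target = longest_match(rt, s.cidr)   # "local" means direct delivery, no inspection
        want = expected.get(s.az)
        if target != want:
            findings.append(f"{rt.id}: inbound to {s.id} ({s.cidr}) -> {target}, expected {want}")
    return findings


def check_outbound(subnets, route_tables, endpoints):
    """Each app subnet's default route must target the GWLBe in the same AZ."""
    expected = gwlbe_by_az(subnets, endpoints)
    findings = []
    for s in (s for s in subnets if s.role == "app"):
        rt = table_for(route_tables, s.id)
        target = rt.routes.get("0.0.0.0/0") if rt else None
        want = expected.get(s.az)
        if target != want:
            findings.append(f"{s.id}: default route -> {target}, expected {want}")
    return findings


def audit(igw_id, subnets, route_tables, endpoints):
    """All inspection-bypass findings for the routing design; empty list means clean."""
    return (check_inbound(igw_id, subnets, route_tables, endpoints)
            + check_outbound(subnets, route_tables, endpoints))


# Constructed sample layout: two AZs, each with an app subnet and a GWLBe subnet.
VPC_CIDR = "10.0.0.0/16"
IGW = "igw-customer"
SUBNETS = [
    Subnet("subnet-app-a", "10.0.1.0/24", "us-east-1a", "app"),
    Subnet("subnet-gwlbe-a", "10.0.2.0/28", "us-east-1a", "gwlbe"),
    Subnet("subnet-app-b", "10.0.3.0/24", "us-east-1b", "app"),
    Subnet("subnet-gwlbe-b", "10.0.4.0/28", "us-east-1b", "gwlbe"),
]
ENDPOINTS = {"vpce-gwlbe-a": "subnet-gwlbe-a", "vpce-gwlbe-b": "subnet-gwlbe-b"}  # vpce -> subnet

# Correct design, matching the inbound/outbound description.
GOOD_TABLES = [
    RouteTable("rtb-ingress", {VPC_CIDR: "local", "10.0.1.0/24": "vpce-gwlbe-a",
                               "10.0.3.0/24": "vpce-gwlbe-b"}, [IGW]),
    RouteTable("rtb-app-a", {VPC_CIDR: "local", "0.0.0.0/0": "vpce-gwlbe-a"}, ["subnet-app-a"]),
    RouteTable("rtb-app-b", {VPC_CIDR: "local", "0.0.0.0/0": "vpce-gwlbe-b"}, ["subnet-app-b"]),
    RouteTable("rtb-gwlbe", {VPC_CIDR: "local", "0.0.0.0/0": IGW}, ["subnet-gwlbe-a", "subnet-gwlbe-b"]),
]

# Misconfigured design: AZ b has no ingress route and its default route crosses to AZ a.
BAD_TABLES = [
    RouteTable("rtb-ingress", {VPC_CIDR: "local", "10.0.1.0/24": "vpce-gwlbe-a"}, [IGW]),
    RouteTable("rtb-app-a", {VPC_CIDR: "local", "0.0.0.0/0": "vpce-gwlbe-a"}, ["subnet-app-a"]),
    RouteTable("rtb-app-b", {VPC_CIDR: "local", "0.0.0.0/0": "vpce-gwlbe-a"}, ["subnet-app-b"]),
    RouteTable("rtb-gwlbe", {VPC_CIDR: "local", "0.0.0.0/0": IGW}, ["subnet-gwlbe-a", "subnet-gwlbe-b"]),
]

if __name__ == "__main__":
    for name, tables in (("good", GOOD_TABLES), ("bad", BAD_TABLES)):
        print(name, audit(IGW, SUBNETS, tables, ENDPOINTS) or ["no findings"])
```

The longest-prefix match matters for the inbound check: an ingress route table always carries the VPC's local route, so a missing per-subnet route does not produce "no route" but silently resolves to `local`, which delivers the packet straight to the application instance. The audit therefore compares the selected target against the expected endpoint rather than merely testing that some route exists.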
