North-south security inspection to customer VPC
This guide assumes that the following are already created and in place, as the diagram shows:
- Customer VPC
- Security VPC
- FortiGate with at least one management network interface and elastic IP address assigned
- Application instances
The guide describes configuring additional network interfaces to handle data traffic. The following describes the two VPCs in this deployment:
| VPC | Description |
|---|---|
| Customer | Where customer workloads are deployed. The customer VPC has four subnets (two in each availability zone (AZ)). Each AZ has an application-purposed subnet and a GWLB endpoint subnet. |
| Security | Where the FortiGate is deployed. You create the GWLB in this VPC. |
The following describes the traffic flow in this deployment:
| Traffic flow | Description |
|---|---|
| Inbound traffic | With this configuration, the FortiGate inspects traffic that is destined for the application instances. The Internet gateway in the customer VPC is associated with an ingress route table. The route table directs the traffic for the application subnets through the GWLB endpoints (GWLBe) in their dedicated subnets. The traffic then goes through the GWLB in the security VPC, where it is encapsulated with the Geneve protocol and sent to the FortiGate. The FortiGate inspects the traffic and redirects it to the application instances. |
| Outbound traffic | The route tables that the application subnets are associated with have a default route through the GWLB endpoints in their AZ. The traffic originating from the application instances is forwarded to the FortiGate through the GWLB. After inspection, the FortiGate sends the traffic to the Internet. You set static routes for all of these traffic redirects after deployment. See Post-deployment configuration. |
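The inbound and outbound rows above describe two kinds of route table in the customer VPC: the ingress route table on the Internet gateway, which sends traffic for each application subnet to the GWLB endpoint in that subnet's AZ, and the application subnets' own route tables, whose default route points at the same-AZ GWLB endpoint. The following is an added example, not code from this guide or from Fortinet or AWS: it models that route-table plan and validates that every redirect stays within its AZ, so inbound and outbound paths for a given application subnet traverse the same endpoint. The VPC CIDR, subnet CIDRs, AZ names and `vpce-` endpoint IDs are constructed placeholders to be replaced with the values of a real deployment.

```python
"""Model and validate the route-table plan for north-south inspection through GWLB endpoints.

Added example for this guide, not FortiGate or AWS code. All CIDRs, AZ names and
endpoint IDs below are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

VPC_CIDR = "10.0.0.0/16"  # constructed customer VPC CIDR


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    az: str


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target id


# Constructed topology: two AZs, each with an application subnet and a GWLB endpoint
# deployed in that AZ's dedicated endpoint subnet.
APP_SUBNETS = [
    Subnet("app-a", "10.0.1.0/24", "az-a"),
    Subnet("app-b", "10.0.2.0/24", "az-b"),
]
GWLBE_BY_AZ = {
    "az-a": "vpce-PLACEHOLDER-A",
    "az-b": "vpce-PLACEHOLDER-B",
}


def build_ingress_route_table(app_subnets, gwlbe_by_az):
    """Ingress route table associated with the Internet gateway.

    Inbound traffic for each application subnet is steered to the GWLBe of that AZ.
    """
    rt = RouteTable("ingress-igw")
    for s in app_subnets:
        rt.routes[s.cidr] = gwlbe_by_az[s.az]
    return rt


def build_app_route_tables(app_subnets, gwlbe_by_az, vpc_cidr=VPC_CIDR):
    """One route table per application subnet: VPC-local route plus a default route
    through the GWLBe in the same AZ, so outbound traffic is inspected before the Internet."""
    tables = {}
    for s in app_subnets:
        rt = RouteTable(f"rt-{s.name}")
        rt.routes[vpc_cidr] = "local"
        rt.routes["0.0.0.0/0"] = gwlbe_by_az[s.az]
        tables[s.name] = rt
    return tables


def validate_plan(ingress_rt, app_tables, app_subnets, gwlbe_by_az, vpc_cidr=VPC_CIDR):
    """Return a list of findings; an empty list means every redirect is AZ-consistent."""
    findings = []
    az_of_gwlbe = {vpce: az for az, vpce in gwlbe_by_az.items()}
    for s in app_subnets:
        if not ip_network(s.cidr).subnet_of(ip_network(vpc_cidr)):
            findings.append(f"{s.name}: {s.cidr} is outside the VPC CIDR {vpc_cidr}")
        inbound = ingress_rt.routes.get(s.cidr)
        if inbound is None:
            findings.append(f"{s.name}: ingress table has no route for {s.cidr}")
        elif az_of_gwlbe.get(inbound) != s.az:
            findings.append(f"{s.name}: inbound route uses GWLBe in {az_of_gwlbe.get(inbound)}, subnet is in {s.az}")
        rt = app_tables.get(s.name)
        if rt is None:
            findings.append(f"{s.name}: no route table associated")
            continue
        outbound = rt.routes.get("0.0.0.0/0")
        if outbound is None:
            findings.append(f"{s.name}: no default route, outbound traffic would bypass inspection")
        elif az_of_gwlbe.get(outbound) != s.az:
            findings.append(f"{s.name}: default route uses GWLBe in {az_of_gwlbe.get(outbound)}, subnet is in {s.az}")
    return findings


def planned_findings():
    """Validate the plan exactly as the guide describes it."""
    ingress = build_ingress_route_table(APP_SUBNETS, GWLBE_BY_AZ)
    tables = build_app_route_tables(APP_SUBNETS, GWLBE_BY_AZ)
    return validate_plan(ingress, tables, APP_SUBNETS, GWLBE_BY_AZ)


def cross_az_findings():
    """Deliberate misconfiguration: app-b's default route points at the az-a endpoint."""
    ingress = build_ingress_route_table(APP_SUBNETS, GWLBE_BY_AZ)
    tables = build_app_route_tables(APP_SUBNETS, GWLBE_BY_AZ)
    tables["app-b"].routes["0.0.0.0/0"] = GWLBE_BY_AZ["az-a"]
    return validate_plan(ingress, tables, APP_SUBNETS, GWLBE_BY_AZ)


if __name__ == "__main__":
    for line in planned_findings() or ["plan OK: each AZ's redirects use its own GWLB endpoint"]:
        print(line)
    for line in cross_az_findings():
        print("misconfigured:", line)
```

Running the module prints a clean result for the planned layout and one finding for the cross-AZ variant. The validator's checks are the ones worth repeating against a live deployment before traffic is cut over: a missing default route on an application subnet means outbound traffic reaches the Internet without passing the FortiGate, and an inbound and outbound pair that use endpoints in different AZs splits the flow across two inspection paths.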