
AWS Administration Guide

East-west security inspection between two customer VPCs


This document illustrates east-west security inspection for traffic flowing between two customer virtual private clouds (VPCs). Although you can configure AWS resources and FortiGates to route and inspect all traffic (not only east-west traffic), this document focuses specifically on configuring security inspection for east-west traffic between two customer VPCs using a transit gateway (TGW) and a gateway load balancer (GWLB).

Note

The Route tables section illustrates the AWS VPC, TGW, and GWLB route table configuration required so that traffic flowing between the Application subnets is inspected by the FortiGate in the security VPC.

This guide assumes that you have already created the following and they are in place as the diagram shows:

  • Customer A and B VPCs
  • Security VPC
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces on the FortiGate to handle data traffic. The following describes the two VPC types in this deployment:

Customer VPC: Where customer workloads are deployed. Each customer VPC has one availability zone (AZ) with an application subnet where you deploy the workloads whose traffic the FortiGate must inspect.

Security VPC: Where the FortiGate is deployed. You create the GWLB in this VPC. The security VPC AZ also includes the following subnets:

  • GWLB endpoint subnet: deploy the GWLB endpoint here so that traffic routed to the endpoint is redirected to the GWLB, which forwards it to the FortiGate for inspection and returns it to the endpoint afterwards.
  • TGW subnet: deploy the TGW VPC attachment and associated resources here; the TGW connects the customer VPCs to the security VPC.
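The security property this topology must deliver is that a packet from Customer A to Customer B, and its reply, both pass through the FortiGate, and that no route offers a shorter path that bypasses it. The following Python script is an added example, not code from the Fortinet guide: it models the route tables the topology needs as longest-prefix-match tables (customer VPC subnets, security VPC TGW and GWLB endpoint subnets, and the two TGW route tables), walks a packet from Customer A to Customer B and back, and reports whether the FortiGate is on both paths. It also goes beyond the page by demonstrating two misconfigurations a practitioner should test for: a TGW route table that sends the customer VPCs directly to each other (inspection bypass), and a missing return route in the GWLB endpoint subnet (blackhole). All CIDRs, route table names and node names are constructed assumptions; the actual entries are described in the Route tables section.

```python
import ipaddress

# Constructed example CIDRs; the guide does not specify addresses.
CIDR = {"customer-a": "10.1.0.0/16", "customer-b": "10.2.0.0/16", "security": "10.0.0.0/16"}

# Route tables as (prefix, target) lists. Targets are symbolic names, resolved per node
# below. Lookups are longest-prefix-match, as in AWS VPC and TGW route tables.
ROUTE_TABLES = {
    # Customer VPC application subnets: everything non-local goes to the TGW.
    "rt-customer-a-app": [(CIDR["customer-a"], "local"), ("0.0.0.0/0", "tgw")],
    "rt-customer-b-app": [(CIDR["customer-b"], "local"), ("0.0.0.0/0", "tgw")],
    # TGW route table associated with the customer VPC attachments: all traffic to security VPC.
    "tgw-rt-spoke": [("0.0.0.0/0", "tgw-attach-security")],
    # TGW route table associated with the security VPC attachment: back to the customer VPCs.
    "tgw-rt-security": [(CIDR["customer-a"], "tgw-attach-customer-a"),
                        (CIDR["customer-b"], "tgw-attach-customer-b")],
    # Security VPC TGW subnet: traffic arriving from the TGW is sent to the GWLB endpoint.
    "rt-security-tgw-subnet": [(CIDR["security"], "local"), ("0.0.0.0/0", "gwlbe")],
    # Security VPC GWLB endpoint subnet: inspected traffic is sent back to the TGW.
    "rt-security-gwlbe-subnet": [(CIDR["security"], "local"),
                                 (CIDR["customer-a"], "tgw"), (CIDR["customer-b"], "tgw")],
}

# Topology: at each node, the route table consulted and the map from route target to next
# node. The GWLB endpoint, GWLB and FortiGate are bump-in-the-wire hops with no lookup: the
# endpoint hands the packet to the GWLB, which forwards it to the FortiGate and returns it
# to the endpoint; only then is the endpoint subnet's route table consulted.
TOPOLOGY = {
    "app-a": ("rt-customer-a-app", {"tgw": "tgw-spoke"}),
    "app-b": ("rt-customer-b-app", {"tgw": "tgw-spoke"}),
    "tgw-spoke": ("tgw-rt-spoke", {"tgw-attach-security": "security-tgw-subnet",
                                   "tgw-attach-customer-a": "app-a",
                                   "tgw-attach-customer-b": "app-b"}),
    "security-tgw-subnet": ("rt-security-tgw-subnet", {"gwlbe": "gwlbe"}),
    "gwlbe": (None, {None: "gwlb"}),
    "gwlb": (None, {None: "fortigate"}),
    "fortigate": (None, {None: "gwlbe-return"}),
    "gwlbe-return": ("rt-security-gwlbe-subnet", {"tgw": "tgw-security"}),
    "tgw-security": ("tgw-rt-security", {"tgw-attach-customer-a": "app-a",
                                         "tgw-attach-customer-b": "app-b"}),
}


class RouteError(Exception):
    """Raised when a packet cannot be delivered (blackhole, loop, or unusable target)."""


def lookup(routes, dst_ip):
    """Longest-prefix-match: return the target of the most specific route covering dst_ip."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def vpc_node(ip):
    """Map an address to the application node of the customer VPC that owns it."""
    for name in ("customer-a", "customer-b"):
        if ipaddress.ip_address(ip) in ipaddress.ip_network(CIDR[name]):
            return "app-" + name[-1]
    raise RouteError(f"{ip} is not in a customer VPC")


def trace(src_ip, dst_ip, tables=ROUTE_TABLES, max_hops=16):
    """Walk the packet hop by hop and return the list of nodes it traverses."""
    node, dest = vpc_node(src_ip), vpc_node(dst_ip)
    path = [node]
    while node != dest:  # intra-VPC traffic stays on the local route and is never inspected
        if len(path) > max_hops:
            raise RouteError(f"routing loop: {path}")
        table_name, next_map = TOPOLOGY[node]
        if table_name is None:
            nxt = next_map[None]
        else:
            target = lookup(tables[table_name], dst_ip)
            if target is None:
                raise RouteError(f"{table_name}: no route for {dst_ip} (blackhole)")
            nxt = next_map.get(target)
            if nxt is None:
                raise RouteError(f"{table_name}: target {target!r} is not reachable from {node}")
        path.append(nxt)
        node = nxt
    return path


def inspected_both_ways(a_ip, b_ip, tables=ROUTE_TABLES):
    """True only if the FortiGate is on the forward path and on the return path."""
    return all("fortigate" in trace(s, d, tables) for s, d in ((a_ip, b_ip), (b_ip, a_ip)))


def with_spoke_bypass(tables=ROUTE_TABLES):
    """Misconfiguration 1: the spoke TGW route table routes customer VPCs directly to each other."""
    bad = dict(tables)
    bad["tgw-rt-spoke"] = [(CIDR["customer-a"], "tgw-attach-customer-a"),
                           (CIDR["customer-b"], "tgw-attach-customer-b"),
                           ("0.0.0.0/0", "tgw-attach-security")]
    return bad


def without_return_route(tables=ROUTE_TABLES):
    """Misconfiguration 2: the GWLB endpoint subnet has no route back to Customer B."""
    bad = dict(tables)
    bad["rt-security-gwlbe-subnet"] = [r for r in tables["rt-security-gwlbe-subnet"]
                                       if r[0] != CIDR["customer-b"]]
    return bad


if __name__ == "__main__":
    print(" -> ".join(trace("10.1.0.10", "10.2.0.10")))
    print("inspected both ways:", inspected_both_ways("10.1.0.10", "10.2.0.10"))
    print("bypass path:", " -> ".join(trace("10.1.0.10", "10.2.0.10", with_spoke_bypass())))
```

The bypass case is the one that matters most in review: a more specific route for the customer CIDRs in the spoke TGW route table silently wins over the 0.0.0.0/0 route to the security VPC, and traffic never reaches the FortiGate while still being delivered. The blackhole case fails loudly, so it is usually found in testing; the bypass is not.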
