East-west security inspection between two customer VPCs
This document illustrates east-west security inspection for traffic flowing between two customer virtual private clouds (VPCs). Although you can configure AWS resources and FortiGates to route and inspect all traffic (not only east-west traffic), this document focuses on configuring security inspection specifically for east-west traffic between two customer VPCs, leveraging a transit gateway (TGW) and a gateway load balancer (GWLB).
Route tables illustrates the AWS VPC, TGW, and GWLB route table configuration required to inspect traffic flowing between the Application subnets via the FortiGate in the security VPC.
This guide assumes that you have already created the following and they are in place as the diagram shows:
- Customer A and B VPCs
- Security VPC
- FortiGate with at least one management network interface and elastic IP address assigned
- Application instances
The guide describes configuring additional network interfaces to handle data traffic. The two VPC types in this deployment are described below:
| VPC | Description |
|---|---|
| Customer | Where customer workloads are deployed. Each customer VPC has one availability zone (AZ) with an application subnet where you deploy the workloads whose traffic the FortiGate must inspect. |
| Security | Where the FortiGate is deployed. You create the GWLB in this VPC. The security VPC AZ also includes the following subnets: |