Fortinet Document Library

Version:


Table of Contents

AWS Administration Guide

7.0.0
Download PDF
Copy Link

East-west security inspection between two customer VPCs

The following shows the topology for this deployment, which uses GWLB for east-west security inspection between two customer VPCs:

This guide assumes that the following are already created and in place as the diagram shows:

  • Customer A and B VPCs
  • Security VPC
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces to handle data traffic. The following describes the two VPC types in this deployment:

VPC

Description

Customer

Where customer workloads are deployed. The customer VPCs each have one AZ with an application-purposed subnet where you deploy application workloads where the FortiGate must inspect the traffic.

Security

Where the FortiGate is deployed. You create the GWLB in this VPC. The security VPC AZ also includes the following subnets:

  • GWLB endpoint subnet: deploy the GWLB endpoint so that traffic is redirected to the GWLB, which then redirects the traffic to the FortiGate for inspection.
  • TGW subnet: deploy the transit gateway (TGW) and associated resources, which allows connection of the customer VPCs to the security VPC.

East-west security inspection between two customer VPCs

The following shows the topology for this deployment, which uses GWLB for east-west security inspection between two customer VPCs:

This guide assumes that the following are already created and in place as the diagram shows:

  • Customer A and B VPCs
  • Security VPC
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces to handle data traffic. The following describes the two VPC types in this deployment:

VPC

Description

Customer

Where customer workloads are deployed. The customer VPCs each have one AZ with an application-purposed subnet where you deploy application workloads where the FortiGate must inspect the traffic.

Security

Where the FortiGate is deployed. You create the GWLB in this VPC. The security VPC AZ also includes the following subnets:

  • GWLB endpoint subnet: deploy the GWLB endpoint so that traffic is redirected to the GWLB, which then redirects the traffic to the FortiGate for inspection.
  • TGW subnet: deploy the transit gateway (TGW) and associated resources, which allows connection of the customer VPCs to the security VPC.