
AWS Administration Guide


East-west egress route table

Ensure that the east-west egress route table is configured as follows:

  • Link the customer application subnets on virtual private cloud (VPC) A and B to the security VPC via the transit gateway (TGW).
  • Route traffic from the customer A VPC to the customer B VPC (and the reverse) so that it must pass through the security VPC.

The following shows the customer A VPC route table. You must configure the customer B VPC route table similarly:

Ensure that the TGW is attached to the dedicated TGW subnet in each availability zone (AZ) of the security VPC. Keeping the TGW attachment and the GWLB endpoint in separate subnets, each with its own route table, lets you configure the forward route (TGW subnet to GWLB endpoint, and so to the FortiGates) and the reverse route (GWLB endpoint subnet back to the TGW) without creating a routing loop. The following shows the TGW subnet route table for the forward route:

Note

An ideal configuration has a gateway load balancer (GWLB) endpoint in each AZ, with the subnets of each AZ routing to their local endpoint, so that inspection stays within the AZ and survives the loss of one AZ. Because a route entry targets the GWLB endpoint rather than an individual firewall, a single GWLB endpoint can front multiple FortiGates registered in the GWLB target group.

The following shows the GWLB endpoint subnet route table for the reverse route:
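The route tables above only work as a set: the spoke tables must send cross-VPC traffic to the TGW, the TGW subnet table must send it to the GWLB endpoint, and the GWLB endpoint subnet table must send it back to the TGW. The following is an added example (not code from the Fortinet guide) that walks a packet from VPC A to VPC B across route tables in the JSON shape returned by `aws ec2 describe-route-tables` and reports whether it was delivered, whether it passed the GWLB endpoint (that is, the FortiGates), and whether it loops. All IDs, CIDRs and table names are placeholders; the TGW's own forwarding behaviour is assumed as commented, since the TGW route tables are not shown on this page, and a GWLB endpoint route is assumed to appear with `GatewayId` of the form `vpce-...` (`VpcEndpointId` is also accepted).

```python
"""Trace an east-west packet through the TGW + GWLB inspection route tables."""
import ipaddress
import json

# Constructed sample, trimmed to the fields used here: spoke VPC A/B application
# subnet tables plus the security VPC's dedicated TGW subnet and GWLB endpoint
# subnet tables for one AZ.  Placeholder IDs and CIDRs.
GOOD_TABLES = r'''{"RouteTables": [
 {"RouteTableId": "rtb-vpc-a-app", "VpcId": "vpc-a", "Routes": [
   {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": "tgw-hub", "State": "active"}]},
 {"RouteTableId": "rtb-vpc-b-app", "VpcId": "vpc-b", "Routes": [
   {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-hub", "State": "active"}]},
 {"RouteTableId": "rtb-sec-tgw-az1", "VpcId": "vpc-sec", "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-gwlbe-az1", "State": "active"}]},
 {"RouteTableId": "rtb-sec-gwlbe-az1", "VpcId": "vpc-sec", "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-hub", "State": "active"},
   {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": "tgw-hub", "State": "active"}]}]}'''

# Topology that the route tables alone do not carry (assumed for the example).
VPC_CIDRS = {"vpc-a": "10.1.0.0/16", "vpc-b": "10.2.0.0/16", "vpc-sec": "10.0.0.0/16"}
SPOKE_APP_TABLE = {"vpc-a": "rtb-vpc-a-app", "vpc-b": "rtb-vpc-b-app"}


def load_tables(text):
    """Index describe-route-tables output by RouteTableId."""
    return {t["RouteTableId"]: t for t in json.loads(text)["RouteTables"]}


def with_table(tables, table_id, vpc, routes):
    """Copy `tables` with one table replaced; used to build misconfigured variants."""
    out = dict(tables)
    out[table_id] = {"RouteTableId": table_id, "VpcId": vpc, "Routes": routes}
    return out


def lookup(table, dst):
    """Longest-prefix match over active IPv4 routes, as the VPC router does."""
    best = None
    for r in table["Routes"]:
        cidr = r.get("DestinationCidrBlock")
        if not cidr or r.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def target(route):
    """Classify a route target as local, TGW, GWLB endpoint, or other."""
    if "TransitGatewayId" in route:
        return "tgw", route["TransitGatewayId"]
    gw = route.get("GatewayId") or route.get("VpcEndpointId") or ""
    if gw == "local":
        return "local", None
    if gw.startswith("vpce-"):  # assumed form of a GWLB endpoint route target
        return "gwlbe", gw
    return "other", gw


def vpc_for(dst):
    return next((v for v, c in VPC_CIDRS.items() if dst in ipaddress.ip_network(c)), None)


def trace(tables, src_vpc, dst_ip, tgw_subnet_table, gwlbe_subnet_tables, max_hops=8):
    """Walk the packet hop by hop; returns (status, inspected, path).

    Assumed TGW behaviour: traffic from a spoke attachment is sent to the
    security VPC attachment and arrives in the dedicated TGW subnet; traffic
    leaving the security VPC is forwarded to the VPC owning the destination.
    """
    dst = ipaddress.ip_address(dst_ip)
    vpc, table_id = src_vpc, SPOKE_APP_TABLE[src_vpc]
    path, inspected = [], False
    for _ in range(max_hops):
        route = lookup(tables[table_id], dst)
        if route is None:
            path.append((table_id, "blackhole"))
            return "blackhole", inspected, path
        kind, ident = target(route)
        path.append((table_id, f"{kind}:{ident}"))
        if kind == "local":
            return ("delivered" if vpc == vpc_for(dst) else "misdelivered"), inspected, path
        if kind == "gwlbe":
            inspected = True                      # passed through the FortiGates
            table_id = gwlbe_subnet_tables[ident]  # returns via the endpoint's subnet
        elif kind == "tgw":
            if vpc != "vpc-sec":
                vpc, table_id = "vpc-sec", tgw_subnet_table
            else:
                vpc = vpc_for(dst)
                table_id = SPOKE_APP_TABLE[vpc]
        else:
            return "other", inspected, path
    return "loop", inspected, path  # hop budget exhausted: a routing loop


def check_east_west(tables, tgw_subnet_table, gwlbe_subnet_tables):
    """Trace a VPC A -> VPC B packet; 'inspected' False means the FortiGates were bypassed."""
    status, inspected, path = trace(tables, "vpc-a", "10.2.0.10",
                                    tgw_subnet_table, gwlbe_subnet_tables)
    return {"status": status, "inspected": inspected, "path": path}


if __name__ == "__main__":
    good = load_tables(GOOD_TABLES)
    print(check_east_west(good, "rtb-sec-tgw-az1", {"vpce-gwlbe-az1": "rtb-sec-gwlbe-az1"}))
```

To run it against a real account, replace `GOOD_TABLES` with the output of `aws ec2 describe-route-tables --output json` and fill in the VPC CIDRs and the table IDs of the TGW subnet and GWLB endpoint subnet for the AZ under test. The two failure modes worth checking are a TGW subnet table that sends spoke traffic straight back to the TGW (traffic is delivered but `inspected` is False) and a single table shared by the TGW and GWLB endpoint subnets whose default route points at the endpoint (the trace never terminates and is reported as `loop`).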
