Ensure that the east-west egress route table is configured as follows:
- Link the customer application subnets on VPC A and B to the security VPC via the TGW.
- Route traffic from customer A VPC so that it must go through the security VPC to reach the customer B VPC.
The following shows the customer A VPC route table. You must configure the customer B VPC route table similarly:
Ensure that the TGW is attached to the designated TGW subnet in each AZ of the security VPC. Designated TGW subnets allow you to configure the forward route (toward the FortiGate) and the reverse route (back toward the TGW) in separate route tables, so neither direction causes a routing loop. The following shows the TGW subnet route table for the forward route:
An ideal configuration would have multiple GWLB endpoints in each AZ and selectively route traffic between them for high availability. Because of how routes are configured on AWS, a single GWLB endpoint is used per AZ, and that one endpoint can serve multiple FortiGates behind the GWLB.
The following shows the GWLB endpoint subnet route table for the reverse route:
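The route tables above are shown only as images, so the following added example (not part of the original guide or any Fortinet tooling) models the security VPC routing with constructed CIDRs, subnet names and hop labels. It traces an east-west packet entering from the TGW attachment and shows why the designated TGW subnet matters: with separate subnets the forward and reverse routes coexist, while a shared subnet either loops or bypasses inspection.

```python
import ipaddress

# Constructed sample values: the page shows the route tables only as images,
# so the CIDRs, subnet and hop names below are assumptions for illustration.
VPC_A, VPC_B = "10.1.0.0/16", "10.2.0.0/16"

def lookup(route_table, dst):
    """Longest-prefix match, as a VPC route table does."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(dst, subnet_of, route_tables, max_hops=6):
    """Follow a packet that enters the security VPC from the TGW attachment.
    Each hop consults the route table of the subnet it lives in; that is
    what lets the designated-subnet layout hold both directions loop-free."""
    hop, path = "tgw-attachment", ["tgw-attachment"]
    while hop != "tgw" and len(path) <= max_hops:
        hop = lookup(route_tables[subnet_of[hop]], dst)
        if hop is None:
            break
        path.append(hop)
    return path

# Layout from the guide: TGW attachment and GWLB endpoint in separate subnets.
DESIGNATED = {"tgw-attachment": "tgw-subnet", "gwlbe": "gwlbe-subnet"}
DESIGNATED_RT = {
    "tgw-subnet":   {"0.0.0.0/0": "gwlbe"},        # forward route
    "gwlbe-subnet": {VPC_A: "tgw", VPC_B: "tgw"},  # reverse route
}
# Anti-pattern: both in one subnet, so one table must serve both directions.
SHARED = {"tgw-attachment": "shared-subnet", "gwlbe": "shared-subnet"}
SHARED_RT_LOOP = {"shared-subnet": {"0.0.0.0/0": "gwlbe"}}
SHARED_RT_BYPASS = {"shared-subnet": {"0.0.0.0/0": "gwlbe", VPC_B: "tgw"}}

def inspected(path):
    return "gwlbe" in path and path[-1] == "tgw"   # went through the FortiGate

def looped(path):
    return len(path) != len(set(path))             # a hop repeats

if __name__ == "__main__":
    for name, layout, rts in [("designated", DESIGNATED, DESIGNATED_RT),
                              ("shared/loop", SHARED, SHARED_RT_LOOP),
                              ("shared/bypass", SHARED, SHARED_RT_BYPASS)]:
        p = trace("10.2.0.10", layout, rts)
        print(f"{name:14} {' -> '.join(p)}  inspected={inspected(p)} loop={looped(p)}")
```

The shared-subnet cases show the two failure modes the designated subnet avoids: a single default route to the endpoint bounces traffic back into the endpoint, and adding a more specific reverse route lets inbound traffic skip the FortiGate entirely.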