Post-deployment configuration
You must create a Geneve interface on the FortiGate to handle traffic between the FortiGate and GWLB.
To create the Geneve interface:
- Go to EC2 Dashboard > Network & Security > Network Interfaces. Copy the Primary private IPv4 address value for the GWLB interface created in the security VPC. There is one GWLB interface for each availability zone (AZ). Ensure that you use the IPv4 address of the GWLB interface in the same AZ as the FortiGate being configured.
- This example creates separate VDOMs via the split VDOM feature to handle traffic from the application VPC. Enable the multi-VDOM feature:
config system global
set vdom-mode multi-vdom
end
FortiOS prompts you to log in again to enable the multi-VDOM feature.
- Create a new VDOM:
config vdom
edit FG-traffic
end
- Enable probe response on port2 on both FortiGate instances so that the GWLB health check can function:
config vdom
edit FG-traffic
config system interface
edit "port2"
set vdom "FG-traffic"
set alias private
set mode dhcp
set allowaccess ping https ssh fgfm probe-response
set defaultgw disable
next
end
end
- Create Geneve interfaces:
config vdom
edit "FG-traffic"
config system geneve
edit "awsgeneve"
set interface "port2"
set type ppp
set remote-ip <GWLB_interface_ip (from step 1)>
next
end
next
end
- Setting a higher priority value on the static routes for the Geneve interfaces is recommended to avoid unintended routing behavior:
config router static
edit 2
set priority 100
set device "awsgeneve"
next
end
- Configure IPv6 routing:
config router static6
edit 2
set device "awsgeneve"
next
end
- In a scenario where the load balancer is in a different subnet from the FortiGate interface, configure the following static route to avoid health check failures:
config router static
edit 3
set device port2
set dst <loadbal_subnet>
set gateway <local_gateway>
next
end
To configure egress routes:
If the current VDOM has multiple interfaces, you must add egress routes to ensure that traffic entering through the Geneve interfaces egresses through the same interface.
The following provides commands for configuring egress routes for IPv4:
config router policy
edit 1
set input-device "awsgeneve"
set src "0.0.0.0/0.0.0.0"
set dst "10.10.2.0/255.255.254.0"
set output-device "awsgeneve"
next
end
The following provides commands for configuring egress routes for IPv6:
config router policy6
edit 1
set input-device "awsgeneve"
set src "::0"
set dst <IPv6 Subnet associated to Customer APP Subnet>
set output-device "awsgeneve"
next
end
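A consistency check over the resulting configuration, as an added example (not part of the original page or of FortiOS): it parses a constructed FortiOS CLI excerpt, with 10.0.1.25 assumed as the GWLB interface address, and flags an unreplaced remote-ip placeholder, a port without probe-response, and a policy route that would not egress through the Geneve interface.

```python
import ipaddress
import re

# Constructed FortiOS CLI excerpt mirroring the steps above; 10.0.1.25 stands in for the GWLB IP.
SAMPLE = "\n".join([
    "config vdom", 'edit "FG-traffic"',
    "config system interface", 'edit "port2"',
    "set allowaccess ping https ssh fgfm probe-response", "next", "end",
    "config system geneve", 'edit "awsgeneve"', 'set interface "port2"',
    "set remote-ip 10.0.1.25", "next", "end",
    "config router policy", "edit 1", 'set input-device "awsgeneve"',
    'set output-device "awsgeneve"', "next", "end",
    "next", "end",
])

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts ('set' values are token lists)."""
    stack = []
    cur = root = {}
    for tok in (re.findall(r'"[^"]*"|\S+', l) for l in text.splitlines()):
        tok = [t.strip('"') for t in tok]
        if tok and tok[0] in ("config", "edit"):   # open a block and descend into it
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok), {})
        elif tok and tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):    # close the current block
            cur = stack.pop()
    return root

def check_geneve(text, vdom="FG-traffic", geneve="awsgeneve"):
    """Return findings for the GWLB-related settings; an empty list means they look right."""
    v = parse_fortios(text).get("config vdom", {}).get("edit " + vdom, {})
    gen = v.get("config system geneve", {}).get("edit " + geneve)
    if gen is None:
        return ["geneve interface %s not found in VDOM %s" % (geneve, vdom)]
    findings = []
    try:
        ipaddress.IPv4Address(gen.get("remote-ip", [""])[0])
    except ValueError:  # e.g. the <GWLB_interface_ip> placeholder was never replaced
        findings.append("remote-ip is not a valid IPv4 address")
    port = gen.get("interface", [""])[0]
    access = v.get("config system interface", {}).get("edit " + port, {}).get("allowaccess", [])
    if "probe-response" not in access:
        findings.append("%s lacks probe-response; GWLB health checks will fail" % port)
    for name, pol in v.get("config router policy", {}).items():
        if pol.get("input-device") == [geneve] and pol.get("output-device") != [geneve]:
            findings.append("%s: traffic entering via %s would not egress via it" % (name, geneve))
    return findings
```

Run `check_geneve` against a `show` export of the FG-traffic VDOM; each finding names the setting to revisit.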