AWS Administration Guide

Post-deployment configuration

You must create a Geneve interface on the FortiGate to handle traffic between the FortiGate and GWLB.

To create the Geneve interface:
  1. Go to EC2 Dashboard > Network & Security > Network Interfaces. Copy the Primary private IPv4 address value of the GWLB interface created in the security VPC. There is one GWLB interface per availability zone (AZ), so make sure you use the IPv4 address of the GWLB interface in the same AZ as the FortiGate being configured.
  2. This example creates separate VDOMs via the split VDOM feature to handle traffic from the application VPC. Enable the multi-VDOM feature:

    config system global
    set vdom-mode multi-vdom
    end

    Note: FortiOS prompts you to log in again to enable the multi-VDOM feature.

  3. Create a new VDOM:

    config vdom
    edit FG-traffic
    end

  4. Enable probe response on port 2 on both FortiGate instances. This allows the load balancer health check to function:

    config vdom
    edit FG-traffic
    config system interface
    edit "port2"
    set vdom "FG-traffic"
    set alias private
    set mode dhcp
    set allowaccess ping https ssh fgfm probe-response
    set defaultgw disable
    next
    end
    end

  5. Create Geneve interfaces:

    config vdom
    edit "FG-traffic"
    config system geneve
    edit "awsgeneve"
    set interface "port2"
    set type ppp
    set remote-ip <GWLB_interface_ip (from step 1)>
    next
    end
    next
    end

  6. Setting a higher priority value on the static routes for the Geneve interface is recommended, so that these routes are not selected unintentionally for other traffic:

    config router static
    edit 2
    set priority 100
    set device "awsgeneve"
    next
    end

  7. Configure IPv6 routing:

    config router static6
    edit 2
    set device "awsgeneve"
    next
    end

  8. In a scenario where the load balancer is in a different subnet than the FortiGate interface, configure the following static route to avoid health check failures:

    config router static
    edit 3
    set device port2
    set dst <loadbal_subnet>
    set gateway <local_gateway>
    next
    end

To configure egress routes:

If the current VDOM has multiple interfaces, you must add egress routes to ensure that traffic entering through the Geneve interface egresses through the same interface.

The following provides commands for configuring egress routes for IPv4:

config router policy
edit 1
set input-device "awsgeneve"
set src "0.0.0.0/0.0.0.0"
set dst "10.10.2.0/255.255.254.0"
set output-device "awsgeneve"
next
end

The following provides commands for configuring egress routes for IPv6:

config router policy6
edit 1
set input-device "awsgeneve"
set src "::0"
set dst <IPv6 Subnet associated to Customer APP Subnet>
set output-device "awsgeneve"
next
end
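
The steps above must be repeated once per availability zone with that zone's GWLB interface address, and step 8 applies only when the load balancer subnet differs from the port2 subnet. The following Python script is an added example, not Fortinet's code or tooling: it renders the FG-traffic VDOM configuration from steps 3 to 8 plus the egress policy routes for each AZ, consolidated into a single config vdom session (which FortiOS accepts in multi-VDOM mode), checks that the GWLB address you copied in step 1 actually lies in the subnet you recorded for that AZ, and emits the step 8 static route only when the GWLB interface subnet is not the port2 subnet. The AzConfig class, its field names, and every address and AZ name in SAMPLE_AZS are assumptions constructed for the example.

```python
"""Render the FortiGate post-deployment CLI per AZ (added example, not Fortinet code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VDOM = "FG-traffic"      # VDOM name used in the steps above
GENEVE = "awsgeneve"     # Geneve interface name used in the steps above


@dataclass
class AzConfig:
    """Per-AZ inputs; every value passed in below is a constructed sample."""
    az: str              # availability zone shared by the FortiGate and the GWLB interface
    port2_subnet: str    # CIDR of the subnet holding the FortiGate's port2
    port2_gateway: str   # first-hop router for port2 (in AWS, the subnet's .1 address)
    gwlb_subnet: str     # CIDR of the subnet holding the GWLB interface
    gwlb_ip: str         # primary private IPv4 address of that GWLB interface (step 1)
    app_subnet: str      # application VPC subnet whose traffic returns via Geneve
    app_subnet6: Optional[str] = None  # optional IPv6 application subnet


def dotted(cidr: str) -> str:
    """'10.10.2.0/23' -> '10.10.2.0/255.255.254.0', the form the guide uses in policy routes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}/{net.netmask}"


def validate(cfg: AzConfig) -> None:
    """Catch the step 1 mistake: a GWLB address that is not in the subnet recorded for this AZ."""
    if ipaddress.ip_address(cfg.gwlb_ip) not in ipaddress.ip_network(cfg.gwlb_subnet, strict=False):
        raise ValueError(f"{cfg.az}: GWLB IP {cfg.gwlb_ip} is not inside {cfg.gwlb_subnet}")


def needs_lb_route(cfg: AzConfig) -> bool:
    """Step 8 applies only when the load balancer sits in a different subnet than port2."""
    return (ipaddress.ip_network(cfg.gwlb_subnet, strict=False)
            != ipaddress.ip_network(cfg.port2_subnet, strict=False))


def render_vdom_cli(cfg: AzConfig) -> str:
    """Return the FG-traffic configuration (steps 3 to 8 plus egress policy routes) as CLI text."""
    validate(cfg)
    out = [
        # step 3: create the VDOM (multi-vdom mode from step 2 is assumed to be enabled already)
        "config vdom", f"edit {VDOM}", "end",
        # step 4: probe-response on port2 so the GWLB health check gets an answer
        "config vdom", f"edit {VDOM}",
        "config system interface", 'edit "port2"', f'set vdom "{VDOM}"', "set alias private",
        "set mode dhcp", "set allowaccess ping https ssh fgfm probe-response",
        "set defaultgw disable", "next", "end",
        # step 5: Geneve tunnel towards the GWLB interface of this AZ
        "config system geneve", f'edit "{GENEVE}"', 'set interface "port2"', "set type ppp",
        f"set remote-ip {cfg.gwlb_ip}", "next", "end",
        # steps 6 and 7: IPv4 and IPv6 static routes out of the Geneve interface
        "config router static", "edit 2", "set priority 100", f'set device "{GENEVE}"', "next", "end",
        "config router static6", "edit 2", f'set device "{GENEVE}"', "next", "end",
    ]
    if needs_lb_route(cfg):
        # step 8: reach the load balancer subnet via port2's gateway to avoid health check failures
        out += ["config router static", "edit 3", "set device port2",
                f"set dst {dotted(cfg.gwlb_subnet)}", f"set gateway {cfg.port2_gateway}", "next", "end"]
    # egress policy routes: traffic that entered via Geneve leaves via Geneve
    out += ["config router policy", "edit 1", f'set input-device "{GENEVE}"',
            'set src "0.0.0.0/0.0.0.0"', f'set dst "{dotted(cfg.app_subnet)}"',
            f'set output-device "{GENEVE}"', "next", "end"]
    if cfg.app_subnet6:
        out += ["config router policy6", "edit 1", f'set input-device "{GENEVE}"', 'set src "::0"',
                f'set dst "{cfg.app_subnet6}"', f'set output-device "{GENEVE}"', "next", "end"]
    out += ["next", "end"]  # leave edit FG-traffic / config vdom
    return "\n".join(out)


# Constructed sample inputs: one AZ with the GWLB in the port2 subnet, one with it elsewhere.
SAMPLE_AZS = [
    AzConfig("us-east-1a", "10.0.1.0/24", "10.0.1.1", "10.0.1.0/24", "10.0.1.37", "10.10.2.0/23"),
    AzConfig("us-east-1b", "10.0.2.0/24", "10.0.2.1", "10.0.3.0/24", "10.0.3.91", "10.10.2.0/23",
             "2001:db8:10::/64"),
]

if __name__ == "__main__":
    for cfg in SAMPLE_AZS:
        print(f"# ---- {cfg.az} ----")
        print(render_vdom_cli(cfg))
```

Run the script and paste each AZ's output into the FortiGate deployed in that AZ. The validate() check is the one worth keeping even if you hand-type the rest: pairing a FortiGate with the GWLB address from another zone is the error step 1 warns about, and it fails only at health-check time.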