
AWS Administration Guide

Updating the route table and adding an IAM policy

To update the route table and add an IAM policy:
  1. Update the route table:
    1. After configuring the internal network ports, you must route all internal traffic to the elastic network interface (ENI) of port2 on the primary FortiGate-VM. In the AWS console, open the Elastic Compute Cloud (EC2) service.
    2. Select Instances, then select the primary FortiGate-VM.
    3. On the Description tab, select port2 (eth1) and copy the interface ID.
    4. Save the content into a text editor.
    5. In the AWS console, open the VPC service.
    6. Select Route Tables, then select the Sec_VPC_TGW route table.
    7. On the Routes tab, click the Edit Routes button.
    8. Add the following route:

      Destination   Target
      0.0.0.0/0     ENI ID of port2 of the primary FortiGate (paste the interface ID you copied).

    9. Click Save.
    10. Ensure that the Sec_VPC_TGW route table has the following routes:

      Destination   Target
      10.1.1.0/24   Transit Gateway (TGW)
      10.2.1.0/24   TGW
      0.0.0.0/0     ENI ID of port2 of the primary FortiGate
      10.0.0.0/16   Local (the exact CIDR depends on the security VPC network settings)

      Note: Check that the TGW subnets (security VPC TGW subnets) for both availability zones A and B are associated with this route table.

  2. Both firewalls need an IAM policy attached so that they can make AWS API calls to move the elastic IP address on port1 and the network interface on port2 between the primary and secondary FortiGate-VMs. Go to the IAM service and create a role with the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:Describe*",
            "ec2:AssociateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:ReplaceRoute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  3. Attach the IAM role to both FortiGate-VMs by selecting each FortiGate EC2 instance and selecting Attach/Replace IAM Role in the Actions menu.
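The two things this procedure leaves behind, the Sec_VPC_TGW route table and the HA failover role, are easy to get subtly wrong (a default route pointing at the wrong ENI, one TGW subnet not associated, an action missing from the policy). The following is an added example, not Fortinet's code or part of this guide: it checks a route table entry in the shape returned by `aws ec2 describe-route-tables` and an IAM policy document against what the steps above expect. The ENI, subnet, transit gateway and route table IDs in the sample data are constructed values, not identifiers from the guide; in practice you would feed it the real `describe-route-tables` output and the role's policy.

```python
"""Offline checks for the Sec_VPC_TGW route table and the HA failover IAM policy.

Added example, not Fortinet's code. Inputs use the field names that
`aws ec2 describe-route-tables` and IAM policy documents use. All IDs below
are constructed sample values.
"""
import fnmatch

# Constructed sample identifiers (not from the guide).
PRIMARY_PORT2_ENI = "eni-0a1b2c3d4e5f60001"
TGW_ID = "tgw-0123456789abcdef0"
TGW_SUBNET_IDS = ["subnet-0aaaa00000000001", "subnet-0bbbb00000000002"]  # AZ a, AZ b

# Calls the HA failover needs; ec2:Describe* in the guide's policy covers the first.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:AssociateAddress",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
    "ec2:ReplaceRoute",
]

# The policy exactly as the guide gives it.
HA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "ec2:AssociateAddress",
                   "ec2:AssignPrivateIpAddresses",
                   "ec2:UnassignPrivateIpAddresses", "ec2:ReplaceRoute"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}


def sample_route_table(default_target_eni=PRIMARY_PORT2_ENI, associated=TGW_SUBNET_IDS):
    """Build a describe-route-tables style entry (constructed data for the example)."""
    return {
        "RouteTableId": "rtb-0123456789abcdef0",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.1.1.0/24", "TransitGatewayId": TGW_ID, "State": "active"},
            {"DestinationCidrBlock": "10.2.1.0/24", "TransitGatewayId": TGW_ID, "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": default_target_eni,
             "State": "active"},
        ],
        "Associations": [{"SubnetId": s, "Main": False} for s in associated],
    }


def route_table_findings(route_table, port2_eni, tgw_subnet_ids, vpc_cidr="10.0.0.0/16"):
    """Return a list of deviations from the routes and associations the guide expects."""
    routes = {r.get("DestinationCidrBlock"): r for r in route_table.get("Routes", [])}
    problems = []
    for cidr in ("10.1.1.0/24", "10.2.1.0/24"):  # spoke VPCs reached via the TGW
        if "TransitGatewayId" not in routes.get(cidr, {}):
            problems.append(f"{cidr}: expected a transit gateway target")
    actual = routes.get("0.0.0.0/0", {}).get("NetworkInterfaceId")
    if actual != port2_eni:  # default route must follow the primary's port2 ENI
        problems.append(f"0.0.0.0/0: target is {actual}, expected {port2_eni}")
    if routes.get(vpc_cidr, {}).get("GatewayId") != "local":
        problems.append(f"{vpc_cidr}: expected the local route")
    for cidr, r in routes.items():
        if r.get("State") == "blackhole":  # target deleted or detached
            problems.append(f"{cidr}: route is a blackhole")
    associated = {a.get("SubnetId") for a in route_table.get("Associations", [])}
    for subnet in tgw_subnet_ids:  # both AZs' TGW subnets must use this table
        if subnet not in associated:
            problems.append(f"{subnet}: TGW subnet not associated with this route table")
    return problems


def allowed_action_patterns(policy):
    """Collect the Action patterns from every Allow statement."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def policy_findings(policy):
    """Report required actions the policy does not grant and whether Resource is '*'."""
    patterns = allowed_action_patterns(policy)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    wildcard = any(stmt.get("Effect") == "Allow" and stmt.get("Resource") in ("*", ["*"])
                   for stmt in policy.get("Statement", []))
    return {"missing_actions": missing, "wildcard_resource": wildcard}


if __name__ == "__main__":
    print(route_table_findings(sample_route_table(), PRIMARY_PORT2_ENI, TGW_SUBNET_IDS))
    print(policy_findings(HA_POLICY))
```

Run against the guide's own policy, `policy_findings` reports no missing actions and `wildcard_resource: True`, which is simply what `"Resource": "*"` means: the role may call these EC2 actions on any resource in the account, so the role should be attached only to the two FortiGate-VMs as step 3 describes. After a failover, rerun `route_table_findings` with the new primary's port2 ENI ID; the default route should have moved with it.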
