AWS Administration Guide

Multitenancy support with AWS GWLB

To better support multitenancy with AWS gateway load balancer (GWLB), this enhancement adds support to identify incoming traffic using virtual private cloud (VPC) endpoint IDs in the GENEVE header to forward traffic to the appropriate virtual domain (VDOM) tenant.

The VPC endpoint (VPCE) to VDOM mapping is configured under the following CLI commands:

    config aws vpce
        edit <id>
            set name <VPCE name>
            set endpoint-id <VPCE ID>
            set vdom <VDOM name>
        next
    end

This guide assumes that you have previously configured a GWLB environment. The following shows the topology for this deployment:

This feature is available with FortiOS 7.0.4 and later versions.

To configure multitenancy support with AWS GWLB:
  1. Configure the GENEVE interface in VDOM 1:
    config system geneve
        edit "g1"
            set interface "port2"
            set type ppp
            set remote-ip 10.2.1.199
        next
    end
  2. Configure the GENEVE interface in VDOM 2:
    config system geneve
        edit "g2"
            set interface "port2"
            set type ppp
            set remote-ip 10.2.1.199
        next
    end
  3. Configure a static route and firewall policy in VDOM 1:
    config router static
        edit 1
            set device "g1"
        next
    end
    config firewall policy
        edit 1
            set srcintf "g1"
            set dstintf "g1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end
  4. Configure a static route and firewall policy in VDOM 2:
    config router static
        edit 1
            set device "g2"
        next
    end
    config firewall policy
        edit 1
            set srcintf "g2"
            set dstintf "g2"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end
  5. Configure the AWS VPCE in the global VDOM:
    config aws vpce
        edit 1
            set name "tenant1"
            set endpoint-id "fac3dcc5b40ca0b9"
            set vdom "vdom1"
        next
        edit 2
            set name "tenant2"
            set endpoint-id "07392059b988e86af"
            set vdom "vdom2"
        next
    end
  6. Ensure that the FortiGate routes traffic from different VPCE IDs to different VDOMs as desired. The following shows an example of the desired output:
    diagnose sniffer packet any icmp 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[icmp]
    5.330846 g1 in 10.1.1.10 -> 8.8.8.8: icmp: echo request
    5.330882 g1 out 10.1.1.10 -> 8.8.8.8: icmp: echo request
    5.339186 g1 in 8.8.8.8 -> 10.1.1.10: icmp: echo reply
    5.339210 g1 out 8.8.8.8 -> 10.1.1.10: icmp: echo reply
    7.785495 g2 in 10.1.2.10 -> 8.8.8.8: icmp: echo request
    7.785533 g2 out 10.1.2.10 -> 8.8.8.8: icmp: echo request
    7.794251 g2 in 8.8.8.8 -> 10.1.2.10: icmp: echo reply
    7.794273 g2 out 8.8.8.8 -> 10.1.2.10: icmp: echo reply
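The classification step the guide describes (read the VPC endpoint ID from the GENEVE header, look it up in the `config aws vpce` table, pick the VDOM) can be reproduced offline to check what a given encapsulated packet would map to. The following is an added example written for this page, not FortiOS code; it assumes the GWLB option layout (AWS option class 0x0108, type 1 = 8-byte endpoint ID, type 3 = 4-byte flow cookie) and uses the two endpoint IDs configured in step 5 with constructed sample packets.

```python
import struct

# VPCE -> VDOM mapping as configured on this page under "config aws vpce"
VPCE_TO_VDOM = {"fac3dcc5b40ca0b9": "vdom1", "07392059b988e86af": "vdom2"}
# Assumed GWLB option layout: AWS option class 0x0108, type 1 = endpoint ID (8 bytes, big-endian)
AWS_OPT_CLASS = 0x0108
AWS_OPT_ENDPOINT_ID = 1

def parse_geneve_options(pkt):
    """Walk the option list of a GENEVE header; returns [(opt_class, opt_type, data), ...]."""
    if len(pkt) < 8:
        raise ValueError("short GENEVE header")
    version, opt_words = pkt[0] >> 6, pkt[0] & 0x3F   # byte 0 = Ver(2 bits) | Opt Len(6 bits)
    if version != 0:
        raise ValueError("unsupported GENEVE version %d" % version)
    end = 8 + opt_words * 4                            # option area length is in 4-byte words
    if len(pkt) < end:
        raise ValueError("truncated GENEVE options")
    opts, off = [], 8
    while off < end:
        opt_class, opt_type, flags_len = struct.unpack_from("!HBB", pkt, off)
        data_len = (flags_len & 0x1F) * 4             # low 5 bits = data length in 4-byte words
        off += 4
        if off + data_len > end:
            raise ValueError("option overruns option area")
        opts.append((opt_class, opt_type, pkt[off:off + data_len]))
        off += data_len
    return opts

def vdom_for_packet(pkt, mapping=VPCE_TO_VDOM):
    """Return the VDOM for the endpoint ID carried in pkt, or None if absent or unmapped.
    IDs compare numerically, so a 17-digit AWS ID with a leading 0 ("07392059b988e86af")
    still matches the 8-byte option value."""
    for opt_class, opt_type, data in parse_geneve_options(pkt):
        if opt_class == AWS_OPT_CLASS and opt_type == AWS_OPT_ENDPOINT_ID and len(data) == 8:
            endpoint = int.from_bytes(data, "big")
            return next((v for k, v in mapping.items() if int(k, 16) == endpoint), None)
    return None

def build_geneve(options, payload=b""):
    """Constructed test packet: protocol type 0x0800 (IPv4), VNI 0, given options, no flags."""
    body = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    base = struct.pack("!BBHI", len(body) // 4, 0, 0x0800, 0)  # Ver=0|OptLen, O/C/rsvd, proto, VNI|rsvd
    return base + body + payload

def endpoint_packet(vpce_id, flow_cookie=b"\x00\x00\x00\x2a"):
    """Constructed sample: endpoint ID option plus a 4-byte flow cookie (assumed type 3)."""
    eid = int(vpce_id, 16).to_bytes(8, "big")
    return build_geneve([(AWS_OPT_CLASS, AWS_OPT_ENDPOINT_ID, eid), (AWS_OPT_CLASS, 3, flow_cookie)])
```

A packet whose endpoint ID is not in the table returns None, which is the case to watch for when a new tenant's VPCE is added to the GWLB before its `config aws vpce` entry exists.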