
AWS Administration Guide

North-south security inspection to customer VPC

This guide assumes that the following are already created and in place as the diagram shows:

  • Customer VPC and subnets in all zones to be load balanced
  • Security VPC and subnets in all zones to be load balanced
  • FortiGate with at least one management network interface and elastic IP address assigned
  • Application instances

The guide describes configuring additional network interfaces to handle data traffic. The following describes the two VPCs in this deployment:

Customer VPC

Where customer workloads are deployed. The customer VPC has four subnets (two in each availability zone (AZ)). Each AZ has an application-purposed subnet and a GWLB endpoint subnet:

  • Application-purposed subnet: deploy application workloads where the FortiGate must inspect the traffic.
  • GWLB endpoint subnet: deploy the GWLB endpoint so that traffic is redirected to the GWLB, which then redirects the traffic to the FortiGate for inspection.

Security VPC

Where the FortiGate is deployed. You create the GWLB in this VPC.

The following describes the traffic flow in this deployment:

Inbound traffic

With this configuration, the FortiGate inspects traffic that is destined for the application instances. The Internet gateway in the customer VPC is associated with an ingress route table. That route table directs traffic for the application subnets through the GWLB endpoints (GWLBe) in their dedicated subnets. The traffic then goes through the GWLB in the security VPC, where it is encapsulated with the Geneve protocol and sent to the FortiGate. The FortiGate inspects the traffic and redirects it to the application instances.

Outbound traffic

The route tables that the application subnets are associated with have a default route through the GWLB endpoints in their AZ. The traffic originating from the application instances is forwarded to the FortiGate through the GWLB. After inspection, the FortiGate sends the traffic to the Internet. You set static routes for all of these traffic redirects after deployment. See Post-deployment configuration.
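The two route tables the flow above depends on, expressed as a small plan-and-check script (an added example, not Fortinet's or AWS's own code). It builds the ingress route table for the Internet gateway and the per-AZ application subnet tables, renders the equivalent `aws ec2` calls, and checks that every redirect uses the GWLBe in the same AZ, so both directions of a flow reach the same FortiGate. All subnet CIDRs, endpoint IDs and route table IDs are constructed placeholders.

```python
"""Route plan for GWLB north-south inspection (added example, constructed topology)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Az:
    name: str
    app_cidr: str       # application-purposed subnet in this AZ
    gwlbe_id: str       # GWLB endpoint deployed in this AZ's endpoint subnet
    app_rtb_id: str     # route table associated with the application subnet


# Constructed sample: two AZs, each with an app subnet and a GWLBe.
CUSTOMER_VPC = [
    Az("us-east-1a", "10.0.1.0/24", "vpce-aaaa-placeholder", "rtb-app-a-placeholder"),
    Az("us-east-1b", "10.0.2.0/24", "vpce-bbbb-placeholder", "rtb-app-b-placeholder"),
]
INGRESS_RTB = "rtb-ingress-placeholder"   # table edge-associated with the IGW
IGW_ID = "igw-placeholder"


def ingress_routes(azs):
    """Ingress table: each application subnet CIDR -> GWLBe in the same AZ."""
    return {az.app_cidr: az.gwlbe_id for az in azs}


def app_subnet_routes(azs):
    """Per-AZ application subnet table: default route -> GWLBe in its own AZ."""
    return {az.app_rtb_id: {"0.0.0.0/0": az.gwlbe_id} for az in azs}


def check_same_az(azs, ingress, app_tables):
    """Return problems: a redirect to a GWLBe in another AZ splits the forward and
    return paths across FortiGates, which breaks stateful inspection."""
    gwlbe_az = {az.gwlbe_id: az.name for az in azs}
    problems = []
    for az in azs:
        if gwlbe_az.get(ingress.get(az.app_cidr)) != az.name:
            problems.append(f"ingress route for {az.app_cidr} leaves {az.name}")
        if gwlbe_az.get(app_tables.get(az.app_rtb_id, {}).get("0.0.0.0/0")) != az.name:
            problems.append(f"default route in {az.app_rtb_id} leaves {az.name}")
    return problems


def render_cli(azs):
    """Equivalent AWS CLI calls (edge association, then create-route per entry)."""
    cmds = [f"aws ec2 associate-route-table --route-table-id {INGRESS_RTB} --gateway-id {IGW_ID}"]
    for cidr, vpce in ingress_routes(azs).items():
        cmds.append(f"aws ec2 create-route --route-table-id {INGRESS_RTB} "
                    f"--destination-cidr-block {cidr} --vpc-endpoint-id {vpce}")
    for rtb, routes in app_subnet_routes(azs).items():
        for cidr, vpce in routes.items():
            cmds.append(f"aws ec2 create-route --route-table-id {rtb} "
                        f"--destination-cidr-block {cidr} --vpc-endpoint-id {vpce}")
    return cmds
```

Run `check_same_az` against the tables you actually create before enabling the default routes; a cross-AZ mapping is the usual reason inspected flows time out.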

To add support for IPv6:

See New – Gateway Load Balancer support for IPv6 for extending a current or new deployment to support IPv6.

The following provides an overview of steps that you must complete:

  1. The VPCs and subnets that the GWLB exists in and that you will deploy the GWLBe to must have IPv6 enabled and an IPv6 CIDR assigned. This means that your VPC and subnets must have IPv6 enabled before you configure the GWLB IPv6 settings.
  2. The GWLB must be in dual-stack mode.
  3. The endpoint service must support IPv4 and IPv6.
  4. The endpoint must be in dual-stack mode.
  5. FortiGates are not assigned an IPv6 address, as they use IPv4 to send and receive traffic over the GENEVE tunnel.
