Creating the TGW and related resources
A transit gateway (TGW) is a regional transit hub that connects VPCs to each other and to on-premises networks. This scenario connects multiple Application VPCs to the Security VPC through a TGW, so that all traffic to and from the Application VPCs is routed through the Security VPC, where the FortiGates inspect it.
To create the TGW and related resources:
1. Create the TGW:
   - In the AWS management console, go to VPC Dashboard > Transit Gateways > Transit Gateways.
   - Click Create Transit Gateway.
   - Configure the Name tag and Amazon side ASN fields with the desired values. The Amazon side ASN defaults to 64512; note the value you use, because the FortiGate BGP peers created in step 6 must use a different ASN.
   - Enable DNS support, VPN ECMP support, Default route table association, and Default route table propagation.
   - In the CIDR field, enter the desired CIDR. In this example, the value is 10.100.0.0/16. The TGW allocates the GRE tunnel addresses for Connect peers from this range, so it must not overlap with the CIDR of any VPC attached to the TGW.
2. Creating a TGW also creates a TGW default route table. You can use this table as the default association and propagation route table for the TGW. Confirm that the table was created by going to VPC Dashboard > Transit Gateways > Transit Gateway Route Tables.
3. You must create a TGW attachment to link each VPC and its subnets to the newly created TGW. The VPC and the TGW can belong to the same or different AWS accounts (a cross-account attachment requires sharing the TGW through AWS Resource Access Manager). This example assumes that all VPCs are in the same AWS account. Create the TGW attachment:
   - Go to VPC Dashboard > Transit Gateways > Transit Gateway Attachments.
   - Click Create Transit Gateway Attachment.
   - From the Transit Gateway ID dropdown list, select the TGW you created in step 1.
   - From the Attachment type dropdown list, select VPC.
   - From the VPC ID dropdown list, select the VPC to attach to the TGW.
   - In the Subnet IDs field, select the required subnet in the correct availability zone (AZ).
   - Configure other fields as desired.
   - Click Create Attachment.
4. Repeat step 3 for the remaining three attachments. For the Security VPC attachment, ensure that you select the TGW subnet in both AZs.
5. You must create a TGW Connect attachment, which builds a Generic Routing Encapsulation (GRE) tunnel on top of an existing VPC attachment. You then create a Border Gateway Protocol (BGP) peer for each FortiGate in each AZ. By peering the TGW with the FortiGates over BGP, the TGW advertises the Application VPC routes to the FortiGates in the Security VPC, and the FortiGates advertise their routes back to the TGW. Create the TGW Connect attachment:
   - Go to VPC Dashboard > Transit Gateways > Transit Gateway Attachments.
   - Click Create Transit Gateway Attachment.
   - From the Transit Gateway ID dropdown list, select the TGW you created in step 1.
   - From the Attachment type dropdown list, select Connect.
   - Configure the Attachment name tag field as desired.
   - From the Transport Attachment ID dropdown list, select the TGW attachment over which to create the Connect attachment. This example selects the Security VPC attachment.
   - Click Create Attachment.
6. You must create one Connect peer for each FortiGate, that is, one per AZ. Create the peers:
   - Go to VPC Dashboard > Transit Gateways > Transit Gateway Attachments.
   - Select the newly created Connect attachment.
   - On the Connect peers tab, click Create Connect peer.
   - In the Peer GRE address field, enter the FortiGate port2 IP address. This address is the GRE tunnel endpoint on the FortiGate and must be reachable from the TGW over the transport (Security VPC) attachment. Create a separate Connect peer for the FortiGate in each other AZ.
   - In the BGP Inside CIDR blocks IPv4 field, configure a unique /29 block in the 169.254.0.0/16 range for each Connect peer. Avoid the blocks AWS reserves in this range (169.254.0.0/29 through 169.254.5.0/29 and 169.254.169.248/29). The TGW takes the first two usable addresses of the block for its BGP speakers; the FortiGate uses the third.
   - In the BGP Inside CIDR blocks IPv6 field, configure a unique /125 block in the fd00::/8 range for each Connect peer, if applicable.
   - In the Peer ASN field, enter an existing ASN assigned in the network, or assign a private ASN in the range 64512-65534. This setup uses eBGP, so the peer ASN must differ from the TGW's Amazon side ASN (64512 by default).
   - Click Create.
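The Connect peer values above are easy to get subtly wrong: an inside block that collides with another peer or with an AWS-reserved block, a peer ASN equal to the Amazon side ASN, or a TGW CIDR that overlaps an attached VPC. The following Python script is an added example, not part of the Fortinet guide, that plans the peers for a two-AZ Security VPC offline: it validates the TGW CIDR against the VPC CIDRs, allocates a distinct /29 inside block per FortiGate, derives the TGW and FortiGate BGP addresses from it, and prints the equivalent `aws ec2 create-transit-gateway-connect-peer` command. All VPC CIDRs, FortiGate port2 addresses, the attachment ID and the peer ASN are assumed sample values.

```python
"""Plan Transit Gateway Connect peers for a two-AZ FortiGate Security VPC.

Added example (not from the Fortinet guide). Resource IDs, VPC CIDRs and
FortiGate port2 addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

AMAZON_DEFAULT_ASN = 64512              # TGW "Amazon side ASN" default
PRIVATE_ASN = range(64512, 65535)       # 64512-65534 inclusive
INSIDE_POOL = ipaddress.ip_network("169.254.0.0/16")
# /29 blocks AWS reserves inside 169.254.0.0/16; a Connect peer may not use them.
RESERVED = {ipaddress.ip_network(b) for b in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")}


def check_tgw_cidr(tgw_cidr: str, vpc_cidrs: list) -> bool:
    """The TGW CIDR (source of the GRE outer addresses) must be /24 or larger
    and must not overlap any VPC attached to the TGW."""
    tgw = ipaddress.ip_network(tgw_cidr)
    if tgw.prefixlen > 24:
        return False
    return not any(tgw.overlaps(ipaddress.ip_network(v)) for v in vpc_cidrs)


@dataclass
class ConnectPeer:
    az: str
    peer_gre_address: str        # FortiGate port2 IP, the GRE tunnel endpoint
    peer_asn: int
    inside_cidr: ipaddress.IPv4Network
    # AWS uses the first two usable inside addresses for the TGW's BGP
    # speakers; the peer (the FortiGate) uses the third.
    tgw_bgp_addresses: list = field(init=False)
    peer_bgp_address: str = field(init=False)

    def __post_init__(self):
        hosts = list(self.inside_cidr.hosts())   # /29 -> .1 .. .6
        self.tgw_bgp_addresses = [str(hosts[0]), str(hosts[1])]
        self.peer_bgp_address = str(hosts[2])


def allocate_inside_block(used: set, start: str = "169.254.100.0/29") -> ipaddress.IPv4Network:
    """Return the next free /29 in 169.254.0.0/16 at or after `start` that is
    neither AWS-reserved nor already given to another Connect peer."""
    first = ipaddress.ip_network(start).network_address
    for block in INSIDE_POOL.subnets(new_prefix=29):
        if block.network_address < first:
            continue
        if block not in RESERVED and block not in used:
            used.add(block)
            return block
    raise RuntimeError("no free /29 left in 169.254.0.0/16")


def plan_peer(az: str, fortigate_port2_ip: str, peer_asn: int, used: set,
              amazon_asn: int = AMAZON_DEFAULT_ASN) -> ConnectPeer:
    """Validate the console inputs for one Connect peer and allocate its block."""
    if peer_asn not in PRIVATE_ASN:
        raise ValueError(f"peer ASN {peer_asn} is outside the private range 64512-65534")
    if peer_asn == amazon_asn:
        raise ValueError("eBGP: peer ASN must differ from the TGW Amazon side ASN")
    ipaddress.ip_address(fortigate_port2_ip)     # rejects a malformed GRE address
    return ConnectPeer(az, fortigate_port2_ip, peer_asn, allocate_inside_block(used))


def peer_cli(peer: ConnectPeer, connect_attachment_id: str) -> str:
    """CLI equivalent of the console's Create Connect peer dialog."""
    return ("aws ec2 create-transit-gateway-connect-peer "
            f"--transit-gateway-attachment-id {connect_attachment_id} "
            f"--peer-address {peer.peer_gre_address} "
            f"--inside-cidr-blocks {peer.inside_cidr} "
            f"--bgp-options PeerAsn={peer.peer_asn}")


def plan_security_vpc(connect_attachment_id: str, fortigates: dict, peer_asn: int = 65000):
    """fortigates maps AZ -> FortiGate port2 IP. Returns (peers, cli commands)."""
    used = set()
    peers = [plan_peer(az, ip, peer_asn, used) for az, ip in fortigates.items()]
    return peers, [peer_cli(p, connect_attachment_id) for p in peers]


if __name__ == "__main__":
    # Constructed sample inputs: three Application VPCs plus a Security VPC.
    assert check_tgw_cidr("10.100.0.0/16",
                          ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"])
    peers, cmds = plan_security_vpc("tgw-attach-0123456789abcdef0",
                                    {"us-east-1a": "10.0.1.10", "us-east-1b": "10.0.2.10"})
    for p, c in zip(peers, cmds):
        print(f"{p.az}: inside {p.inside_cidr}, TGW BGP {p.tgw_bgp_addresses}, "
              f"FortiGate BGP {p.peer_bgp_address}")
        print("  " + c)
```

The derived `tgw_bgp_addresses` are the neighbor addresses to configure on each FortiGate's BGP instance, and `peer_bgp_address` is the address the FortiGate must assign to its end of the GRE tunnel; keeping them in one record per AZ avoids mixing up the two peers when the FortiGate side is configured later.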