SD-WAN cloud on-ramp

In this example, you configure a connection to a new cloud deployment that has some remote servers. SD-WAN is used to steer traffic through the required overlay tunnel.

The on-premises FortiGate has two internet connections, each carrying a single VPN connection. For redundancy, two VPN gateways are configured in the cloud: one terminates at the FortiGate-VM, the other at the native AWS VPN Gateway.

This example uses AWS as the Infrastructure as a Service (IaaS) provider, but the same configuration can also apply to other services. A full mesh VPN setup is not shown, but can be added later if required.

To connect to the servers that are behind the cloud FortiGate-VM, virtual IP addresses (VIPs) are configured on port2 to map to the servers:

  • VPN traffic terminating on port1 is routed to the VIP on port2 to access the web servers.
  • VPN traffic terminating on the VPN gateway accesses the VIPs on port2 directly.

There are four major steps to configure this setup:

  1. Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
  2. Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
  3. Configuring the VIP to access the remote servers
  4. Configuring the SD-WAN to steer traffic between the overlays

After the configuration is complete, verify the traffic to ensure that the setup is working as expected; see Verifying the traffic.
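A FortiOS CLI sketch of steps 3 and 4, added here as an illustration and not taken from the cookbook: the VIP and firewall policy on the cloud FortiGate-VM, and the SD-WAN members and steering rule on the HQ FortiGate. It assumes FortiOS 7.0 syntax (`config system sdwan`; on 6.4 the equivalent table is `config system virtual-wan-link`), and every address, tunnel name and object name is a made-up placeholder.

```fortios
# Cloud FortiGate-VM: expose a web server behind port2 through a VIP, and
# allow traffic arriving from the HQ overlay (terminating on port1) to reach it.
# All addresses, interface and object names below are constructed placeholders.
config firewall vip
    edit "vip-web1"
        set extintf "port2"
        set extip 10.0.2.10
        set mappedip "10.0.3.10"
    next
end
config firewall policy
    edit 1
        set name "hq-overlay-to-web1"
        set srcintf "hq-vpn"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web1"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
# HQ FortiGate: both overlays become SD-WAN members, and one rule steers
# traffic for the cloud server range through the FortiGate-VM overlay first,
# falling back to the AWS native VPN gateway overlay if that member's tunnel is down.
config firewall address
    edit "cloud-servers"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config system sdwan
    set status enable
    config members
        edit 1
            set interface "vpn-to-fgtvm"
        next
        edit 2
            set interface "vpn-to-awsgw"
        next
    end
    config service
        edit 1
            set name "to-cloud-servers"
            set mode manual
            set dst "cloud-servers"
            set priority-members 1 2
        next
    end
end
```

An SD-WAN rule only selects a member through which a route to the destination exists, so a static route for the cloud server range via the SD-WAN members is also required.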