Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

SD-WAN cloud on-ramp

In this example, you configure a connection to a new cloud deployment that has some remote servers. SD-WAN is used to steer traffic through the required overlay tunnel.

The on-premise FortiGate has two internet connections, each with a single VPN connection. The two VPN gateways are configured on the cloud for redundancy, one terminating at the FortiGate-VM, and the other at the native AWS VPN Gateway.

This example uses AWS as the Infrastructure as a Service (IaaS) provider, but the same configuration can also apply to other services. A full mesh VPN setup is not shown, but can be added later if required.

To connect to the servers that are behind the cloud FortiGate-VM, virtual IP addresses (VIPs) are configured on port2 to map to the servers:

  • VPN traffic terminating on port1 is routed to the VIP on port2 to access the web servers.
  • VPN traffic terminating on the VPN gateway accesses the VIPs on port2 directly.

There are four major steps to configure this setup:

  1. Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
  2. Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
  3. Configuring the VIP to access the remote servers
  4. Configuring the SD-WAN to steer traffic between the overlays

After the configuration is complete, verify the traffic to ensure that the configuration is working as expected, see Verifying the traffic.

SD-WAN cloud on-ramp

In this example, you configure a connection to a new cloud deployment that has some remote servers. SD-WAN is used to steer traffic through the required overlay tunnel.

The on-premise FortiGate has two internet connections, each with a single VPN connection. The two VPN gateways are configured on the cloud for redundancy, one terminating at the FortiGate-VM, and the other at the native AWS VPN Gateway.

This example uses AWS as the Infrastructure as a Service (IaaS) provider, but the same configuration can also apply to other services. A full mesh VPN setup is not shown, but can be added later if required.

To connect to the servers that are behind the cloud FortiGate-VM, virtual IP addresses (VIPs) are configured on port2 to map to the servers:

  • VPN traffic terminating on port1 is routed to the VIP on port2 to access the web servers.
  • VPN traffic terminating on the VPN gateway accesses the VIPs on port2 directly.

There are four major steps to configure this setup:

  1. Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
  2. Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
  3. Configuring the VIP to access the remote servers
  4. Configuring the SD-WAN to steer traffic between the overlays

After the configuration is complete, verify the traffic to ensure that the configuration is working as expected, see Verifying the traffic.