Multitenancy support with AWS GWLB enhancement 7.0.4

To better support multitenancy with AWS gateway load balancer (GWLB), this enhancement adds support to identify incoming traffic using virtual private cloud (VPC) endpoint IDs in the GENEVE header to forward traffic to the appropriate virtual domain (VDOM) tenant.

You configure the VPC endpoint (VPCE) to VDOM mapping under the following CLI commands:

    config aws vpce
        edit <id>
            set name <VPCE name>
            set endpoint-id <VPCE ID>
            set vdom <VDOM name>
        next
    end

This guide assumes that you have previously configured a GWLB environment. The following shows the topology for this deployment:

To configure multitenancy support with AWS GWLB:
  1. Configure the GENEVE interface in VDOM 1:
    config system geneve
        edit "g1"
            set interface "port2"
            set type ppp
            set remote-ip 10.2.1.199
        next
    end
  2. Configure the GENEVE interface in VDOM 2:
    config system geneve
        edit "g2"
            set interface "port2"
            set type ppp
            set remote-ip 10.2.1.199
        next
    end
  3. Configure a static route and firewall policy in VDOM 1:
    config router static
        edit 1
            set device "g1"
        next
    end
    config firewall policy
        edit 1
            set srcintf "g1"
            set dstintf "g1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end
  4. Configure a static route and firewall policy in VDOM 2:
    config router static
        edit 1
            set device "g2"
        next
    end
    config firewall policy
        edit 1
            set srcintf "g2"
            set dstintf "g2"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end
  5. Configure the AWS VPCE in the global VDOM:
    config aws vpce
        edit 1
            set name "tenant1"
            set endpoint-id "fac3dcc5b40ca0b9"
            set vdom "vdom1"
        next
        edit 2
            set name "tenant2"
            set endpoint-id "07392059b988e86af"
            set vdom "vdom2"
        next
    end
  6. Ensure that the FortiGate routes traffic from different VPCE IDs to different VDOMs as desired. The following shows an example of the desired output:
    diagnose sniffer packet any icmp 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[icmp]
    5.330846 g1 in 10.1.1.10 -> 8.8.8.8: icmp: echo request
    5.330882 g1 out 10.1.1.10 -> 8.8.8.8: icmp: echo request
    5.339186 g1 in 8.8.8.8 -> 10.1.1.10: icmp: echo reply
    5.339210 g1 out 8.8.8.8 -> 10.1.1.10: icmp: echo reply
    7.785495 g2 in 10.1.2.10 -> 8.8.8.8: icmp: echo request
    7.785533 g2 out 10.1.2.10 -> 8.8.8.8: icmp: echo request
    7.794251 g2 in 8.8.8.8 -> 10.1.2.10: icmp: echo reply
    7.794273 g2 out 8.8.8.8 -> 10.1.2.10: icmp: echo reply
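As an added example (not Fortinet code), the following Python shows the lookup that step 5 configures and step 6 verifies: it parses the GENEVE header of an incoming frame, pulls out the AWS option that carries the GWLB endpoint ID, and resolves it to a VDOM using the same two tenant entries as the page, returning None for an endpoint that has no mapping so unknown traffic is never handed to a tenant. It assumes the AWS option layout (option class 0x0108, type 1, 8-byte endpoint ENI ID) and that the endpoint-id strings on the page are the hex form of that 64-bit value; the sample frames are constructed in build_geneve.

```python
import struct

# AWS GWLB option carrying the GWLB endpoint (VPCE) ENI ID: class 0x0108, type 1,
# 8 data bytes. Assumed from AWS's published GENEVE option layout, not from this page.
AWS_OPT_CLASS = 0x0108
AWS_OPT_GWLBE_ENI_ID = 1

# Mirrors the page's "config aws vpce" entries. Keys are normalised to integers so
# "07392059b988e86af" and "7392059b988e86af" (leading zero dropped) match the same value.
VPCE_TO_VDOM = {int(k, 16): v for k, v in {
    "fac3dcc5b40ca0b9": "vdom1",   # tenant1
    "07392059b988e86af": "vdom2",  # tenant2
}.items()}


def parse_geneve_options(frame: bytes) -> dict:
    """Return {(option_class, option_type): data} for the TLVs of a GENEVE (RFC 8926) header."""
    if len(frame) < 8:
        raise ValueError("GENEVE header truncated")
    ver_optlen, _flags, _proto, _vni = struct.unpack("!BBHI", frame[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (ver_optlen & 0x3F) * 4          # Opt Len is in 4-byte units
    if end > len(frame):
        raise ValueError("option area runs past end of frame")
    opts, off = {}, 8
    while off < end:
        cls, typ, rlen = struct.unpack("!HBB", frame[off:off + 4])
        data_len = (rlen & 0x1F) * 4           # low 5 bits, 4-byte units, header excluded
        if off + 4 + data_len > end:
            raise ValueError("option length exceeds option area")
        opts[(cls, typ)] = frame[off + 4:off + 4 + data_len]
        off += 4 + data_len
    return opts


def vdom_for_frame(frame: bytes):
    """Resolve a GENEVE-encapsulated packet to its tenant VDOM; None if no mapping exists."""
    data = parse_geneve_options(frame).get((AWS_OPT_CLASS, AWS_OPT_GWLBE_ENI_ID))
    if data is None or len(data) != 8:
        return None                            # no endpoint ID: do not guess a tenant
    endpoint_id = struct.unpack("!Q", data)[0]
    return VPCE_TO_VDOM.get(endpoint_id)


def build_geneve(endpoint_id: int, inner_ip: bytes) -> bytes:
    """Constructed sample frame: GENEVE v0, protocol 0x0800 (inner IPv4), one AWS endpoint-ID option."""
    opt = struct.pack("!HBBQ", AWS_OPT_CLASS, AWS_OPT_GWLBE_ENI_ID, 2, endpoint_id)  # length 2 = 8 bytes
    hdr = struct.pack("!BBHI", len(opt) // 4, 0, 0x0800, 0)                          # ver 0, VNI 0
    return hdr + opt + inner_ip
```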
