Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway

This example uses static routing. It is assumed that the AWS VPN Gateway is already configured, and that proper routing is applied on the corresponding subnet.

Verify the AWS configuration

See Creating routing tables and associate subnets in the AWS Administration Guide for configuration details.

To check the AWS configuration:
  1. Go to Virtual Private Network (VPN) > Customer Gateways to confirm that the customer gateway defines the FortiGate IP address as its Gateway IP address, in this case 34.66.121.231.

  2. Go to Virtual Private Network (VPN) > Virtual Private Gateways to confirm that a virtual private gateway (VPG) has been created. In this case it is attached to the Cloud_onRamp VPC that contains the FortiGate and servers.

  3. Go to Virtual Private Network (VPN) > Site-to-Site VPN Connections to confirm that site-to-site VPN connections have been created and attached to the customer gateway and virtual private gateway.

    If Routing Options is Static, the IP prefix of the remote subnet on the HQ FortiGate (10.100.88.0) is entered here.

    AWS site-to-site VPN always creates two VPN tunnels for redundancy. In this example, only Tunnel 1 is used.

  4. Click Download Configuration to download the FortiGate's tunnel configurations. The configuration can be referred to when configuring the FortiGate VPN.
  5. The new VPG is attached to your VPC, but traffic only reaches the VPG if the subnet's route table sends it there. Go to Virtual Private Cloud > Subnets, select the Cloud-OnRamp-VPN subnet, and select the Route Table tab to verify that there are at least two routes sending traffic over the VPG.

    • 169.254.0.0/24 covers the tunnel IP addresses. Health check traffic originating from the FortiGate comes from this range.
    • 10.100.0.0/16 is the remote subnet behind the HQ FortiGate.
    • Both routes point to the newly created VPG vgw-04xxxx.
  6. On the cloud FortiGate-VM EC2 instances, ensure that port1 and port2 both have Source/Dest. Check set to false. With the check disabled, the FortiGate can accept and forward traffic that is sourced from or destined to networks other than its own interface addresses.

    If you launched the instance from the AWS marketplace, this setting defaults to true.
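Steps 5 and 6 can be verified from the AWS CLI output instead of clicking through the console. The following script is an added example, not part of the original guide or of any Fortinet or AWS tooling: it checks that every required prefix (the 169.254.0.0/24 tunnel range and the 10.100.0.0/16 HQ subnet) is an active route via the expected VPG, and that no interface of the FortiGate instance still has Source/Dest. Check enabled. The embedded JSON is constructed sample data in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` output; the VPG id, route table id, subnet id, ENI ids and instance id are placeholders (the guide only shows the VPG as vgw-04xxxx), and the sample deliberately contains one misrouted prefix and one interface with the check still on so the report is not empty.

```python
import json

# Required routes from step 5: the tunnel range (health-check source) and
# the HQ FortiGate's remote subnet, both of which must go via the VPG.
REQUIRED_VPG_ROUTES = ("169.254.0.0/24", "10.100.0.0/16")

# Constructed sample in the shape of `aws ec2 describe-route-tables`.
# All ids are placeholders, not values from the guide.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-PLACEHOLDER",
   "Associations": [{"SubnetId": "subnet-PLACEHOLDER", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "169.254.0.0/24", "GatewayId": "vgw-PLACEHOLDER", "State": "active"},
     {"DestinationCidrBlock": "10.100.0.0/16", "GatewayId": "igw-PLACEHOLDER", "State": "active"}
   ]}
]}
""")

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`.
# port2 still has the check on, which the audit should flag.
SAMPLE_NICS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-port1", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-FORTIGATE", "DeviceIndex": 0}},
  {"NetworkInterfaceId": "eni-port2", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-FORTIGATE", "DeviceIndex": 1}}
]}
""")


def vpg_route_problems(route_table, vpg_id, required=REQUIRED_VPG_ROUTES):
    """Return (cidr, reason) pairs for required prefixes that are not
    active routes through the expected virtual private gateway."""
    problems = []
    routes = {r.get("DestinationCidrBlock"): r for r in route_table["Routes"]}
    for cidr in required:
        r = routes.get(cidr)
        if r is None:
            problems.append((cidr, "missing"))
        elif r.get("GatewayId") != vpg_id:
            problems.append((cidr, f"points to {r.get('GatewayId')}"))
        elif r.get("State") != "active":
            problems.append((cidr, f"state {r.get('State')}"))
    return problems


def source_dest_check_enabled(nics, instance_id):
    """Return ids of the instance's interfaces whose Source/Dest. Check is
    still true (step 6 requires false on port1 and port2)."""
    return [
        n["NetworkInterfaceId"]
        for n in nics["NetworkInterfaces"]
        if n.get("Attachment", {}).get("InstanceId") == instance_id
        and n.get("SourceDestCheck")
    ]


def audit(route_tables, nics, vpg_id, instance_id):
    """Combine both checks into one report keyed by route table id, plus
    the list of interfaces that still need the check disabled."""
    report = {rt["RouteTableId"]: vpg_route_problems(rt, vpg_id)
              for rt in route_tables["RouteTables"]}
    report["source_dest_check_on"] = source_dest_check_enabled(nics, instance_id)
    return report


if __name__ == "__main__":
    # Usage: replace the samples with the parsed output of the two CLI
    # commands named above, and the placeholders with your real ids.
    print(json.dumps(audit(SAMPLE_ROUTE_TABLES, SAMPLE_NICS,
                           "vgw-PLACEHOLDER", "i-FORTIGATE"), indent=2))
```

An empty problem list per route table and an empty `source_dest_check_on` list means the subnet routing and the instance interfaces match what steps 5 and 6 require; anything else names the exact prefix or interface to fix before moving on to the FortiGate side.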

Configure routing to the VPG on the cloud FortiGate-VM

To configure routing to the VPG on the cloud FortiGate-VM: