Distributed inter-subnet east-west traffic in one AZ Example
Scenario objective
Traffic between two subnets in the same availability zone (AZ) in one VPC is inspected by a FortiGate CNF instance.
Before deployment of FortiGate CNF
Traffic in this scenario is east-west within the same availability zone (AZ) in a region. All routes are local routes.
The Before deployment of FortiGate CNF traffic flow is as follows:
-
Traffic originates from compute resources located in
Private Subnet 1
(10.1.3.0/24). -
Traffic goes to compute resources located in
Private Subnet 2
(10.1.4.0/24).
Routing tables
The routing tables are defined as follows.
Private Subnet 1 route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
Private Subnet 2 route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
After deployment of FortiGate CNF
The After deployment of FortiGate CNF topology traffic flow is as follows:
-
Ttraffic goes from
Private Subnet 1
(10.1.3.0/24) to theGWLBe
located inCNF Endpoint Subnet
(10.1.1.0/24). -
Traffic is sent to the FortiGate CNF instance for inspection.
-
FortiGate CNF sends traffic back to the
GWLBe
. -
The GWLBe forwards the traffic to
Private Subnet 2
(10.1.4.0/24).
To deploy the FortiGate CNF instance in this scenario:
-
In AWS, add a subnet
CNF Endpoint Subnet
(10.1.1.0/24) and the associated route table.Destination Target 10.1.0.0/16 Local -
In FortiGate CNF, deploy a GWLBe to this subnet.
-
In AWS, add a route to the
Private Subnet 1
route table to route all traffic going toPrivate Subnet 2
to the GWLBe.Destination Target 10.1.0.0/16 Local 10.1.4.0/24
GWLBe
-
In AWS, add a route to the
Private Subnet 2
route table to route all traffic going toPrivate Subnet 1
to the GWLBe.Destination Target 10.1.0.0/16 Local 10.1.3.0/24
GWLBe