
Administration Guide


Appendix A - Deployment scenarios

Traffic must be correctly routed through a FortiGate CNF instance in order to be inspected. The routing depends on your cloud workload architecture, with a virtually unlimited number of possibilities.

This section presents some typical deployment scenarios in AWS, with instructions on routing traffic to the FortiGate CNF instance. Follow the scenario that matches your architecture, or use the principles presented as a basis for a customized approach.

Broadly, AWS defines two types of security architecture in the context of FortiGate CNF:

  • Distributed: Each VPC is protected by a FortiGate CNF instance.

  • Centralized: Multiple VPCs are protected by a single FortiGate CNF instance. If you have workloads in multiple VPCs that require protection, this model may be a cleaner way to provide security than protecting each VPC separately in a distributed model. In the centralized model, all traffic is routed through a dedicated VPC called the Inspection VPC. The GWLBe (Gateway Load Balancer endpoint) is deployed in this VPC to send traffic to the FortiGate CNF instance. You will need to create this Inspection VPC, and typically a transit gateway is needed as well.
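In both models the security outcome hinges on the workload subnets' route tables: internet-bound traffic must reach the GWLBe (distributed) or the transit gateway that leads to the Inspection VPC (centralized), and a more specific route pointing at an internet or NAT gateway silently bypasses the FortiGate CNF instance. The following check is an added example, not Fortinet's code or part of this guide. It performs the same longest-prefix-match lookup the VPC router does over data shaped like `aws ec2 describe-route-tables` output; every resource ID and CIDR in it is a constructed placeholder, and it assumes the tables belong to workload subnets (the GWLBe's own subnet legitimately routes to the internet gateway) and that any `vpce-` target is a GWLBe.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample modelled on the shape of `aws ec2 describe-route-tables`
# output. All IDs and CIDRs are placeholders, not real AWS resources.
SAMPLE_ROUTE_TABLES = [
    {   # Distributed model: the workload subnet hands internet-bound traffic to the GWLBe
        "RouteTableId": "rtb-workload-0001",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-gwlbe-0001"},
        ],
    },
    {   # Centralized model: the workload subnet hands everything to the transit gateway,
        # which forwards to the Inspection VPC
        "RouteTableId": "rtb-workload-0002",
        "Associations": [{"SubnetId": "subnet-app-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0001"},
        ],
    },
    {   # Misconfigured: a more specific route goes straight to the internet gateway
        "RouteTableId": "rtb-workload-0003",
        "Associations": [{"SubnetId": "subnet-app-c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-gwlbe-0002"},
            {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0001"},
        ],
    },
]

# The API spreads the next hop over several keys depending on its type.
TARGET_KEYS = ("GatewayId", "TransitGatewayId", "NatGatewayId",
               "NetworkInterfaceId", "VpcPeeringConnectionId")

# Prefix-to-kind mapping (assumption: every vpce- target here is a GWLBe).
KINDS = {"vpce-": "gwlbe", "tgw-": "transit-gateway",
         "igw-": "internet-gateway", "nat-": "nat-gateway"}
BYPASS_KINDS = {"internet-gateway", "nat-gateway"}


def route_target(route: dict) -> Optional[str]:
    """Return the next-hop identifier of a route entry, whichever key carries it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def lookup(route_table: dict, destination: str) -> Optional[str]:
    """Longest-prefix-match lookup, the way the VPC router selects a route."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in route_table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:  # IPv6 and prefix-list routes are out of scope for this model
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return route_target(best) if best else None


def next_hop_kind(target: Optional[str]) -> str:
    """Classify a next hop so the inspection path can be recognised."""
    if target is None:
        return "blackhole"
    if target == "local":
        return "local"
    for prefix, kind in KINDS.items():
        if target.startswith(prefix):
            return kind
    return "other"


def audit(route_tables: List[dict], destination: str) -> Dict[str, str]:
    """Map each route table to the kind of next hop it selects for `destination`."""
    return {rt["RouteTableId"]: next_hop_kind(lookup(rt, destination))
            for rt in route_tables}


def uninspected(route_tables: List[dict], destination: str) -> List[str]:
    """Route tables that send `destination` around the FortiGate CNF instance."""
    return [rt_id for rt_id, kind in audit(route_tables, destination).items()
            if kind in BYPASS_KINDS]


if __name__ == "__main__":
    for dest in ("198.51.100.1", "203.0.113.7"):
        print(dest, audit(SAMPLE_ROUTE_TABLES, dest))
        print("  bypasses inspection:", uninspected(SAMPLE_ROUTE_TABLES, dest))
```

Run against real output by replacing the constructed list with the `RouteTables` array from `aws ec2 describe-route-tables`; the interesting finding is the third table, where a generic destination is inspected but a specific one is not, which a check that only looks at the 0.0.0.0/0 entry would miss.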

The primary consideration in planning your deployment is how to route traffic to the FortiGate CNF instance, rather than the architecture of your application.

In each of these scenarios, we will present the following two diagrams:

  • Before deployment of FortiGate CNF: this topology shows the infrastructure before a FortiGate CNF instance is deployed.

  • After deployment of FortiGate CNF: this topology shows the changes you will implement to add the FortiGate CNF instance, with changes highlighted.

Examples

The following scenario examples are available:
