Administration Guide

Centralized east-west, inter-VPC Example

Scenario objective

Traffic between two VPCs, VPC A and VPC B, is inspected by a FortiGate CNF instance.

Before deployment of FortiGate CNF

In this scenario, traffic flows between two VPCs, VPC A and VPC B, through an AWS Transit Gateway.

Before deployment of FortiGate CNF, the traffic flow is as follows:

  1. Traffic originates from Private Subnet (10.2.3.0/24) in VPC A (10.2.0.0/16) and goes to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24) in Inspection VPC (10.1.0.0/16).

  2. AWS Transit Gateway sends the traffic to Private Subnet (10.3.3.0/24) in VPC B (10.3.0.0/16).

Routing tables

The routing tables are defined as follows.

Private Subnet (VPC A) route table
Destination    Target
10.2.0.0/16    Local
0.0.0.0/0      AWS Transit Gateway

Private Subnet AWS Transit Gateway (VPC A) route table
Destination    Target
0.0.0.0/0      Inspection VPC

Private Subnet (VPC B) route table
Destination    Target
10.3.0.0/16    Local
0.0.0.0/0      AWS Transit Gateway

Private Subnet AWS Transit Gateway (VPC B) route table
Destination    Target
0.0.0.0/0      Inspection VPC

TGW Subnet route table
Destination    Target
10.1.0.0/16    Local

AWS Transit Gateway route table
Destination    Target
10.2.0.0/16    VPC A
10.3.0.0/16    VPC B

After deployment of FortiGate CNF

After deployment of FortiGate CNF, the traffic flow is as follows:

  1. Traffic originates from Private Subnet (10.2.3.0/24) in VPC A (10.2.0.0/16) and goes to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24) in Inspection VPC (10.1.0.0/16).

  2. AWS Transit Gateway sends the traffic to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).

  3. Traffic is sent to the FortiGate CNF instance for inspection.

  4. FortiGate CNF sends traffic back to the GWLBe.

  5. GWLBe sends the traffic to AWS Transit Gateway.

  6. AWS Transit Gateway forwards the traffic on to Private Subnet (10.3.3.0/24) in VPC B (10.3.0.0/16).

To deploy the FortiGate CNF instance in this scenario:

  1. In AWS, add a subnet named CNF Endpoint Subnet (10.1.1.0/24) to Inspection VPC, along with its associated route table:

     Destination    Target
     10.1.0.0/16    Local
     0.0.0.0/0      NAT Gateway
     10.0.0.0/8     AWS Transit Gateway

  2. In FortiGate CNF, deploy a GWLBe to this subnet.

  3. In AWS, add a route to the TGW Subnet route table so that all traffic is sent to the GWLBe:

     Destination    Target
     10.1.0.0/16    Local
     0.0.0.0/8      GWLBe
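To verify that the route tables above actually steer an inter-VPC flow through the GWLBe (and therefore through FortiGate CNF), here is an added longest-prefix-match route tracer; it is example code written for this page, not code from the FortiGate CNF guide or from AWS. It assumes that the step 3 "all traffic" entry is a 0.0.0.0/0 default route, that the Transit Gateway table holding the VPC A and VPC B routes is the one associated with the Inspection VPC attachment, and that the table names are placeholders; it also reports any hop whose table has no matching route, which is the check to run after editing a route table.

```python
import ipaddress

# Route tables of the example, keyed by a placeholder name; entries are (prefix, target).
# "tgw-subnet" is the after-deployment table: step 3's "all traffic to the GWLBe"
# entry is modelled as a 0.0.0.0/0 default route (assumption made for this example).
ROUTE_TABLES = {
    "vpc-a-private": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    "tgw-rt-vpc-a": [("0.0.0.0/0", "inspection-vpc")],
    "tgw-subnet": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "gwlbe")],
    "cnf-endpoint-subnet": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway"),
                            ("10.0.0.0/8", "tgw")],
    "tgw-rt-inspection": [("10.2.0.0/16", "vpc-a"), ("10.3.0.0/16", "vpc-b")],
}

# Table consulted next once a hop hands the packet to a target. Assumption: the TGW
# table with the VPC A / VPC B routes is associated with the Inspection VPC attachment,
# so traffic returning from the GWLBe (after FortiGate CNF inspection) uses it.
NEXT_TABLE = {
    ("vpc-a-private", "tgw"): "tgw-rt-vpc-a",
    ("tgw-rt-vpc-a", "inspection-vpc"): "tgw-subnet",
    ("tgw-subnet", "gwlbe"): "cnf-endpoint-subnet",  # GWLBe -> CNF -> GWLBe -> subnet RT
    ("cnf-endpoint-subnet", "tgw"): "tgw-rt-inspection",
}

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins; None if none."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def trace(dst, tables=ROUTE_TABLES, start="vpc-a-private"):
    """Walk dst through the tables from start; returns the (table, target) hops taken.
    Stops at a terminal target (no next table) or records NO ROUTE if a table has none."""
    hops, table = [], start
    while table is not None:
        target = lookup(tables[table], dst)
        hops.append((table, target or "NO ROUTE"))
        table = NEXT_TABLE.get((table, target)) if target else None
    return hops

def is_inspected(hops):
    """True only if the path passes through the GWLBe, i.e. FortiGate CNF saw the flow."""
    return any(target == "gwlbe" for _, target in hops)

if __name__ == "__main__":
    for table, target in trace("10.3.3.10"):  # VPC A private subnet -> VPC B
        print(f"{table:22s} -> {target}")
```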