Distributed inter-subnet east-west traffic between AZ Example
Scenario objective
Traffic between two availability zones (AZ) in one VPC is inspected by a FortiGate CNF instance.
Before deployment of FortiGate CNF
The traffic in this scenario is east-west between two availability zones (AZ) in the same AWS region. All routes are local routes.
The Before deployment of FortiGate CNF traffic flow is as follows:
-
Traffic originates from compute resources located in
Private SubnetinAvailability Zone 1(10.1.3.0/24). -
Traffic goes to compute resources located in
Private SubnetinAvailability Zone 2(10.1.4.0/24).
Routing tables
The routing tables are defined as follows.
Private Subnet (Availability Zone 1) route table
| Destination | Target |
|---|---|
| 10.1.0.0/16 | Local |
Private Subnet (Availability Zone 2) route table
| Destination | Target |
|---|---|
| 10.1.0.0/16 | Local |
After deployment of FortiGate CNF
The After deployment of FortiGate CNF topology traffic flow is as follows:
-
Ttraffic goes from
Private SubnetinAvailability Zone 1(10.1.3.0/24) to theGWLBelocated inCNF Endpoint SubnetinAvailability Zone 1(10.1.1.0/24). -
Traffic is sent to the FortiGate CNF instance for inspection.
-
FortiGate CNF sends traffic back to the
GWLBe. -
The GWLBe forwards the traffic to
Private SubnetinAvailability Zone 2(10.1.4.0/24).
To deploy the FortiGate CNF instance in this scenario:
-
In AWS, add a subnet
CNF Endpoint Subnetin one of the AZs along with the associated route table.Destination Target 10.1.0.0/16 Local -
In FortiGate CNF, deploy a GWLBe to this subnet.
-
In AWS, add a route to the
Private SubnetinAvailability Zone 1route table to route all traffic going toPrivate SubnetinAvailability Zone 2to the GWLBe.Destination Target 10.1.0.0/16 Local 10.1.4.0/24
GWLBe
-
In AWS, add a route to the
Private SubnetinAvailability Zone 2route table to route all traffic toPrivate SubnetinAvailability Zone 1to the GWLBe.Destination Target 10.1.0.0/16 Local 10.1.3.0/24
GWLBe