Distributed inter-subnet east-west traffic between AZs example
Scenario objective
Traffic between two availability zones (AZ) in one VPC is inspected by a FortiGate CNF instance.
Before deployment of FortiGate CNF
The traffic in this scenario is east-west between two availability zones (AZs) in the same AWS region. All routes are local routes.

The Before deployment of FortiGate CNF traffic flow is as follows:

- Traffic originates from compute resources located in Private Subnet in Availability Zone 1 (10.1.3.0/24).
- Traffic goes to compute resources located in Private Subnet in Availability Zone 2 (10.1.4.0/24).
Routing tables

The routing tables are defined as follows.

Private Subnet (Availability Zone 1) route table

| Destination | Target |
|---|---|
| 10.1.0.0/16 | Local |

Private Subnet (Availability Zone 2) route table

| Destination | Target |
|---|---|
| 10.1.0.0/16 | Local |
After deployment of FortiGate CNF
The After deployment of FortiGate CNF topology traffic flow is as follows:

- Traffic goes from Private Subnet in Availability Zone 1 (10.1.3.0/24) to the GWLBe located in CNF Endpoint Subnet in Availability Zone 1 (10.1.1.0/24).
- Traffic is sent to the FortiGate CNF instance for inspection.
- FortiGate CNF sends traffic back to the GWLBe.
- The GWLBe forwards the traffic to Private Subnet in Availability Zone 2 (10.1.4.0/24).
To deploy the FortiGate CNF instance in this scenario:

- In AWS, add a subnet, CNF Endpoint Subnet, in one of the AZs along with its associated route table.

  | Destination | Target |
  |---|---|
  | 10.1.0.0/16 | Local |

- In FortiGate CNF, deploy a GWLBe to this subnet.
- In AWS, add a route to the Private Subnet in Availability Zone 1 route table that sends all traffic going to Private Subnet in Availability Zone 2 to the GWLBe.

  | Destination | Target |
  |---|---|
  | 10.1.0.0/16 | Local |
  | 10.1.4.0/24 | GWLBe |

- In AWS, add a route to the Private Subnet in Availability Zone 2 route table that sends all traffic going to Private Subnet in Availability Zone 1 to the GWLBe.

  | Destination | Target |
  |---|---|
  | 10.1.0.0/16 | Local |
  | 10.1.3.0/24 | GWLBe |

The /24 routes are more specific than the 10.1.0.0/16 Local route, so AWS selects the GWLBe only for traffic between the two private subnets; all other intra-VPC traffic still follows the Local route. Because both private subnets point the other subnet's CIDR at the same GWLBe, both directions of a session pass through FortiGate CNF. Omitting either route leaves the flow asymmetric and FortiGate CNF sees only one direction of the session.
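As an added example, not code from the Fortinet documentation or the FortiGate CNF product, the following Python script models the route tables in the procedure above and checks the property that matters for inspection: that the longest-prefix match sends inter-subnet traffic to the GWLBe and that both directions of every subnet pair are treated the same way. The subnet labels, the `local`/`gwlbe` target names and the second table set with the Availability Zone 2 return route left out are this example's own constructions.

```python
import ipaddress

# Constructed model of the scenario. CIDRs are the page's; the names are
# this example's labels.
SUBNETS = {
    "private-az1": "10.1.3.0/24",
    "private-az2": "10.1.4.0/24",
    "cnf-endpoint-az1": "10.1.1.0/24",
}

# Route table per subnet after FortiGate CNF deployment: (destination, target).
ROUTES_AFTER = {
    "private-az1": [("10.1.0.0/16", "local"), ("10.1.4.0/24", "gwlbe")],
    "private-az2": [("10.1.0.0/16", "local"), ("10.1.3.0/24", "gwlbe")],
    "cnf-endpoint-az1": [("10.1.0.0/16", "local")],
}

# Same topology with the return route on the AZ 2 table forgotten
# (a constructed misconfiguration that the check below is meant to catch).
ROUTES_MISSING_RETURN = {
    "private-az1": [("10.1.0.0/16", "local"), ("10.1.4.0/24", "gwlbe")],
    "private-az2": [("10.1.0.0/16", "local")],
    "cnf-endpoint-az1": [("10.1.0.0/16", "local")],
}

# Subnet hosting the GWLBe; after inspection the endpoint forwards the packet
# according to this subnet's route table.
GWLBE_SUBNET = "cnf-endpoint-az1"


def subnet_of(ip, subnets=SUBNETS):
    """Name of the modelled subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def lookup(routes, table, dst_ip):
    """AWS route selection: the most specific (longest-prefix) matching route wins."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(routes, src_ip, dst_ip):
    """Hop list for one packet, e.g. ['gwlbe', 'fortigate-cnf', 'gwlbe', 'local']
    for an inspected flow and ['local'] for one that bypasses the firewall."""
    src_subnet = subnet_of(src_ip)
    if src_subnet is None:
        raise ValueError(f"{src_ip} is not in a modelled subnet")
    hops = []
    target = lookup(routes, src_subnet, dst_ip)
    if target == "gwlbe":
        # GWLBe -> FortiGate CNF -> GWLBe, then forwarded per the endpoint subnet's table.
        hops += ["gwlbe", "fortigate-cnf", "gwlbe"]
        target = lookup(routes, GWLBE_SUBNET, dst_ip)
    if target is None:
        raise ValueError(f"no route from {src_subnet} to {dst_ip}")
    hops.append(target)
    return hops


def is_inspected(routes, src_ip, dst_ip):
    return "fortigate-cnf" in trace(routes, src_ip, dst_ip)


def asymmetric_flows(routes, subnets=SUBNETS):
    """Subnet pairs where only one direction passes FortiGate CNF, so the
    firewall never sees the complete session."""
    bad = []
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Probe with one host address picked from each subnet.
            ip_a = str(ipaddress.ip_network(subnets[a])[10])
            ip_b = str(ipaddress.ip_network(subnets[b])[10])
            if is_inspected(routes, ip_a, ip_b) != is_inspected(routes, ip_b, ip_a):
                bad.append((a, b))
    return bad


if __name__ == "__main__":
    print("AZ1 -> AZ2:", trace(ROUTES_AFTER, "10.1.3.10", "10.1.4.10"))
    print("asymmetric pairs (after):", asymmetric_flows(ROUTES_AFTER))
    print("asymmetric pairs (missing return route):",
          asymmetric_flows(ROUTES_MISSING_RETURN))
```

Run against the tables from the procedure, `asymmetric_flows` returns an empty list, while the table set with the Availability Zone 2 return route missing reports the AZ 1/AZ 2 pair. Traffic from either private subnet to the CNF Endpoint Subnet itself stays on the Local route in both directions, which is why that pair is never flagged.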