Centralized ingress: inspection before load balancer Example
Scenario objective
Inbound traffic is inspected by a FortiGate CNF instance before passing to the load balancer.
Before deployment of FortiGate CNF
In this scenario, there is a dedicated VPC called Inspection VPC
that contains the load balancer. The workloads are in different VPCs (VPC A
and VPC B
), and traffic between VPCs is routed through a transit gateway.
The Before deployment of FortiGate CNF traffic flow is as follows:
-
Traffic originates from an external user and enters through the
Internet Gateway
. -
The Internet Gateway sends the traffic to the
Load Balancer
located inPublic Subnet
(10.1.2.0/24). -
The
Load Balancer
send the traffic to theAWS Transit Gateway
located inTGW Subnet
(10.1.6.0/24). -
The
AWS Transit Gateway
forwards the traffic toVPC A
(10.2.0.0./16) orVPC B
(10.3.0.0/16).
Routing tables
The routing tables are defined as follows.
Internet Gatway route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
Public Subnet route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
10.0.0.0/8 |
AWS Transit Gateway |
TGW Subnet route table
Destination | Target |
---|---|
10.1.0.0/16 | Local |
AWS Transit Gateway route table
Destination | Target |
---|---|
10.1.0.0/16 | Inspection VPC |
10.2.0.0/16 | VPC A |
10.3.0.0/16 | VPC B |
After deployment of FortiGate CNF
The After deployment of FortiGate CNF traffic flow is as follows:
-
Traffic originate from an external user and enters through the
Internet Gateway
. -
The Internet Gateway sends the traffic to the
GWLBe
located inCNF Endpoint Subnet
(10.1.1.0/24). -
Traffic is sent to the FortiGate CNF instance for inspection.
-
FortiGate CNF sends traffic back to the
GWLBe
. -
GWLBe sends traffic to the
Load Balancer
located inPublic Subnet
(10.1.2.0/24). -
The
Load Balancer
send the traffic to theAWS Transit Gateway
located inTGW Subnet
(10.1.6.0/24). -
The
AWS Transit Gateway
forwards the traffic toVPC A
(10.2.0.0./16) orVPC B
(10.3.0.0/16).
To deploy the FortiGate CNF instance in this scenario:
-
In AWS, add a subnet
CNF Endpoint Subnet
inInspection VPC
along with the associated route table.Destination Target 10.1.0.0/16 Local 0.0.0.0/0 Internet Gateway -
In FortiGate CNF, deploy a GWLBe to this subnet.
-
In AWS, add a route to the
Internet Gateway
route table to route all traffic toPublic Subnet
to the GWLBe.Destination Target 10.1.0.0/16 Local 10.1.2.0/24 GWLBe -
In AWS, add a route to the
Public Subnet
route table where the load balancer resides to route all traffic to the GWLBe.Destination Target 10.1.0.0/16 Local 10.0.0.0/8
AWS Transit Gateway
0.0.0.0/0
GWLBe