Administration Guide

Centralized ingress: inspection before load balancer Example

Scenario objective

Inbound traffic is inspected by a FortiGate CNF instance before passing to the load balancer.

Before deployment of FortiGate CNF

In this scenario, there is a dedicated VPC called Inspection VPC that contains the load balancer. The workloads are in different VPCs (VPC A and VPC B), and traffic between VPCs is routed through a transit gateway.

The Before deployment of FortiGate CNF traffic flow is as follows:

  1. Traffic originates from an external user and enters through the Internet Gateway.

  2. The Internet Gateway sends the traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

  3. The Load Balancer sends the traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

  4. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16).

Routing tables

The routing tables are defined as follows.

Internet Gateway route table

  Destination   Target
  10.1.0.0/16   Local

Public Subnet route table

  Destination   Target
  10.1.0.0/16   Local
  10.0.0.0/8    AWS Transit Gateway

TGW Subnet route table

  Destination   Target
  10.1.0.0/16   Local

AWS Transit Gateway route table

  Destination   Target
  10.1.0.0/16   Inspection VPC
  10.2.0.0/16   VPC A
  10.3.0.0/16   VPC B

After deployment of FortiGate CNF

The After deployment of FortiGate CNF traffic flow is as follows:

  1. Traffic originates from an external user and enters through the Internet Gateway.

  2. The Internet Gateway sends the traffic to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).

  3. Traffic is sent to the FortiGate CNF instance for inspection.

  4. FortiGate CNF sends traffic back to the GWLBe.

  5. GWLBe sends traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

  6. The Load Balancer sends the traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

  7. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16).

To deploy the FortiGate CNF instance in this scenario:

  1. In AWS, add a subnet named CNF Endpoint Subnet in Inspection VPC along with its associated route table.

     Destination   Target
     10.1.0.0/16   Local
     0.0.0.0/0     Internet Gateway

  2. In FortiGate CNF, deploy a GWLBe to this subnet.

  3. In AWS, add a route to the Internet Gateway route table so that all traffic destined for Public Subnet is sent to the GWLBe.

     Destination   Target
     10.1.0.0/16   Local
     10.1.2.0/24   GWLBe

  4. In AWS, add a default route to the Public Subnet route table (where the load balancer resides) so that all remaining traffic is sent to the GWLBe.

     Destination   Target
     10.1.0.0/16   Local
     10.0.0.0/8    AWS Transit Gateway
     0.0.0.0/0     GWLBe
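The following is an added example, not part of this guide, that models the route tables from steps 1 to 4 with longest-prefix matching and walks a sample request through them. It shows that the 10.1.2.0/24 edge route is what diverts inbound traffic into inspection, that the more specific 10.0.0.0/8 route still wins over the 0.0.0.0/0 route to the GWLBe for traffic toward the workload VPCs, and that replies to internet clients return through the GWLBe, so inspection is symmetric. The client, load balancer and backend addresses are constructed sample values.

```python
import ipaddress

# Route tables from this scenario (CIDRs as on the page; targets are labels).
# The Internet Gateway edge table is given in its before and after form.
# All host addresses used below are constructed sample values.
ROUTE_TABLES = {
    "igw_edge_before": [("10.1.0.0/16", "Local")],
    "igw_edge_after": [("10.1.0.0/16", "Local"), ("10.1.2.0/24", "GWLBe")],
    "cnf_endpoint_subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "Internet Gateway")],
    "public_subnet": [("10.1.0.0/16", "Local"), ("10.0.0.0/8", "AWS Transit Gateway"),
                      ("0.0.0.0/0", "GWLBe")],
    "tgw": [("10.1.0.0/16", "Inspection VPC"), ("10.2.0.0/16", "VPC A"),
            ("10.3.0.0/16", "VPC B")],
}

def lookup(table, dst):
    """Longest-prefix match over one route table, as the VPC router does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def inbound_path(edge_table, lb_ip, backend_ip):
    """Hops a client request takes from the Internet Gateway to a workload VPC."""
    hops = []
    if lookup(edge_table, lb_ip) == "GWLBe":   # edge route diverts to inspection
        hops += ["GWLBe", "FortiGate CNF", "GWLBe"]
    hops.append("Load Balancer")               # "Local" delivers straight to the LB
    hops.append(lookup("public_subnet", backend_ip))
    hops.append(lookup("tgw", backend_ip))
    return hops

def reply_target(client_ip):
    """Where the load balancer's reply to an internet client is sent next."""
    return lookup("public_subnet", client_ip)

def inspection_is_symmetric(edge_table, lb_ip, client_ip):
    """True when both directions of the client <-> LB flow pass the GWLBe."""
    return lookup(edge_table, lb_ip) == "GWLBe" and reply_target(client_ip) == "GWLBe"

if __name__ == "__main__":
    print(inbound_path("igw_edge_before", "10.1.2.10", "10.2.0.5"))
    print(inbound_path("igw_edge_after", "10.1.2.10", "10.2.0.5"))
    print(inspection_is_symmetric("igw_edge_after", "10.1.2.10", "203.0.113.5"))
```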
