Administration Guide

Distributed inter-VPC east-west traffic Example

Scenario objective

Traffic between multiple VPCs is inspected by a FortiGate CNF instance.

Before deployment of FortiGate CNF

The traffic in this scenario is east-west between two VPCs: between VPC A and VPC B, or between VPC A and VPC C. An AWS Transit Gateway attached to the VPCs is required for this to work.

The traffic flow in the Before deployment of FortiGate CNF topology is as follows:

  1. Traffic originates from compute resources located in Private Subnet 1 in VPC A (10.1.3.0/24) and goes to the AWS Transit Gateway located in the TGW Subnet (10.1.6.0/24).

  2. AWS Transit Gateway forwards the traffic to VPC B (10.2.0.0/16) or VPC C (10.3.0.0/16).

Routing tables

The routing tables are defined as follows.

Private Subnet route table

Destination Target
10.1.0.0/16 Local

TGW Subnet route table

Destination Target
10.1.0.0/16 Local

AWS Transit Gateway route table

Destination Target
10.1.0.0/16 VPC A
10.2.0.0/16 VPC B
10.3.0.0/16 VPC C

After deployment of FortiGate CNF

The traffic flow in the After deployment of FortiGate CNF topology is as follows:

  1. Traffic originates from compute resources located in Private Subnet 1 in VPC A (10.1.3.0/24) and goes to the GWLBe located in the CNF Endpoint Subnet (10.1.1.0/24).

  2. Traffic is sent to the FortiGate CNF instance for inspection.

  3. FortiGate CNF sends traffic back to the GWLBe.

  4. Traffic goes to the AWS Transit Gateway located in the TGW Subnet (10.1.6.0/24).

  5. AWS Transit Gateway forwards the traffic to VPC B (10.2.0.0/16) or VPC C (10.3.0.0/16).

To deploy the FortiGate CNF instance in this scenario:

  1. In AWS, add a subnet named CNF Endpoint Subnet (10.1.1.0/24) in VPC A along with its associated route table.

    Destination Target
    10.1.0.0/16 Local
    10.0.0.0/8 AWS Transit Gateway

  2. In FortiGate CNF, deploy a GWLBe to this subnet.

  3. In AWS, add a route to the Private Subnet 1 route table that sends all traffic destined for 10.0.0.0/8 to the GWLBe.

    Destination Target
    10.1.0.0/16 Local
    10.0.0.0/8 GWLBe

  4. In AWS, add a route to the TGW Subnet route table that sends all traffic destined for Private Subnet 1 (10.1.3.0/24) to the GWLBe.

    Destination Target
    10.1.0.0/16 Local
    10.1.3.0/24 GWLBe
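As an added check of the route tables above (example code, not part of the original guide or of FortiGate CNF), the following Python script models the VPC router's longest-prefix matching over those tables and traces a packet in both directions, confirming that the forward and return paths both pass through the GWLBe. It assumes, as the traffic flow above describes, that the GWLBe returns inspected traffic into the CNF Endpoint Subnet and that the Transit Gateway's VPC A attachment delivers into the TGW Subnet.

```python
import ipaddress

# Constructed model of the route tables after FortiGate CNF deployment;
# names are the page's own labels.
ROUTE_TABLES = {
    "Private Subnet 1": [("10.1.0.0/16", "Local"), ("10.0.0.0/8", "GWLBe")],
    "CNF Endpoint Subnet": [("10.1.0.0/16", "Local"),
                            ("10.0.0.0/8", "AWS Transit Gateway")],
    "TGW Subnet": [("10.1.0.0/16", "Local"), ("10.1.3.0/24", "GWLBe")],
    "AWS Transit Gateway": [("10.1.0.0/16", "VPC A"),
                            ("10.2.0.0/16", "VPC B"),
                            ("10.3.0.0/16", "VPC C")],
}

# Assumption: the route table a packet is evaluated against after each hop.
# The GWLBe hands the packet to FortiGate CNF and back, re-entering VPC A in
# the CNF Endpoint Subnet; the TGW attachment for VPC A lands in the TGW Subnet.
NEXT_TABLE = {
    "GWLBe": "CNF Endpoint Subnet",
    "AWS Transit Gateway": "AWS Transit Gateway",
    "VPC A": "TGW Subnet",
}


def lookup(table, dst):
    """Longest-prefix match over one route table, as the VPC router does."""
    ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(start_table, dst, max_hops=8):
    """Return the ordered hops a packet to dst takes, starting in start_table."""
    path, table = [], start_table
    for _ in range(max_hops):
        hop = lookup(table, dst)
        if hop is None:
            return path + ["DROP"]           # no matching route
        path += ["GWLBe", "FortiGate CNF"] if hop == "GWLBe" else [hop]
        if hop not in NEXT_TABLE:            # Local / VPC B / VPC C terminate
            return path
        table = NEXT_TABLE[hop]
    return path + ["LOOP"]                   # guard against routing loops
```

Tracing a destination inside VPC A (for example 10.1.1.5 from Private Subnet 1) matches the more specific 10.1.0.0/16 Local route rather than 10.0.0.0/8, so intra-VPC traffic is not sent to the GWLBe and is not inspected by this design.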
