Centralized egress example

Scenario objective

Outbound traffic to the internet from a private subnet in VPC A or VPC B is inspected by a FortiGate CNF instance.

Before deployment of FortiGate CNF

In this scenario, the workload is located in a private subnet in VPC A or VPC B. The traffic is outbound to the internet.
Before deployment of FortiGate CNF, the traffic flow is as follows:

- Traffic originates in compute resources located in VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16) and goes to the AWS Transit Gateway located in the TGW Subnet (10.1.6.0/24) in the Inspection VPC (10.1.0.0/16).
- The AWS Transit Gateway sends the traffic to the NAT Gateway located in the Public Subnet (10.1.2.0/24).
- The NAT Gateway forwards the traffic on to the Internet Gateway.
- The Internet Gateway sends the traffic to the external user.
Routing tables

The routing tables are defined as follows.

VPC A Private Subnet route table

Destination | Target |
---|---|
10.2.0.0/16 | Local |
0.0.0.0/0 | AWS Transit Gateway |

Public Subnet route table

Destination | Target |
---|---|
10.1.0.0/16 | Local |
0.0.0.0/0 | Internet Gateway |

TGW Subnet route table

Destination | Target |
---|---|
10.1.0.0/16 | Local |

AWS Transit Gateway route table

Destination | Target |
---|---|
0.0.0.0/16 | Inspection VPC |
10.2.0.0/16 | VPC A |
10.3.0.0/16 | VPC B |
After deployment of FortiGate CNF

After deployment of FortiGate CNF, the traffic flow is as follows:

- Traffic originates in compute resources located in VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16) and goes to the AWS Transit Gateway located in the TGW Subnet (10.1.6.0/24) in the Inspection VPC (10.1.0.0/16).
- The AWS Transit Gateway sends the traffic to the GWLBe located in the CNF Endpoint Subnet (10.1.1.0/24).
- The GWLBe sends the traffic to the FortiGate CNF instance for inspection.
- FortiGate CNF sends the traffic back to the GWLBe.
- The GWLBe sends the traffic to the NAT Gateway located in the Public Subnet (10.1.2.0/24).
- The NAT Gateway forwards the traffic on to the Internet Gateway.
- The Internet Gateway sends the traffic to the external user.
To deploy the FortiGate CNF instance in this scenario:

- In AWS, add a subnet, CNF Endpoint Subnet, in the Inspection VPC along with the associated route table.

  Destination | Target |
  ---|---|
  10.1.0.0/16 | Local |
  0.0.0.0/0 | Internet Gateway |
  10.0.0.0/8 | AWS Transit Gateway |

- In FortiGate CNF, deploy a GWLBe to this subnet.

- In AWS, add a route to the Public Subnet route table, where the NAT Gateway resides, to route all traffic destined for 10.0.0.0/8 to the GWLBe.

  Destination | Target |
  ---|---|
  10.1.0.0/16 | Local |
  0.0.0.0/0 | Internet Gateway |
  10.0.0.0/8 | GWLBe |

- In AWS, add a route to the Transit Gateway Subnet route table to route all traffic to the GWLBe.

  Destination | Target |
  ---|---|
  10.1.0.0/16 | Local |
  0.0.0.0/0 | GWLBe |
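The deployment steps above only inspect traffic if every hop's route table is consistent in both directions: the egress path (private subnet to Transit Gateway to GWLBe to NAT Gateway) and the return path (NAT Gateway back through the GWLBe to the Transit Gateway). The following script is an added example, not Fortinet's or AWS's code, that models the route tables on this page and walks a destination address through them with longest-prefix matching, so the configuration can be checked for symmetric inspection and for routing loops before it is applied. It assumes: the VPC B private subnet route table mirrors VPC A's; the Transit Gateway default route is 0.0.0.0/0 (the table above prints 0.0.0.0/16); the CNF Endpoint Subnet default route points at the NAT Gateway, which is what the flow step "GWLBe sends the traffic to the NAT Gateway" requires (the printed table for that subnet says Internet Gateway); and the hop-to-table mapping in `NEXT_TABLE`, which is our model of where each AWS target delivers the packet next. The helper names (`trace`, `inspected_both_ways`, `without_return_route`) are ours.

```python
import copy
import ipaddress

# Route tables for the "after deployment" state, transcribed from this page.
# Each table is a list of (destination prefix, target) entries.
# Assumptions not on the page: the VPC B private subnet table mirrors VPC A's;
# the Transit Gateway default route is modelled as 0.0.0.0/0 (the page prints
# 0.0.0.0/16); the CNF Endpoint Subnet default route is modelled as the NAT
# Gateway, as the page's traffic-flow step requires (its printed table says
# Internet Gateway).
ROUTE_TABLES = {
    "VPC A Private Subnet": [("10.2.0.0/16", "Local"), ("0.0.0.0/0", "AWS Transit Gateway")],
    "VPC B Private Subnet": [("10.3.0.0/16", "Local"), ("0.0.0.0/0", "AWS Transit Gateway")],
    "AWS Transit Gateway": [("0.0.0.0/0", "Inspection VPC"), ("10.2.0.0/16", "VPC A"),
                            ("10.3.0.0/16", "VPC B")],
    "TGW Subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "GWLBe")],
    "CNF Endpoint Subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "NAT Gateway"),
                            ("10.0.0.0/8", "AWS Transit Gateway")],
    "Public Subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "Internet Gateway"),
                      ("10.0.0.0/8", "GWLBe")],
}

# Our model of which route table a packet consults after being handed to a
# target. Targets absent from this map are terminal (delivered or dropped).
NEXT_TABLE = {
    "AWS Transit Gateway": "AWS Transit Gateway",
    "Inspection VPC": "TGW Subnet",          # TGW attachment lives in the TGW Subnet
    "GWLBe": "CNF Endpoint Subnet",          # after FortiGate CNF hands the packet back
    "NAT Gateway": "Public Subnet",          # NAT Gateway forwards via its subnet table
}
MAX_HOPS = 16


def lookup(table, dst):
    """Longest-prefix match of dst against one route table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(tables, start_table, dst):
    """Follow dst hop by hop; returns the ordered list of targets traversed."""
    path, table = [], start_table
    for _ in range(MAX_HOPS):
        target = lookup(tables[table], dst)
        if target is None:
            path.append("NO ROUTE in %s" % table)
            return path
        path.append(target)
        if target not in NEXT_TABLE:
            return path
        table = NEXT_TABLE[target]
    path.append("LOOP")
    return path


def inspected_both_ways(tables, workload_table, workload_ip, internet_ip):
    """True when egress and the NAT Gateway's reply both traverse the GWLBe."""
    egress = trace(tables, workload_table, internet_ip)
    # The reply from the internet arrives at the NAT Gateway, which forwards
    # it toward the private workload using the Public Subnet route table.
    reply = trace(tables, "Public Subnet", workload_ip)
    def clean(path):
        return "GWLBe" in path and not path[-1].startswith(("NO ROUTE", "LOOP"))
    return clean(egress) and clean(reply)


def without_return_route(tables):
    """Copy of the tables with the 10.0.0.0/8 -> GWLBe route (deployment step 3) omitted."""
    broken = copy.deepcopy(tables)
    broken["Public Subnet"].remove(("10.0.0.0/8", "GWLBe"))
    return broken


if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) internet destination.
    print("egress:", trace(ROUTE_TABLES, "VPC A Private Subnet", "203.0.113.10"))
    print("reply: ", trace(ROUTE_TABLES, "Public Subnet", "10.2.5.10"))
    print("symmetric:", inspected_both_ways(ROUTE_TABLES, "VPC A Private Subnet",
                                            "10.2.5.10", "203.0.113.10"))
    print("without step 3:", inspected_both_ways(without_return_route(ROUTE_TABLES),
                                                 "VPC A Private Subnet", "10.2.5.10",
                                                 "203.0.113.10"))
```

Removing the 10.0.0.0/8 route from the Public Subnet table makes the reply match only 0.0.0.0/0 and leave through the Internet Gateway without passing the GWLBe, which is the asymmetric-routing failure that step 3 exists to prevent; the same model can be extended with additional spoke VPCs by adding their private subnet tables and Transit Gateway routes.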