
Administration Guide

Centralized egress Example

Scenario objective

Outbound traffic to the internet from a private subnet in VPC A or VPC B is inspected by a FortiGate CNF instance.

Before deployment of FortiGate CNF

In this scenario, the workload is located in a private subnet in VPC A or VPC B, and its traffic is outbound to the internet.

Before deployment of FortiGate CNF, the traffic flow is as follows:

  1. Traffic originates in compute resources located in VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16) and reaches the AWS Transit Gateway through its attachment in the TGW Subnet (10.1.6.0/24) of the Inspection VPC (10.1.0.0/16).

  2. The AWS Transit Gateway sends the traffic to the NAT Gateway located in the Public Subnet (10.1.2.0/24).

  3. The NAT Gateway forwards the traffic on to the Internet Gateway.

  4. The Internet Gateway sends the traffic to the external host. No inspection takes place on this path.

Routing tables

The routing tables are defined as follows.

VPC A Private Subnet route table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 AWS Transit Gateway

Public Subnet route table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 Internet Gateway

TGW Subnet route table
Destination Target
10.1.0.0/16 Local

AWS Transit Gateway route table
Destination Target
0.0.0.0/0 Inspection VPC
10.2.0.0/16 VPC A
10.3.0.0/16 VPC B

After deployment of FortiGate CNF

After deployment of FortiGate CNF, the traffic flow is as follows:

  1. Traffic originates in compute resources located in VPC A (10.2.0.0/16) or VPC B (10.3.0.0/16) and reaches the AWS Transit Gateway through its attachment in the TGW Subnet (10.1.6.0/24) of the Inspection VPC (10.1.0.0/16).

  2. The TGW Subnet's default route sends the traffic to the GWLBe located in the CNF Endpoint Subnet (10.1.1.0/24).

  3. The GWLBe forwards the traffic to the FortiGate CNF instance for inspection.

  4. FortiGate CNF sends the inspected traffic back to the GWLBe.

  5. The CNF Endpoint Subnet's default route sends the traffic to the NAT Gateway located in the Public Subnet (10.1.2.0/24).

  6. The NAT Gateway forwards the traffic on to the Internet Gateway.

  7. The Internet Gateway sends the traffic to the external host. Return traffic follows the same path in reverse: the Public Subnet's 10.0.0.0/8 route sends it from the NAT Gateway back to the GWLBe for inspection before it is handed to the Transit Gateway.

To deploy the FortiGate CNF instance in this scenario:
  1. In AWS, add a subnet, CNF Endpoint Subnet (10.1.1.0/24), to the Inspection VPC along with an associated route table. The default route carries inspected outbound traffic on to the NAT Gateway; the 10.0.0.0/8 route carries inspected return traffic back to the Transit Gateway. Because route tables use longest-prefix matching, the 10.0.0.0/8 route takes precedence over the default route for private destinations.

    Destination Target
    10.1.0.0/16 Local
    0.0.0.0/0 NAT Gateway
    10.0.0.0/8 AWS Transit Gateway

  2. In FortiGate CNF, deploy a GWLBe to this subnet.

  3. In AWS, add a route to the Public Subnet route table, where the NAT Gateway resides, that sends all traffic destined for 10.0.0.0/8 to the GWLBe. This route forces return traffic back through inspection; without it, replies leaving the NAT Gateway for a private address would match the default route to the Internet Gateway instead of reaching the FortiGate CNF instance.

    Destination Target
    10.1.0.0/16 Local
    0.0.0.0/0 Internet Gateway
    10.0.0.0/8 GWLBe

  4. In AWS, add a default route to the TGW Subnet route table so that all outbound traffic arriving from the Transit Gateway goes to the GWLBe.

    Destination Target
    10.1.0.0/16 Local
    0.0.0.0/0 GWLBe
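The two route-table walks the design depends on, outbound egress and the NAT'd return path, as an added example that is not part of Fortinet's documentation or the FortiGate CNF product: a small Python model that applies longest-prefix matching to the post-deployment tables above and traces a packet hop by hop. The prefixes and targets are the ones the page lists; the hop labels, the rule for which table is consulted after each target (NEXT_TABLE), and the sample addresses are assumptions of this example.

```python
"""Hop-by-hop walk of the route tables in the centralized egress design.

Added example, not Fortinet's code. The prefixes and targets are the ones the
page gives for the post-deployment state; the rule for which table is consulted
after each target (NEXT_TABLE) and the hop names are this example's assumptions
about how the VPC router, Transit Gateway and GWLBe hand traffic on.
"""
import ipaddress

# Route tables after FortiGate CNF deployment, as (destination, target) pairs.
AFTER = {
    "VPC A Private Subnet": [("10.2.0.0/16", "Local"),
                             ("0.0.0.0/0", "AWS Transit Gateway")],
    "AWS Transit Gateway": [("0.0.0.0/0", "Inspection VPC"),
                            ("10.2.0.0/16", "VPC A"),
                            ("10.3.0.0/16", "VPC B")],
    "TGW Subnet": [("10.1.0.0/16", "Local"),
                   ("0.0.0.0/0", "GWLBe")],
    "CNF Endpoint Subnet": [("10.1.0.0/16", "Local"),
                            ("0.0.0.0/0", "NAT Gateway"),
                            ("10.0.0.0/8", "AWS Transit Gateway")],
    "Public Subnet": [("10.1.0.0/16", "Local"),
                      ("0.0.0.0/0", "Internet Gateway"),
                      ("10.0.0.0/8", "GWLBe")],
}

# Assumption: which table a packet is evaluated against after reaching each
# target. The GWLBe hands inspected traffic back to its own subnet's table.
NEXT_TABLE = {
    "AWS Transit Gateway": "AWS Transit Gateway",
    "Inspection VPC": "TGW Subnet",
    "GWLBe": "CNF Endpoint Subnet",
    "NAT Gateway": "Public Subnet",
}
# Terminal targets: the packet leaves the design or is delivered locally.
TERMINAL = {"Internet Gateway", "VPC A", "VPC B", "Local"}


def lookup(table, dst):
    """Longest-prefix match, which is how a VPC route table selects a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(tables, start, dst, max_hops=10):
    """Return the targets a packet to dst hits, starting at route table `start`.

    Stops at a terminal target, or records BLACKHOLE when no route matches.
    """
    path, table = [], start
    for _ in range(max_hops):
        target = lookup(tables[table], dst)
        if target is None:
            path.append("BLACKHOLE")
            return path
        path.append(target)
        if target in TERMINAL:
            return path
        table = NEXT_TABLE[target]
    path.append("LOOP")
    return path


def inspected_both_ways(tables):
    """True if VPC A egress and the NAT'd reply both traverse the GWLBe."""
    out = trace(tables, "VPC A Private Subnet", "203.0.113.10")  # constructed dst
    back = trace(tables, "Public Subnet", "10.2.1.10")           # reply from NAT GW
    return ("GWLBe" in out and out[-1] == "Internet Gateway"
            and "GWLBe" in back and back[-1] == "VPC A")


def without_return_route(tables):
    """The tables as they stand if step 3 (10.0.0.0/8 -> GWLBe) is skipped."""
    broken = dict(tables)
    broken["Public Subnet"] = [r for r in tables["Public Subnet"]
                               if r[0] != "10.0.0.0/8"]
    return broken


if __name__ == "__main__":
    print("egress :", trace(AFTER, "VPC A Private Subnet", "203.0.113.10"))
    print("return :", trace(AFTER, "Public Subnet", "10.2.1.10"))
    print("symmetric inspection:", inspected_both_ways(AFTER))
    broken = without_return_route(AFTER)
    print("return without step 3:", trace(broken, "Public Subnet", "10.2.1.10"))
```

Running the walk with the step 3 route removed shows why that route matters: a reply from the NAT Gateway to 10.2.1.10 matches only the default route and is sent to the Internet Gateway, which is not a valid path for a private address, so the reply never reaches the FortiGate CNF instance or VPC A.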
