Skip to main content
magodcab
Staff
magodcab
Staff
July 24, 2025

Other ways to protect your cloud-native application workloads in AWS

  • July 24, 2025
  • 0 replies
  • 3725 views

 

While AWS provides a strong foundation of native security tools, organizations often seek additional layers of protection to meet specific compliance, visibility, or threat prevention needs. This is where  FortiGate and FortiWeb solutions come into play. FortiGate is Fortinet’s flagship Next-Generation Firewall (NGFW) solution, designed to provide comprehensive, intelligent, and high-performance security for network whether on-premises, in the cloud, or across hybrid environments like AWS, offers advanced threat protection, secure VPN access, and deep traffic inspection, making it ideal for securing VPCs and hybrid cloud environments, for this scenario securing network traffic to and from fargate tasks by inspecting traffic at the VPC level, enforcing segmentation, and blocking malicious activity through deep packet inspection and threat intelligence. Meanwhile, FortiWeb is a specialized web application firewall (WAF) designed to protect web applications such as Fargate-hosted APIs and web services or applications from known and unknown threats, including OWASP Top 10 vulnerabilities, bot attacks, and zero-day exploits. Both solutions integrate seamlessly with AWS infrastructure, offering auto-scaling, centralized management, and support for automation via AWS CloudFormation and Terraform. By incorporating FortiGate and FortiWeb into your cloud-native architecture, you can significantly enhance your security posture and ensure consistent protection across your workloads.

This article is the initial part of a broader blog series focused on securing diverse workloads in AWS using Fortinet solutions. Each post in the series explores how FortiGate and FortiWeb can be applied to different AWS services and architectures from traditional EC2 instances to serverless functions (lambda) and containers (ECS and Fargate). Whether you're running microservices on Fargate, APIs on Lambda, or Kubernetes clusters on EKS, this series provides practical insights and architectural guidance to help you build a consistent and resilient security posture across your cloud environment.

The following diagrams are the proposed infrastructure to completely protect your ECS fargate application


Use case 1

This diagram illustrates the recommended security architecture for applications that include file upload functionality. To ensure robust protection against potential threats, it is advised to deploy a FortiGate firewall at the network perimeter, positioned in front of the internet-facing interface. This setup acts as the first line of defense, including deep inspection of uploaded files, preventing attacks using file-based exploits targeted to application servers or containers, filtering and inspecting incoming traffic before it reaches the FortiWeb web application firewall. FortiWeb then provides specialized protection for web applications, to safeguard against web-based attacks such as malware injection, cross-site scripting (XSS), botnet protection and SQL injection. Together, FortiGate and FortiWeb form a layered security approach that significantly enhances the resilience of applications handling file uploads.

magodcab_0-1752871082440.png

 

Use case 2

Below diagram presents a use case focused on securing both outbound and inbound traffic in a containerized environment using AWS Fargate. For outbound traffic originating from Fargate containers to the internet, FortiGate is deployed to provide advanced threat protection, traffic filtering, and policy enforcement, ensuring that only safe and authorized communications are allowed to specific URLs. Simultaneously, for inbound traffic targeting web applications, FortiWeb is positioned to deliver specialized web application firewall (WAF) capabilities. It inspects and protects against common web threats as said earlier such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. This dual-layered approach ensures comprehensive security coverage for both egress and ingress traffic in modern cloud-native application architectures.

magodcab_1-1752871082442.png

 

 

The previously discussed use cases are all built upon a foundational architecture that aligns with industry best practices for securing modern applications. This approach emphasizes layered security, combining FortiGate for network-level protection and FortiWeb for application-layer defense. By following this model, organizations can significantly reduce their exposure to both known and emerging threats.

magodcab_2-1752871082447.png

 

 

 

The following steps are for reference only:

  • Deploy your Fargate application: Creating an application using AWS Fargate involves several steps, typically within the context of Amazon ECS (Elastic Container Service) or Amazon EKS (Elastic Kubernetes Service). Here's a high-level overview of the steps using Amazon ECS with Fargate, which is the most common approach:
    • Develop your application and containerize it using Docker.

magodcab_3-1752871082455.png

 

magodcab_4-1752871082466.png

 

  • Now build your tailored image using below command:
    docker build -t welcome-to-docker .

magodcab_5-1752871082473.png

 

  • Next run it and check the frontend application using below command:

docker run -d -p 8088:3000 --name welcome-to-docker welcome-to-docker

magodcab_6-1752871082480.png

 

  • Push the image to a container registry like Amazon Elastic Container Registry (ECR)
  • Get credentials for temporary AdministratorAccess

magodcab_7-1752871082485.png

 

magodcab_8-1752871082488.png

 

magodcab_9-1752871082493.png

  • Copy Values the access key and secret access key to configure later
  • Create a repository

magodcab_10-1752871082501.png

 

  •  Use on your local machine the following command: aws configure and paste the values as require the configure command

magodcab_11-1752871082504.png

  • Next, use the following command:
    aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com

magodcab_7-1753108164559.png

 

  • Push the image you have created before, using this command:

docker images

magodcab_8-1753108260898.png

 

docker tag <tag-id> XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/fargate-test-repo:version1

magodcab_9-1753108260899.png

 

docker push XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/fargate-test-repo:version1

magodcab_10-1753108337610.png

 

magodcab_11-1753108337615.png

  • Create an ECS cluster and create a Fargate ECS application
  • Create an ECS Cluster

 

magodcab_12-1753108427634.png

  • Create a Task Role

magodcab_13-1753108493042.png

 

magodcab_14-1753108493046.png

 

magodcab_15-1753108493050.png

 

magodcab_16-1753108493055.png

 

magodcab_17-1753108493058.png

 

magodcab_18-1753108493061.png

 

  • Create a Task Definition

magodcab_2-1753109231362.png

magodcab_19-1753108564449.png

 

Set Linux/X86_64

Set CPU = .25 vCPU and .5 GB to Memory

Use ecsTaskExecutionRole

magodcab_20-1753108564455.png

 

magodcab_21-1753108564462.png

 

  • Use image URI XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/fargate-test-repo:version1 where XXXXXXXXXX must be replaced by your own account number

Use container port 3000

magodcab_25-1753108648706.png

 

  • Create security group (named DemoAppECS-sg) allowing TCP 3000 traffic for inbound and all traffic for outbound

magodcab_26-1753108708996.png

 

magodcab_27-1753108708997.png

 

  • Create a Public service application

magodcab_28-1753108783373.png

 

magodcab_29-1753108783378.png

 

magodcab_30-1753108783386.png

 

  • Set the VPC and public subnets, segurity group created previously and turn ON public IP
 

magodcab_31-1753108830006.png

 

 

magodcab_32-1753108830014.png

  • Test Application on your browser (this is public for application checking only, later will be deleted)

magodcab_0-1753109231350.png

  • Create a private service application

magodcab_1-1753109231356.png

magodcab_3-1753109231366.png

 

  • Set the VPC and private subnets, segurity group created previously and turn OFF public IP (for this step you must warranty internet access to private subnets)magodcab_4-1753109311628.png

 

  • After successful deployment, gather the IP of created container

magodcab_5-1753109311634.png

  • Deploy an application load balancer within VPC and private subnets
  • Create an internal ALB and target group

magodcab_7-1753109394172.png

 

magodcab_8-1753109394177.png

 

 

magodcab_9-1753109394181.png

 

magodcab_10-1753109394185.png

 

Note: In some cases if customer doesn’t have FortiWeb VM deployed in your AWS environment you can strengthen your cloud security with Fortinet managed rules, for more information please check below links:

 

magodcab_11-1753109394189.png

 

magodcab_12-1753109394191.png

magodcab_13-1753109394194.png

  • Register target IP gathered from previous step and click on “include as pending below”

magodcab_15-1753109504679.png

 

magodcab_16-1753109504681.png

magodcab_17-1753109504687.png

 

  • Come back to ALB page wizard and set the previously created target group

magodcab_18-1753109504692.png

 

  • Wait until target group becomes healthy

magodcab_19-1753109504697.png

  • Gather DNS name of application load balancer

magodcab_20-1753109504704.png

  • Open your FortiWeb console and register the new Fargate application load balancer DNS name on a new server pool
  • Check connectivity from Fortiweb to gathered container IP

magodcab_21-1753109504705.png

  • Check connectivity from Fortiweb to load balancer DNS as well

magodcab_22-1753109504707.png

magodcab_23-1753109504712.png

 

magodcab_24-1753109504716.png

 

magodcab_25-1753109504721.png

  • Create a server policy changing port number if desired

magodcab_26-1753109504726.png

  • Set a proper web protection profile according to application and security needs and select from policy

magodcab_27-1753109504730.png

  • Create a new fargate application service but now selecting all private subnets and without public IP, and associating the created load balancer for new containers being registered automatically on target group
  • Create a new task definition now pointing to private subnets of your desired VPC

magodcab_31-1753110056444.png

 

magodcab_32-1753110056449.png

 

magodcab_33-1753110056454.png

magodcab_34-1753110056459.png

magodcab_35-1753110056463.png

 

magodcab_36-1753110056464.png

  • From FortiGate create a VIP for external Fortiweb IP using port TCP 8081
  • Create VIP for Fortiweb

magodcab_39-1753110180114.png

  • Create Firewall Rule for FortiWeb public access through FortiGate

magodcab_40-1753110180119.png

 

magodcab_41-1753110180123.png

  • Test your application from browser

magodcab_42-1753110180128.png

  • Check traffic logs on FortiGate and FortiWeb consoles to ensure traffic is being inspected
  • FortiGate traffic logs

magodcab_43-1753110279594.png

  • FortiWeb attack logs

magodcab_44-1753110279605.png

 

  • Do some Tunning on FortiWeb console according to your application behavior (if needed)
  • Go Live changing your application DNS pointing to FortiGate public IP address.
  • Delete Fargate public service created on previous step

Takeaways:

  1. Layered Security Architecture is Essential

Deploying FortiGate and FortiWeb in tandem provides a comprehensive security posture:

  • FortiGate acts as the first line of defense, filtering and inspecting both inbound and outbound traffic at the network level.
  • FortiWeb offers deep application-layer protection, especially critical for features like file uploads and web interfaces.
  1. Cloud-Native Environments Require Tailored Protection:

In containerized environments like AWS Fargate, it's crucial to:

  • Secure outbound traffic from containers using FortiGate to prevent data exfiltration or malicious communication.
  • Protect inbound application traffic with FortiWeb to mitigate layer 7 web-based threats.
  1. Follow Best Practices and Official Guidance:
  • Please note that this blog outlines several design options intended solely for validation and conceptual understanding. These examples are not meant for direct use in production environments. For real-world deployments, we strongly recommend that customers engage with our cloud consulting services team to ensure proper design, configuration, and security alignment with organizational requirements and best practices. For more information you can check out the link below link:

https://www.fortinet.com/resources/security-consulting-services

Referencies:

AWS Fargate: https://aws.amazon.com/es/blogs/compute/building-deploying-and-operating-containerized-applications-with-aws-fargate/
AWS ECR:  https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html

AWS Image push: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-push.html

FortiWeb admin guide: https://docs.fortinet.com/document/fortiweb/7.4.8/administration-guide/60895/introduction

FortiGate admin guide: https://docs.fortinet.com/document/fortigate/7.4.8/administration-guide/954635/getting-started

Terms & ConditionsAccessibility statement