How to route multiple public IP addresses traffic through Fortigate in AWS

I'm not sure how you can accomplish what you want to do without changing your architecture.

You need to change your web servers so that they are behind the FortiGate which is an inherent architectural change.

A pretty decent (yet simple) reference architecture and configuration describing what you want to do is here: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/619591/single-fortigate-vm-deployment

https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/619591/single-fortigate-vm-deployment

Hello Graham, Thank you for the update. I completely understand the public subnet & protected subnet concept in new implementations. However, my requirement is little different as I mentioned previously.

Let's correlate it with traditional based networking & now cloud networking too, where we'll have multiple web servers which needs to be accessed by the internet users & each web server has its only individual public/elastic IP. I need that to be routed through the Fortigate like a web server hosted in DMZ. The problem if you put them in a protected subnet is that the servers will no longer be able to use its individual public IP's & needs to use only WAN IP as VIP with port forwarding which is not a feasible solution if you have multiple web servers running on same destination ports. There should be a way like we have in traditional based networking where you have a public IP pool & you nat them at Firewall end for each web server.

Im no AWS expert but this should be possible of course. People do it all the time. I’m not sure exactly how but possibly using multiple IP addresses on an interface? 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html

Thanks, Graham, for your quick reply, the doc shows adding multiple IPs on an instance; however, my requirement is completely different as I informed previously. Definitely yes, there should be some solution. Looking forward a solution from someone on this forum, thanks much for your inputs.

Hello mwissa/Graham, I understand what you are saying; but it didn't work out. Let me put it in this way for example.

VPC1: CIDR 192.168.0.0/16

Public Subnet: 192.168.0.0/24, FGT WAN interface IP: 192.168.0.50 (public IP 203.10.10.10)

Web servers already hosted in public subnet: 192.168.0.100 (public IP 203.10.10.111 on port 443), 192.168.0.101 (public IP 203.10.10.112 on port 443), 192.168.0.102 (public IP 203.10.10.113 on port 443) and multiple IPs for multiple web servers

Route for public subnet pointed towards IGW

Private Subnet: 192.168.1.0/24, FGT LAN interface IP: 192.168.1.50

Internal servers: 192.168.1.100, 192.168.1.101, 192.168.1.102 (works all on 443)

Route for private subnet pointed towards FGT LAN interface

1. Even if you create secondary public IP on Fortigate it will be mapped to its secondary interface which will not fulfill the requirement

2. Even if I move all those web servers in public subnet to private subnet, then I need to do a specific VIP configuration for each and every server with FGT WAN interface associated elastic IP address.

E.g Anything to come from WAN interface to reach 192.168.1.100 source port 8443, destination port 443, 192.168.1.101 source port 8444 destination port 443.

I already have public IPs to the servers and creating multiple VIPs with different source port is not an ideal solution for me, I just want to route those n number of public IPs provided for web servers via the Firewall just like a DMZ setup.

Thank you everyone for your inputs, I figured it out. Understood in other way around, all I need to do is create secondary IP's (as many as required) for Fortigate WAN subnet, then map an elastic IP. Followed by mapping WAN and LAN private IP VIP's and allow the rules, so we are doing a double-NAT here to accomplish this.