jeeva-spec
New Member
March 24, 2026
Question

Internet-facing ALB → FortiGate Firewall → Internal ALB (host-based routing for 5 apps) – Is this se

  • March 24, 2026
  • 2 replies
  • 192 views

Hello everyone,

We are currently in the design phase of an ingress security architecture in AWS and have not implemented anything yet. We are seeking guidance, reference architectures, and best practices to help us design this correctly.

Proposed Architecture (Under Consideration)

Internet → External NLB (TLS pass-through) → FortiGate-VM instances (inspection layer) → Internal ALB → Web applications

  • The external NLB would be internet-facing and handle TCP/TLS pass-through (no SSL termination).

  • Traffic would be forwarded to FortiGate-VM (NGFW) instances for inspection.

  • After inspection, traffic would be sent to an internal ALB, which would perform:

    • HTTPS termination

    • Host-based routing (e.g., app1.example.com, app2.example.com, etc.)

The internal ALB would route traffic to backend targets (EKS / ECS / EC2).


Goals

At the FortiGate layer, we aim to:

  • Apply web filtering policies

  • Perform deep SSL inspection (if feasible)

  • Allow only clean/validated traffic to reach the internal ALB

  • Allow specific domains, URLs, or paths across applications


Request for Community Support

As we are still in the design phase, we are seeking comprehensive guidance from the community on the following:

  • Validation of the proposed architecture

  • Recommendations for improvements or alternative approaches

  • Reference architectures (preferably production-proven designs)

  • Best practices for scalability, high availability, and day-to-day operations

 

Specific Questions

  1. Architecture viability

    • Is this NLB → FortiGate → internal ALB design recommended for production use?

    • Would this scale well as the number of applications increases?

  2. Inspection approach

    • Is SNI-based filtering (flow mode) sufficient for most use cases?

    • Or is proxy-based deep SSL inspection generally recommended?

  3. SSL inspection design

    • If deep inspection is required:

      • Should SSL be terminated at FortiGate and re-encrypted toward ALB?

      • What is the best practice for managing certificate trust?

  4. Client IP and routing

    • How should we handle client IP preservation in this setup?

    • What is the recommended approach to ensure symmetric routing?

  5. Scaling and high availability

    • Best practices for FortiGate Auto Scaling Group design

    • Handling session persistence and failover scenarios


Context

  • FortiOS versions: 7.4 / 7.6

  • Backend workloads: EKS, ECS, and EC2

  • Currently planning for 2 applications, with expected growth in the future


We would greatly appreciate any guidance, real-world experience, or documentation that can help us design this architecture correctly from the beginning.

Thank you in advance for your support.
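Added worked example (not from the original post, and not Fortinet or AWS code): a small Python model of the first two hops of the proposed pipeline, showing what a flow-mode, SNI-based filter on the FortiGate layer can actually see when the external NLB passes TLS through untouched. The script constructs its own sample bytes: a PROXY protocol v2 header of the kind an NLB prepends when proxy protocol is enabled (one option for client IP preservation with TLS pass-through) followed by a TLS ClientHello. The hostnames app1.example.com and app2.example.com are taken from the post; the allowlist policy, the function names and the sample addresses are hypothetical.

```python
import struct

# Hostnames from the post's host-based routing example; the allowlist itself is hypothetical.
ALLOWED_HOSTS = {"app1.example.com", "app2.example.com"}

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # PROXY protocol v2 signature


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record; server_name=None omits the SNI extension."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type = host_name
        lst = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst           # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                 # legacy_version + random
            + b"\x00"                                               # session_id length 0
            + b"\x00\x02\x13\x01"                                   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_proxy_v2(src_ip, dst_ip, src_port, dst_port):
    """Construct a PROXY v2 header (IPv4/TCP) as prepended by a load balancer with proxy protocol on."""
    addrs = (bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split("."))
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIG + b"\x21\x11" + struct.pack("!H", len(addrs)) + addrs   # v2 PROXY, AF_INET/STREAM


def strip_proxy_v2(stream):
    """Return (client_ip or None, bytes after the header). Only IPv4/TCP addresses are decoded."""
    if not stream.startswith(PP2_SIG) or len(stream) < 16:
        return None, stream                                         # no header: source IP is whatever the socket says
    ver_cmd, fam, length = stream[12], stream[13], struct.unpack("!H", stream[14:16])[0]
    payload = stream[16:16 + length]
    client_ip = None
    if ver_cmd == 0x21 and fam == 0x11 and len(payload) >= 12:
        client_ip = ".".join(str(b) for b in payload[:4])           # src_addr comes first
    return client_ip, stream[16 + length:]


def extract_sni(record):
    """Pull the host_name from a ClientHello record, or None if absent, truncated, or not TLS."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        return None                                                 # truncated record
    try:
        pos = 2 + 32                                                # skip legacy_version + random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # end of extensions block
        pos += 2
        while pos + 4 <= end <= len(body):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                                                # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace").lower()
                lpos += 3 + nlen
    except (IndexError, struct.error):
        return None
    return None


def sni_policy(record):
    """Flow-mode style decision: allow only hostnames on the list, deny anything unclassifiable."""
    name = extract_sni(record)
    if name is None:
        return "deny: no SNI visible (non-TLS, ECH, or legacy client); flow mode cannot classify"
    if name in ALLOWED_HOSTS:
        return "allow: " + name
    return "deny: " + name + " not in allowlist"


def classify(stream):
    """Pass-through pipeline: strip PROXY v2 if present, then apply SNI policy to the first record."""
    client_ip, rest = strip_proxy_v2(stream)
    return client_ip, sni_policy(rest)


if __name__ == "__main__":
    # Constructed sample: NLB with proxy protocol v2 forwarding a ClientHello for app1.
    sample = build_proxy_v2("203.0.113.7", "10.0.1.5", 51000, 443) + build_client_hello("app1.example.com")
    print(classify(sample))                                   # ('203.0.113.7', 'allow: app1.example.com')
    print(classify(build_client_hello("app3.example.com")))   # (None, 'deny: app3.example.com not in allowlist')
    print(classify(build_client_hello(None)))
```

Two points the model makes concrete. First, with TLS pass-through the only hostname signal available to a flow-mode policy is the cleartext SNI, which is a client-supplied, unauthenticated string and is hidden entirely by TLS 1.3 Encrypted Client Hello; the "no SNI" branch has to be a deliberate decision, because a default-allow there lets any client bypass the filter by omitting the extension. Second, the URL and path allowlists mentioned in the post's goals are invisible at this layer: they live inside the encrypted record, so they require proxy-based deep inspection with the FortiGate terminating TLS (and a trust chain the backend ALB and clients accept), not a flow-mode SNI check. Client IP preservation is a separate choice that must be made before any of this parsing runs: either the load balancer keeps the original source address on the packets, or it prepends a PROXY v2 header that the inspection layer must consume, as shown here.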

2 replies

Stephen_G
Moderator
March 27, 2026

Hello jeeva-spec,

Thank you for using the Community Forum. I will seek to get you some help. We will reply to this thread with an update as soon as possible.

I recognise this is a broad topic. If anyone else has any ideas, feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team
Stephen_G
Moderator
March 30, 2026

Hi jeeva-spec,

We're still looking to get you an answer or help. We'll respond as soon as we're able.

Thanks,

Stephen_G - Fortinet Community Team