Feature Introduction
AWS Cloud WAN
AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs)—building a global network with only a few clicks. You use network policies to automate network management and security tasks in one location. Cloud WAN generates a complete view of your on-premises and AWS networks to help you monitor network health, security, and performance.
Fortinet SD-WAN
The Fortinet SD-WAN (software-defined wide-area network) solution enables enterprises to transform and secure all WAN edges. Using a Security-driven Networking approach built on one operating system and one centralized management console, enterprises get a better user experience, a stronger security posture from converged networking and security, and operational continuity and efficiency. Fortinet FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises. Fortinet's Security-Driven Networking approach consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.
Example and Configuration Instructions
In this example, we use three Regions for the test. In each Region we create two VPCs with different roles: a web server is deployed in Business-VPC as the test application, and a FortiGate is deployed in Fortinet-VPC as the SD-WAN access node. Network connectivity between the VPCs is established through AWS Cloud WAN.
With minimal configuration, AWS Cloud WAN and Fortinet SD-WAN together provide cloud-network convergence: the FortiGate at the Singapore branch office connects to the closest Fortinet SD-WAN access node deployed in AWS, and we verify that endpoints behind the branch get the best experience when accessing all services deployed in AWS.
Design parameters:

| Region | Virginia | Singapore | Frankfurt |
|---|---|---|---|
| VPC Name | Business-VPC, Fortinet-VPC | Business-VPC, Fortinet-VPC | Business-VPC, Fortinet-VPC |
| Business-VPC CIDR | 10.0.1.0/24 | 10.0.2.0/24 | 10.0.3.0/24 |
| Fortinet-VPC CIDR | 172.16.1.0/24, 172.16.32.0/24 | 172.16.2.0/24, 172.16.32.0/24 | 172.16.3.0/24, 172.16.32.0/24 |
| SD-WAN CIDR | 10.0.255.0/24 | 10.0.254.0/24 | 10.0.253.0/24 |
Architecture:
Deploy VPC
Create the VPCs according to the design parameters:
1. Virginia configuration:
  - Create a VPC named Business-VPC with a subnet address segment of 10.0.1.0/24
  - Create a VPC named Fortinet-VPC with subnet address segments of 172.16.1.0/24 and 172.16.32.0/24
2. Singapore configuration:
  - Create a VPC named Business-VPC with a subnet address segment of 10.0.2.0/24
  - Create a VPC named Fortinet-VPC with subnet address segments of 172.16.2.0/24 and 172.16.32.0/24
3. Frankfurt configuration:
  - Create a VPC named Business-VPC with a subnet address segment of 10.0.3.0/24
  - Create a VPC named Fortinet-VPC with subnet address segments of 172.16.3.0/24 and 172.16.32.0/24
Deploy Cloud WAN
Create the Cloud WAN for this example: in the VPC console, select AWS Cloud WAN in the left navigation pane, then click Network Manager to open the Cloud WAN design and configuration page.
1. Create a Global network named "Fortinet" as the root network unit
2. Configure the Core network of the root network unit
  - Set "ASN range" to "64521-64529"
  - Set "Edge locations", select Virginia, Singapore, Frankfurt
  - Set "Segment name" to "sdwan"
3. Configure the Core network policy
  - Create an attachment policy rule
    - Set "Rule number" to "200"
    - Set "Attach to Segment" to "sdwan"
    - Set "Attachment condition" type to "any"
  - After creating the policy, click View and apply change set to push the configuration and make it take effect.
4. Configure the Attachments for the Core network
  - Create an Attachment named "Virginia-Business"
    - Set "Edge location", select "Virginia"
    - Set "Attachment type", select "VPC"
    - Set "VPC Attachment", select "Business-VPC"
  - Follow step 4 to create the corresponding attachments for all 6 VPCs in turn.
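The console steps above amount to a single core network policy document, which is what "View and apply change set" pushes. The following is an added Python example (not from the original guide and not AWS code) that builds that document from the design parameters and runs two pre-apply checks; the Region codes for Virginia, Singapore and Frankfurt and the `require-attachment-acceptance` value are assumptions the guide does not state.

```python
import json

# Design parameters from this guide; the Region codes are an assumption
# (the console steps only name Virginia, Singapore and Frankfurt).
EDGE_LOCATIONS = {"Virginia": "us-east-1", "Singapore": "ap-southeast-1",
                  "Frankfurt": "eu-central-1"}
ASN_RANGE = "64521-64529"
SEGMENT = "sdwan"
RULE_NUMBER = 200


def build_core_network_policy() -> dict:
    """Core network policy document equivalent to the console steps:
    one segment, the ASN range, three edge locations, and attachment rule 200
    whose condition type 'any' associates every attachment with 'sdwan'."""
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "asn-ranges": [ASN_RANGE],
            "edge-locations": [{"location": code} for code in EDGE_LOCATIONS.values()],
        },
        # Assumed false so the six VPC attachments join without manual acceptance.
        "segments": [{"name": SEGMENT, "require-attachment-acceptance": False}],
        "attachment-policies": [{
            "rule-number": RULE_NUMBER,
            "condition-logic": "or",
            "conditions": [{"type": "any"}],
            "action": {"association-method": "constant", "segment": SEGMENT},
        }],
    }


def review_policy(policy: dict) -> list:
    """Checks worth running before 'View and apply change set'."""
    notes = []
    low, high = (int(x) for x in policy["core-network-configuration"]["asn-ranges"][0].split("-"))
    if not 64512 <= low <= high <= 65534:
        notes.append("ASN range is outside the private range 64512-65534")
    segments = {s["name"] for s in policy["segments"]}
    for rule in policy["attachment-policies"]:
        target = rule["action"]["segment"]
        if target not in segments:
            notes.append(f"rule {rule['rule-number']} targets undefined segment {target}")
        if any(c["type"] == "any" for c in rule["conditions"]):
            # Catch-all rule: every future attachment, not just these six VPCs,
            # lands in the segment; tighten with tag or account conditions later.
            notes.append(f"rule {rule['rule-number']} matches every attachment -> {target}")
    return notes
```

`json.dumps(build_core_network_policy(), indent=2)` prints the document in the form the Network Manager policy editor accepts.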
Deploy Business-VPC instance
Deploy a Linux instance in the Business-VPC of each Region and install a web server for business testing.
- Virginia configuration:
  - IP address 10.0.1.80
  - Complete the web server deployment
- Singapore configuration:
  - IP address 10.0.2.80
  - Complete the web server deployment
- Frankfurt configuration:
  - IP address 10.0.3.80
  - Complete the web server deployment
Deploy Fortinet-VPC instance
Deploy a FortiGate instance in the Fortinet-VPC of each Region with two NICs: one on the private subnet for the connection to Business-VPC, the other on the public subnet for the Internet connection. Configure the address segments as follows.
- Virginia configuration:
  - Private connection IP address 172.16.1.254, public connection IP address 172.16.32.254 (bind an EIP)
  - Complete the FortiGate deployment and activate the license
- Singapore configuration:
  - Private connection IP address 172.16.2.254, public connection IP address 172.16.32.254 (bind an EIP)
  - Complete the FortiGate deployment and activate the license
- Frankfurt configuration:
  - Private connection IP address 172.16.3.254, public connection IP address 172.16.32.254 (bind an EIP)
  - Complete the FortiGate deployment and activate the license
Deploy VPC routing
- Virginia configuration:
  - Business-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
  - Fortinet-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
- Singapore configuration:
  - Business-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
  - Fortinet-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
- Frankfurt configuration:
  - Business-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
  - Fortinet-VPC: add routes for 10.0.0.0/22 and 172.16.0.0/22 with the Core network as the target
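The two summary routes above are what make the addressing in the design table work, so here is an added Python example (not from the original guide) that checks the plan against them: prefixes the Core network routes must be unique across Regions, while prefixes outside both summaries stay Region-local. The addressing dictionary is constructed from the design table.

```python
from ipaddress import ip_address, ip_network

# Addressing plan constructed from this guide's design parameters table.
REGIONS = {
    "Virginia": {"business": "10.0.1.0/24", "private": "172.16.1.0/24",
                 "public": "172.16.32.0/24", "sdwan": "10.0.255.0/24"},
    "Singapore": {"business": "10.0.2.0/24", "private": "172.16.2.0/24",
                  "public": "172.16.32.0/24", "sdwan": "10.0.254.0/24"},
    "Frankfurt": {"business": "10.0.3.0/24", "private": "172.16.3.0/24",
                  "public": "172.16.32.0/24", "sdwan": "10.0.253.0/24"},
}
# Summary routes every VPC route table points at the Core network.
CORE_ROUTES = [ip_network("10.0.0.0/22"), ip_network("172.16.0.0/22")]


def routed_via_core(prefix: str) -> bool:
    """True if the whole prefix is reachable through the Core network summaries."""
    net = ip_network(prefix)
    return any(net.subnet_of(route) for route in CORE_ROUTES)


def check_plan() -> dict:
    """Find prefixes reused across Regions that the Core network would route
    (a real conflict) and prefixes the summaries leave out (Region-local)."""
    core_prefixes = {}   # prefix -> Regions using it, Core-routed prefixes only
    outside_core = []    # (region, role, prefix) not reachable via the Core network
    for region, nets in REGIONS.items():
        for role, prefix in nets.items():
            if routed_via_core(prefix):
                core_prefixes.setdefault(prefix, []).append(region)
            else:
                outside_core.append((region, role, prefix))
    conflicts = {p: r for p, r in core_prefixes.items() if len(r) > 1}
    return {"conflicts": conflicts, "outside_core": outside_core}


def has_return_route(src_ip: str) -> bool:
    """Can a Business-VPC instance reply to src_ip through the Core network?
    Branch or tunnel addresses outside the summaries need NAT on the hub
    FortiGate policy or an extra VPC route; this exposes that dependency."""
    return any(ip_address(src_ip) in route for route in CORE_ROUTES)


if __name__ == "__main__":
    result = check_plan()
    print("conflicting Core-routed prefixes:", result["conflicts"])
    for region, role, prefix in result["outside_core"]:
        print(f"{region}: {role} {prefix} is outside the Core network summaries")
    print("return route for branch 10.0.254.1:", has_return_route("10.0.254.1"))
```

It reports the shared 172.16.32.0/24 public subnet and the three SD-WAN tunnel subnets as outside the summaries, and `has_return_route` shows that a branch address such as 10.0.254.1 has no Core network route back from a Business-VPC, so the hub FortiGate policy must NAT that traffic or an additional route is needed.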
Deploy SD-WAN access nodes
Virginia configuration:
1. Create an IPsec tunnel named "SD-WAN", template type select "Custom"
  - Set "Remote Gateway", select "Dialup User"
  - Set "Interface", select "port2"
  - Set "Pre-shared Key" to 123456789
  - Set "IKE Version", select "2"
  - Set "Peer Options", select "Any peer ID"
2. Configure the SD-WAN interface IP address and administrative access
  - Set "Address IP" to 10.0.255.254
  - Set "Remote IP/Netmask" to 10.0.255.254/24
  - Set "Administrative Access", select "Ping"
3. Configure a static route toward the test services
  - Set "Destination" to 10.0.0.0/22
  - Set "Interface", select "port1"
  - Set "Administrative Distance" to "1"
4. Configure the firewall policy for accessing the test business
  - Set "Incoming Interface", select "SD-WAN"
  - Set "Outgoing Interface", select "port1"
  - Set "Source", select "all"
  - Set "Destination", select "Business Address (10.0.0.0/22)"
Follow the same method to deploy the other two SD-WAN access nodes.
Deploy Branch Office
Branch office FortiGate configuration:
1. Create an IPsec tunnel named "sdwan01", template type select "Custom"
  - Set "Remote Gateway" to the Singapore EIP
  - Set "Interface", select "port1"
  - Set "Dead Peer Detection", select "On Idle"
  - Set "Pre-shared Key" to 123456789
  - Set "IKE Version", select "2"
2. Configure the IP address and administrative access for the "sdwan01" interface
  - Set "Address IP" to 10.0.254.1
  - Set "Remote IP/Netmask" to 10.0.254.254/24
  - Set "Administrative Access", select "Ping"
3. Configure SD-WAN zones: add sdwan01 to virtual-wan-link
  - Create an SD-WAN member
    - Set "Interface", select "sdwan01"
    - Set "SD-WAN Zone", select "virtual-wan-link"
4. Configure an SD-WAN rule so that traffic to the test application leaves through "sdwan01"
  - Set "Destination", select "Business Address"
  - Set "Outbound Interface", select "sdwan01"
5. Configure the firewall policy for accessing the test business
  - Set "Incoming Interface", select "port10"
  - Set "Outgoing Interface", select "virtual-wan-link"
  - Set "Source", select "all"
  - Set "Destination", select "Business Address (10.0.0.0/22)"
Verify
- Verify connectivity from the branch office to the business by pinging each Business-VPC test service
- Verify availability from the branch office by accessing each Business-VPC test service in a browser