Alan_Chen
Staff
Staff

Feature Introduction

AWS Cloud WAN

AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs)—building a global network with only a few clicks. You use network policies to automate network management and security tasks in one location. Cloud WAN generates a complete view of your on-premises and AWS networks to help you monitor network health, security, and performance.

 

Fortinet SD-WAN

Fortinet SDWAN (software-defined wide-area network) solution enables enterprises to transform and secure all WAN edges. Leveraging the Security-driven Networking approach that uses one operating system and one centralized management console, enterprises realize superior user experience, enhanced security posture effectiveness with converged networking and security, and achieve operational continuity and efficiency. Fortinet FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises. Our Security-Driven Networking approach consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.

 

Example and Configuration Instructions

In this example, we choose three regions perform the test, separately in each region create 2 VPCs, Define different feature properties. Deploy web server as a test application in Business-VPC, deploy FortiGate as an SD-WAN access node in Fortinet-VPC. Network connectivity between VPCs is established through AWS Cloud WAN.

We deploy AWS Cloud WAN and Fortinet SD-WAN with minimal configuration operations enabled cloud-network convergence, connecting to the closest Fortinet SD-WAN access node deployed in AWS via FortiGate at the Singapore branch, verify the endpoint to have the best experience accessing all services deployed in AWS.

Design parameters:

Region

Virginia

Singapore

Frankfurt

VPC Name

Business-VPC

Fortinet-VPC

Business-VPC

Fortinet-VPC

Business-VPC

Fortinet-VPC

Business-VPC CIDR

10.0.1.0/24

10.0.2.0/24

10.0.3.0/24

Fortinet-VPC CIDR

172.16.1.0/24

172.16.32.0/24

172.16.2.0/24

172.16.32.0/24

172.16.3.0/24

172.16.32.0/24

SD-WAN CIDR

10.0.255.0/24

10.0.254.0/24

10.0.253.0/24

Architecture:

MessageImages_bd666b6bd2614bed88f7a809e508b7e1.png 

Deploy VPC

Create a VPC based on the design parameters

1、Virginia Configuration:

  • Create a VPC named Business-VPC with a subnet address segment configured as 10.0.1.0/24
  • Create a VPC named Fortinet-VPC with a subnet address segment configured as 172.16.1.0/24 and 172.16.32.0/24MessageImages_9e14773efb2f422ab65c51e7b58e2f9a.png

2、Singapore Configuration:

  • Create a VPC named Business-VPC with a subnet address segment configured as 10.0.2.0/24
  • Create a VPC named Fortinet-VPC with a subnet address segment configured as 172.16.2.0/24 and 172.16.32.0/24MessageImages_415b272661404d8eac7289d33cd6b977.png

3、Frankfurt Configuration:

  • Create a VPC named Business-VPC with a subnet address segment configured as 10.0.3.0/24
  • Create a VPC named Fortinet-VPC with a subnet address segment configured as 172.16.3.0/24 and 172.16.32.0/24MessageImages_8de0af46f12c4d27829d1a3738c1be09.png

Deploy Cloud WAN

Create a cloud wan based on example needs, Select AWS Cloud WAN in the left column of the VPC control page, click Network Manager to enter the Cloud WAN design and configuration page.

  1. Create a Global network named "Fortinet" as the root network unitMessageImages_e996e976899940238faff9b3cb43451c.png
  2. Configure the Core networks of the root network unit
  • Set "ASN range" to "64521-64529"
  • Set "Edge locations", select Virginia, Singapore, Frankfurt
  • Set "Segment name" to "sdwan"MessageImages_aad288ccf29349cb964a665862110da8.pngMessageImages_0771738b5fcf4d7dad3ad6251b0b1539.png
  1. Configure Core network Policy
  • Create an Argument policy rule
  • Set "Rule number" to "200"
  • Set "Attach to Segment" to "sdwan"
  • Set "Attachment condition" type to "any"MessageImages_07328b8eeb0546eea245f942c238842f.png
  • After creating a policy, click View and apply change set to send the configuration to make it take effect.MessageImages_8d9e5b744a944bcb97e2de264a2db497.png

  1. Configure the Attachment for the Core network
  • Create an Attachment named "Virginia-Business"
  • Set "Edge location", select "Virginia"
  • Set "Attachment type", select "VPC"
  • Set "VPC Attachment", select "Business-VPC"MessageImages_7bf01e9380c94f8bbee6fbf8b2771d47.png
  • Follow step 4 to create the appropriate attachments for the 6 VPCs in turn.MessageImages_67eb6aa1e719448cac983f0e0ac046d0.pngMessageImages_27e0e185f0764fd0bec06278e781aa69.png

 

Deploy Business-VPC instance

Deploy a Linux instances in each Business-VPC in each Region and install Web Server for business testing.

  1. Virginia configuration:
  • IP address 10.0.1.80MessageImages_90fe3efdc5fc4287882fae7fdd0c011d.png
  • Complete the Web Server deploymentMessageImages_30b8d6e56f0b46e8ae794681aaae552a.png

 

  1. Singapore configuration:
  • IP address 10.0.2.80MessageImages_6c4a6aaf3f4b46edbcea8a14995fb1f0.png
  • Complete the Web Server deploymentMessageImages_0a54cc918cc943d78a8dcafe7fb9dee3.png

 

  1. Frankfurt configuration:
  • IP address 10.0.3.80MessageImages_2c56416b008d40c6b87aecb90efbc20d.png
  • Complete the Web Server deploymentMessageImages_8be37b5c06314a4faf8c05cb159a8a6d.png

 

Deploy Fortinet-VPC instance

Deploy a FortiGate instance in each Fortinet-VPC in each Region, allocate 2 NICs, one as a private connection to Business-VPC, and the other as a public connection to internet, and configure different address segments.

  1. Virginia configuration:
  • Private connection IP address 172.16.1.254, Public connection IP address 172.16.32.254 (Binding EIP)MessageImages_c2e1fbbc44e2414b89d6310e4744c517.png
  • Complete the FortiGate deployment and activate licenseMessageImages_b59b595341bc473cbc94f6f064b24594.png

 

  1. Singapore configuration:
  • Private connection IP address 172.16.2.254, Public connection IP address 172.16.32.254 (Binding EIP)MessageImages_2bfc09b9648f44e493e58cda378b43dd.png
  • Complete the FortiGate deployment and activate licenseMessageImages_d381f253b7004cc2be91abadc4cd7bee.png

 

  1. Frankfurt configuration:
  • Private connection IP address 172.16.3.254, Public connection IP address 172.16.32.254 (Binding EIP)MessageImages_7a678e4b4c5742fa8ca90dfa046952f9.png
  • Complete the FortiGate deployment and activate licenseMessageImages_00f8b046d21a4c10865ae0c84b6a8370.png

 

Deploy VPC routing

  1. Virginia configuration:
  • Business-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_441dc797aec64467aa96c0df40365f6a.png
  • Fortinet-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_d54fdbdaf1914e938f99ce6a86cd6b13.png

 

  1. Singapore configuration:
  • Business-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_77e319d0729640d9b4d74d56c128198e.png
  • Fortinet-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_03e0d0b97b2747bbb4b7ca7c722a6830.png

 

  1. Frankfurt configuration:
  • Business-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_10b91645188f4f08b340dfe62e5ff16e.png
  • Fortinet-VPC, set the routing interface for target 10.0.0.0/22 and 172.16.0.0/22 as Core networkMessageImages_2dce11f81faa4805afeb20cb89b79ac5.png

 

Deploy SD-WAN access nodes

Virginia Configuration:

  1. Create an IPSec Tunnel named SD-WAN, template type select "Custom"
  • Set "Remote Gateway", select "Dialup User"
  • Set "Interface", select "port2"
  • Set "Pre-shared Key" to 123456789
  • Set "IKE Version", select "2"
  • Set "Peer Options", select "Any peer ID"MessageImages_ed028dbd9068496db9b163d380354657.png

 

  1. Configure the SD-WAN interface IP address and access permissions
  • Set the Address IP" to 10.0.255.254
  • Set The Remote IP/Netmask" to 10.0.255.254/24
  • Set Administrative Access", select "Ping"MessageImages_7141bf4b4ad44f2ebe16606c20323413.png

 

  1. Configure static route for access test services
  • Set "Destination" to 10.0.0.0/22
  • Set "Interface", select "port1"
  • Set "Administrative Distance" to "1"MessageImages_45562474b3f04922a0c38ce0cc380ed1.png

 

  1. Configure the Firewall Policy for accessing the test business
  • Set "Incoming Interface", select "SD-WAN"
  • Set "Outgoing Interface", select "port1"
  • Set "Source", select "all"
  • Set "Destination", select "Business Address (10.0.0.0/22) "MessageImages_cb95f19cc78e48dba4ed5438822f070f.png

Follow this method to complete the deployment of the other two SD-WAN access nodes. 

Deploy Branch Office

Branch Office's FortiGate configuration:

  1. Create an IPSec Tunnel named "sdwan01", template type chooses Custom
  • Set "Remote Gateway" to Singapore EIP
  • Set "Interface", select "port1"
  • Set "Dead Peer Detection", select "On Idle"
  • Set "Pre-shared Key" to 123456789
  • Set "IKE Version", select "2"MessageImages_cd072c74e3614b6d8e7c3321e850bcb5.png

 

  1. Configure the IP address and access permissions for the "sdwan01" interface
  • Set "Address IP" to 10.0.254.1
  • Set "Remote IP/Netmask" to 10.0.254.254/24
  • Set "Administrative Access", select "Ping"MessageImages_3a273256f235489e9e083f252ce0aef5.png

 

  1. Configure SD-WAN Zones, add sdwan01 to virtual-wan-link
  • Create an SD-WAN Member
  • Set "Interface", select "sdwan01"
  • Set "SD-WAN Zone", select "Virtual-wan-link"MessageImages_b1dec6d1188b47a5819c9c8eae1fccc0.png

 

  1. Configure SD-WAN Rules to let traffic to the test application flow out of "sdwan01"
  • Set "Destination", select "Business Address"
  • Set "Outbound Interface", select "sdwan01"MessageImages_95ffd9a988d846efb195c98f4150fad2.png

 

  1. Configure the Firewall Policy for accessing the test business
  • Set "Incoming Interface", select "port10"
  • Set "Outgoing Interface", select "virtual-wan-link"
  • Set "Source", select "all"
  • Set "Destination", select "Business Address (10.0.0.0/22)"MessageImages_512b835f676242f4994a736bc5302342.png

 

Verify

  1. Verify connectivity in branch office to business by ping each Business-VPC test serviceMessageImages_f5c0fe8477d34b708dd47b47a4670956.png

 

  1. Verify availability in branch office to access each Business-VPC test service via browser
    MessageImages_2ab85b2e6a2b4942a49b1a373bd2121f.png

 

1 Comment