lmomesso
Staff
Article Id 280125

Description

 

AWS Cloud WAN simplifies the process of creating, overseeing, and optimizing a unified global network, streamlining the connection between customers’ cloud-based and on-premises infrastructure for enhanced speed, security, and convenience. To help secure network traffic, organizations use the combination of FortiGate Next Generation Firewall as part of their defense-in-depth strategy and Secure SD-WAN.

 

AWS Cloud WAN offers a comprehensive range of connectivity, routing, and security services. It is specifically designed to facilitate seamless integration with on-premises SD-WAN and SASE technologies and services. As many enterprise organizations transition from traditional private WAN to SD-WAN and SASE, FortiGate Secure SD-WAN leverages the full capabilities of AWS's global network when interconnected with AWS Cloud WAN.

 

This article describes how to architect with FortiGate and AWS Cloud WAN Tunnel-less technology that addresses the following use cases:

 

  • FortiGate Secure SD-WAN natively integrated with AWS Cloud WAN to connect on premises data centers, remote branches, SASE Point of Presences, and users over different transit networks.
  • FortiGate Next Generation Firewall for outbound traffic inspection (also known as north-south inspection).

 

HL-CWAN-SDWAN.PNG

 

Figure-1 – Cloud WAN and Fortinet Secure SD-WAN.

Scope

 

FortiGate Secure SD-WAN, AWS Cloud WAN, FortiGate Next Generation Firewall.

 

Solution

 

To get the most from this article, it is necessary to understand some of the fundamental concepts used by Cloud WAN. Check the Cloud WAN documentation to learn more about Cloud WAN concepts.

 

In this article, the primary focus will be on establishing a global FortiGate-VM within a Security VPC to enhance and secure connectivity for remote branch locations. The Security VPC can also be used as a centralized outbound network traffic inspection from AWS workloads in a Cloud WAN network, commonly referred to as north-south traffic. Note that filtering and inspecting traffic within a VPC or transit traffic between AWS Cloud WAN Segments (known as east-west traffic) is a valuable use case, but it will not be covered in this article.

 

The new Cloud WAN capability known as 'tunnel-less connect' will be used to achieve the desired solution. FortiGate-VM peers can employ BGP (Border Gateway Protocol) without the need for specialized tunneling protocols. The following advantages are provided by Tunnel-Less on Cloud WAN:

 

  • Native and simplified tunnel-less integration: Tunnel-less Connect removes the need to deploy IPSec or GRE-based tunnels between the FortiGate-VM hub appliances and AWS Cloud WAN. This removes the need for tunneling protocol configuration and simplifies the overall integration process.
  • Improved Throughput Performance: Tunnel-less integration does not introduce the additional packet overhead of tunneling protocols (the GRE header is 24 bytes and an IPSec header can be up to 64 bytes), effectively increasing connection throughput. Higher effective throughput can optimize the size and number of FortiGate-VM instances (EC2). Moreover, Tunnel-less integration provides the full VPC attachment bandwidth (100 Gbps peak) for customer traffic, compared to IPSec VPN (1.25 Gbps per tunnel) and GRE (5 Gbps per tunnel). This high-bandwidth connectivity lessens the need for specialized techniques like ECMP (Equal Cost Multi-pathing), which is typically used to scale bandwidth across tunnels.

The FortiGate-VMs will be deployed in Active/Passive configuration to ensure high availability within the region.

 

FortiGate Secure SD-WAN with AWS Cloud WAN.

 

This setup will be created with a Cloud WAN Core Network with two edge locations and three network segments: Security, Production, and Development. 

The VPCs are attached to the Edge Network as VPC attachments. The Prod VPC and Dev VPC each host a private workload deployed in a single availability zone (AZ), while the FortiGate-VMs have been deployed in the Security VPC across multiple AZs. Figure 2 illustrates the high-level topology of the environment constructed in this article.

 

High-Level-Topology.PNG

Figure-2 – Multi-Region topology with 3 network segments and VPC attachments.

 

Figures 3 and 4 depict the FortiGate-VMs, subnets, and attachments in the Security VPC in the regions us-west-1 and eu-central-1:

 

Security-VPC-US-WEST-1.PNG

 Figure-3 – FortiGate-VMs in the central security VPC and Cloud WAN attachment in the region us-west-1.

 

 

 

Security-VPC-EU-CENTRAL-1.PNG

 Figure-4 – FortiGate-VMs in the central security VPC and Cloud WAN attachment in the region eu-central-1.

 

 

Figures 5 and 6 depict the attachment of VPC Production and Development into Cloud WAN segments in the region us-west-1 and eu-central-1.

 

VPC-Prod-Dev-us-west-1.PNG

 

Figure-5 – VPC Production and Development attached into Cloud WAN segments in the region us-west-1.

 

VPC-Prod-Dev-eu-central-1.PNG

 

Figure-6 – VPC Production and Development attached into Cloud WAN segments in the region eu-central-1.

 

The traffic from Production and Development VPC goes through the Cloud WAN Core Network to reach its respective local Security VPC, where the FortiGate-VMs filter and apply NAT to the egressing traffic. Figure 7 provides a comprehensive illustration of the packet flow, depicting the journey from VPC Prod-A to the internet, offering a detailed view of the data path.

 

Packet-Flow-Us-West-1.PNG

Figure-7 – Packet flow from Prod-A to the internet going through centralized outbound traffic inspection in the region us-west-1.

 

Consider the packet flow and how traffic from the VPC-Prod-A is routed by the Cloud WAN Core Network, inspected by FortiGate-VM, and egresses to the internet:

 

  1. The packet leaves the EC2 instance, travels toward the Cloud WAN Core Network ENI in the private subnet, and arrives in the Production Segment of the Cloud WAN Core Network.
  2. Within the Production Segment route table of the Cloud WAN Core Network, a default route is present; it was propagated by route import from the Security Segment.


Production-Segment-Route-Table.PNG

 

  3. In the Security Segment route table, the routes learned through BGP peering with the FortiGate are present, including the default route. The FortiGate receives the packet and applies the firewall policies and NAT.

Security-Segment-Route-Table.PNG

 

  4. The packet goes to the internet with its source being the Elastic IP associated with the public ENI connected to the FortiGate-VM.
  5. The packet reaches its destination.

 

Now, consider the key configuration on AWS Cloud WAN and FortiGate-VMs.

 

Steps to create a global and core network.

 

To get started with AWS Cloud WAN, it is first necessary to create the VPCs, Subnets, and Route Tables.

The following steps outline the procedures for setting up the structure of an AWS Cloud WAN global and core network. Select the document links to see more information.

 

  1. Create a Global Network: The first step in setting up AWS Cloud WAN is to create a global network.
  2. Create a core network and core network policy: After creating a global network, consider creating a core network within the global network. After creating the core network, it will also be possible to create the core network policy that deploys the network structure. The figure below shows the expected topology within the AWS account:

Core-Network-CWAN.PNG

 

To illustrate, the following Network Policy configurations will be used:

 

  • ASN Ranges: 64520 – 64525.

The Autonomous System Numbers (ASNs) to assign to the Core Network Edges. By default, the core network automatically assigns an ASN to each Core Network Edge.

 

ASN_RANGE.PNG

 

  • Inside CIDR blocks: 10.192.0.0/16.

The Classless Inter-Domain Routing (CIDR) block range is used to create tunnels for AWS Transit Gateway Connect and tunnel-less BGP peering with FortiGate-VMs.

 

CIDR-CWAN-RANGE.PNG

 

  • Edge Locations: Europe (Frankfurt), US West (N. California).

 

CloudWAN-EdgeLocation-CIDR.PNG

 

  • Segments: Development, Production, Security.

Please note that in this example, attachment acceptance has been configured as 'false.' It is still essential to emphasize that attachment acceptance is considered a security best practice, necessitating network administrator approval for attachment requests.

 

CloudWAN-Network-Segments.PNG

 

  • Segments Actions – optional.

The Production and Development segments share a connection with the Security Segment, enabling automatic propagation of routes between the Security Segment and the other two segments.

 

Import-Segments.png

 

CWAN-Policy.png

 

Ensure that the correct key name that defines the network segment is specified in the attachment tag value.
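As an added example that is not part of the article, the following Python builds the core network policy document that expresses the settings listed above (ASN range, inside CIDR block, edge locations, segments, and the share action), and includes a small resolver that mirrors how the attachment policies map the Environment tag to a segment and how the share action links Security to the other two segments. The lowercase segment names and the rule numbers are assumptions; the tag key, ASN range, CIDR and edge locations are the article's values.

```python
import json

# Tag value on the attachment -> segment it is placed in (constructed mapping;
# segment names assumed lowercase, tag key "Environment" as in the article).
SEGMENT_TAGS = {"Security": "security", "Production": "production",
                "Development": "development"}

def attachment_policies():
    """One rule per segment: an attachment tagged Environment=<value> joins <segment>."""
    return [{
        "rule-number": 100 * n,
        "condition-logic": "or",
        "conditions": [{"type": "tag-value", "operator": "equals",
                        "key": "Environment", "value": tag_value}],
        "action": {"association-method": "constant", "segment": segment},
    } for n, (tag_value, segment) in enumerate(SEGMENT_TAGS.items(), start=1)]

CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64520-64525"],             # ASN range for the Core Network Edges
        "inside-cidr-blocks": ["10.192.0.0/16"],   # inside CIDR used by the tunnel-less peers
        "edge-locations": [{"location": "us-west-1"}, {"location": "eu-central-1"}],
    },
    # Acceptance is false here, as in the article; true requires admin approval.
    "segments": [{"name": s, "require-attachment-acceptance": False}
                 for s in SEGMENT_TAGS.values()],
    # Security shares routes with Prod and Dev (so the FortiGate default route
    # reaches them); Prod and Dev stay isolated from each other.
    "segment-actions": [{"action": "share", "mode": "attachment-route",
                         "segment": "security",
                         "share-with": ["production", "development"]}],
    "attachment-policies": attachment_policies(),
}

def segment_for_attachment(policy, tags):
    """Segment an attachment with these tags joins; lowest rule-number match wins."""
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        hits = [c["type"] == "tag-value" and c["operator"] == "equals"
                and tags.get(c["key"]) == c["value"] for c in rule["conditions"]]
        if (any if rule.get("condition-logic", "or") == "or" else all)(hits):
            return rule["action"]["segment"]
    return None  # no rule matched: the attachment lands in no segment

def segments_share_routes(policy, a, b):
    """True when a 'share' action propagates routes between segments a and b."""
    return a == b or any(act["action"] == "share" and {a, b} == {act["segment"], other}
                         for act in policy["segment-actions"] for other in act["share-with"])

def policy_document():
    """JSON text to pass to put-core-network-policy."""
    return json.dumps(CORE_NETWORK_POLICY, indent=2)
```

A tag value that does not match a rule exactly (for example a lowercase "production") resolves to no segment, which is the misconfiguration the note above warns about.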

 

  3. Create the Security-VPC attachments.

Having created the Cloud WAN resources, the next step is to attach the VPCs into the Cloud WAN. Follow these steps:

 

  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
  2. Under Connectivity, choose Global Networks.
  3. On the Global networks page, choose the global network link for the core network to which the attachment will be added.
  4. In the navigation pane under the name of the global network, choose Attachments.
  5. Choose Create attachment.
  6. Enter a name identifying the SECURITY-VPC attachment.
  7. From the Edge location dropdown list, choose the location where the attachment is located.
  8. Choose VPC.
  9. Check the option Appliance mode support.
  10. From the VPC ID dropdown list, choose the Security-VPC to attach to the core network.
  11. After choosing the VPC ID, a prompt will appear to choose the Availability Zone and Subnet Id in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that were chosen upon creating the core network. It is necessary to choose the subnet called subnet-core in each availability zone.

 

CWAN-Security-VPC-Attachment.png

 

  12. In the Tags section, add Key and Value tags to put the attachment in the right Network Segment: Environment = Security.

 

CWAN-Security-VPC-Attachment-tag.png

 

  13. Choose Create attachment.
  14. Repeat the same process for the Security-VPC in the eu-central-1 region.

 

  4. Create the Tunnel-Less connection with the FortiGate-VMs.

Next, configure the BGP peer between Core Network and FortiGate-VM in the Security-Segment as shown in the figure below.

 

BGP-Peering.PNG

 

Follow these steps:

  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
  2. Under Connectivity, choose Global Networks.
  3. On the Global networks page, choose the global network link for the core network to which the attachment will be added.
  4. In the navigation pane under the name of the global network, choose Attachments.
  5. Choose Create attachment.
  6. Enter a name identifying the FortiGate-US-WEST-1 attachment.
  7. From the Edge location dropdown list, choose the location where the attachment is located.
  8. From the connect attachment protocol, select Tunnel-less (No Encapsulation).
  9. For Transport Attachment ID, select the VPC-Security attachment.
  10. In the Tags section, add Key and Value tags to put the attachment in the right Network Segment. Environment = Security.

 

BGP-Peering-Configuration.png

 

  11. After completing the Connect Attachment section, choose the Connect peers tab.
  12. Choose Create Connect peer.
  13. Enter a Name to identify the Connect peer.
  14. In the Peer BGP IP Address, enter the FortiGate-VM internal IP address.
  15. In the Peer ASN, enter the BGP AS number of the FortiGate-VM.
  16. Select the private subnet in the availability zone.

 

Connect-Peering-Creation.png

 

  17. Repeat the same process for the Security-VPC in the eu-central-1 region.

 

  5. Create the VPC Production attachments.

Follow these steps:

 

  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
  2. Under Connectivity, choose Global Networks.
  3. On the Global networks page, choose the global network link for the core network to which the attachment will be added.
  4. In the navigation pane under the name of the global network, choose Attachments.
  5. Choose Create attachment.
  6. Enter a name identifying the VPC-Production attachment.
  7. From the Edge location dropdown list, choose the location where the attachment is located.
  8. Choose VPC.
  9. From the VPC ID dropdown list, choose the VPC-Prod-A to attach to the core network.
  10. After choosing the VPC ID, a prompt will appear to choose the Availability Zone and Subnet Id in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that were chosen upon creating the core network.

 

VPC-Prod-Attachment.png

 

  11. In the Tags section, add Key and Value tags to put the attachment in the right Network Segment: Environment = Production.

 

VPC-Prod-Attachment-tag.png

 

  12. Choose Create attachment.
  13. Repeat the same process for VPC-Production in the eu-central-1 region.

 

  6. Create the VPC Development attachments.

Follow these steps:

 

  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
  2. Under Connectivity, choose Global Networks.
  3. On the Global networks page, choose the global network link for the core network to which the attachment will be added.
  4. In the navigation pane under the name of the global network, choose Attachments.
  5. Choose Create attachment.
  6. Enter a name identifying the VPC-Development attachment.
  7. From the Edge location dropdown list, choose the location where the attachment is located.
  8. Choose VPC.
  9. From the VPC ID dropdown list, choose the VPC-Dev-A to attach to the core network.
  10. After choosing the VPC ID, a prompt will appear to choose the Availability Zone and Subnet Id in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that were chosen upon creating the core network.

 

VPC-Dev-A-Attachment.png

 

  11. In the Tags section, add Key and Value tags to put the attachment in the right Network Segment: Environment = Development.

 

VPC-Dev-A-Attachment-tag.png

 

  12. Choose Create attachment.
  13. Repeat the same process for VPC-Development in the eu-central-1 region.

 

Steps to deploy FortiGate-VM in Active/Passive.

 

  1. Deploy FortiGate-VMs. See the administration guide.

It is necessary to deploy two FortiGate clusters: one located in us-west-1, and the other in eu-central-1. The following steps provide configuration examples specifically for the us-west-1 region.

 

  2. Configure the FortiGate static routes in the region us-west-1 as below:

config router static
    edit 1
        # Summary route for the private address space back toward Cloud WAN via port3
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.111.2.1
        set device "port3"
    next
    edit 2
        # No dst set, so this is the default route (0.0.0.0/0) out via the public interface port2
        set gateway 10.111.0.1
        set device "port2"
    next
end

 

  3. Configure the BGP peering.

config router bgp
    set as 65515
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    config neighbor
        # First Connect peer: IP address assigned by Cloud WAN from the inside CIDR block
        edit "10.192.1.67"
            set capability-graceful-restart enable
            # Advertise the default route to Cloud WAN via the FortiGates
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            # AS number of the Cloud WAN Core Network Edge
            set remote-as 64522
            set update-source "port3"
        next
        # Second Connect peer: IP address assigned by Cloud WAN
        edit "10.192.1.9"
            set capability-graceful-restart enable
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64522
            set update-source "port3"
        next
    end
end

 

After the FortiGate BGP configuration, BGP peering should be UP on the Cloud WAN.

 

bpg-peer-status.png

 

  4. Configure the egress Firewall Policy – NAT Enabled.

config firewall policy
    edit 2
        set name "Egress-NAT"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        # Source NAT to the port2 address, i.e. the Elastic IP mapped to the public ENI
        set nat enable
    next
end

 

  5. Check the routes on Cloud WAN.

Follow these steps:

 

  1. Access the Network Manager.
  2. Select Core Network.
  3. Select the Routes tab.
  4. For Route Filter, select the Security segment. For Edge location, select us-west-1.
  5. Verify that Cloud WAN is receiving the default route from the connected peers:

 

route-filter-security-segment.png

 

  6. At this stage, the workloads in the private subnets of the Production and Development VPCs should have internet connectivity through the FortiGates. Ensure that the default route in the route table of the remote VPCs points to the Core Network.

 

rtb-private-prod-A.png

 

Now, the FortiGates and Cloud WAN have complete routing configurations. It is now possible to configure SD-WAN on the FortiGates for remote branches, as demonstrated in the image below.

 

SDWAN-US-WEST-1.PNG

 

Conclusion.

 

The complementary partnership between Fortinet and AWS Cloud WAN delivers a comprehensive WAN at massive scale. It empowers organizations to expand their networks globally with ease, accommodating the growing demands of modern business.

Consistent enforcement and visibility provide tools to enhance security and monitor network traffic consistently, ensuring that no potential threat goes unnoticed.

 

In conclusion, the information presented in this article is useful for those seeking to understand and experiment with Fortinet's solutions in AWS. These insights, tips, and best practices provide a foundation for testing and familiarizing oneself with the capabilities of Fortinet's products. It is essential to emphasize that the guidance shared here is intended exclusively for lab and testing purposes. When it comes to deploying these solutions in a production environment or implementing more advanced configurations tailored to the unique needs of an organization, it is strongly recommended to reach out to Fortinet's Cloud Consulting Services team at consulting@fortinet.com.

 

Fortinet’s Cloud Consulting experts bring a wealth of experience and expertise to the table, ensuring that cloud security solutions are not only deployed securely but are also optimized for peak performance and efficiency.
