| Description | This article describes the procedure to Create a VIP to send traffic from FortiGate Cloud to the AWS Internal Load Balancer. |
| Scope | FortiGate Cloud, AWS. |
| Solution |
Network Layout:
Scenario:
The architecture in AWS is as shown below:
External User -> Internet -> DNS resolving to External Application Load Balancer -> Rules in Application load balancer checking as per URL/ host configured rules and sending to Active FortiGate firewall in the backend -> firewall processing the rule against its checklist and attack vectors.
In this case:
The VIP is hit as the external interface mapping of the FortiGate private IP to the FQDN of the internal application/network load balancer, and is sent to defined port to backend.
Configuration:
Configure Firewall Address as per AWS Network/Application Load Balancer FQDN:
Below shows means to configure the Firewall Address through CLI. This can also be done through the GUI by checking the relevant settings.
# config firewall address edit "nlb_fqdn" set uuid 2********************391 set type fqdn set fqdn "my-loadbalancer-1234567890.us- west-2.elb.amazonaws.com" next end
Create VIP via CLI: (Only possible in the CLI) The following example shows VIP creation for accessing RDP access to the internal server from outside.
# config firewall vip edit RDP_VIP1 set type fqdn end
Select the created VIP while creating the policy. (It will be visible for selection under the list.) Apply security as required, save the policy and test.
Article by Amarpreet Singh - 'Joshiamarpreet' |
