AWS Cloud WAN Service Insertion feature allows customers to easily integrate FortiGate-VMs or FortiGate-CNF to enhance cloud networking and security capabilities. Cloud WAN Service Insertion streamlines traffic steering to FortiGate for the following use cases:
This article explains how to deploy FortiGate with AWS Cloud WAN Service Insertion across regions, as illustrated in the figure below.
You can find the Terraform code for deploying the resources needed for this blog post at the link below.
https://github.com/leandro2m/fortigate-aws-cwan
To get the most out of this post, you must understand some of the fundamental concepts used by Cloud WAN Service Insertion. For more details, refer to the Cloud WAN documentation and the blog post Simplify Global Security Inspection with AWS Cloud WAN Service Insertion to learn more about Cloud WAN and Cloud WAN Service Insertion concepts.
The following advantages are provided by Cloud WAN Service Insertion with FortiGate:
In this setup, we will create a Cloud WAN Core Network with two edge locations and two network segments, namely Production, and Development spanning across the two regions. The VPCs are attached to the Edge Network as VPC attachments. FortiGate-VMs have been deployed in the Security VPC attached to a Network Function Group.
Traffic from the Production and Development VPCs flows through the Cloud WAN Core Network, where Cloud WAN Service Insertion, using its policy document capabilities, steers the traffic through FortiGate. Customers use the “send-to” segment-action for north-south and internet egress traffic inspection, and the “send-via” segment-action for east-west traffic inspection. FortiGate supports all service insertion segment-actions and segment insertion modes.
Figure 2 depicts the FortiGate-VMs, subnets, and Cloud WAN attachments in the Security VPC in us-west-1 and us-west-2.
Figure 3 depicts the attachment of the Production and Development VPCs to Cloud WAN segments in the regions us-west-1 and us-west-2.
For north-south traffic inspection in the production segment, the following segment-action has been configured on Cloud WAN:
The Service Insertion "send-to" clause creates a default route in the production segment, pointing traffic to the inspectionVPCs Network Function Group. Figure 5 shows the route table in the production segment.
The Service Insertion “send-via” clause in the production segment creates east-west route propagation, sending all VPC prefixes to inspectionVPCs.
Figure 7 shows the route table sending all the traffic to inspectionVPCs as a result of the “send-via” segment-action route policy.
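The "send-to" and "send-via" clauses above live in the core network policy document. The following added example (not the post's Terraform, and not Fortinet or AWS code) builds a constructed policy fragment for the two segments and the inspectionVPCs Network Function Group described here, then lints the segment-actions for dangling segment or NFG names and reports which segments receive a default route and which segment pairs are routed via the NFG; the field names follow the Cloud WAN policy-document schema as I understand it.

```python
import json

# Constructed policy document (not the post's Terraform): production gets a
# default route to the inspection NFG (send-to) and production->development
# traffic is routed via the NFG (send-via).
POLICY = json.loads("""
{
  "version": "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["64512-64555"],
    "edge-locations": [{"location": "us-west-1"}, {"location": "us-west-2"}]
  },
  "segments": [{"name": "production"}, {"name": "development"}],
  "network-function-groups": [{"name": "inspectionVPCs"}],
  "segment-actions": [
    {"action": "send-to", "segment": "production",
     "via": {"network-function-groups": ["inspectionVPCs"]}},
    {"action": "send-via", "segment": "production", "mode": "single-hop",
     "when-sent-to": {"segments": ["development"]},
     "via": {"network-function-groups": ["inspectionVPCs"]}}
  ]
}
""")

def lint_service_insertion(policy):
    """Return (errors, segments_with_default_route, (src, dst) send-via pairs)."""
    segments = {s["name"] for s in policy.get("segments", [])}
    nfgs = {g["name"] for g in policy.get("network-function-groups", [])}
    errors, default_route, pairs = [], set(), set()
    for act in policy.get("segment-actions", []):
        seg, kind = act.get("segment"), act.get("action")
        if seg not in segments:
            errors.append(f"{kind}: undefined segment {seg!r}")
        for g in act.get("via", {}).get("network-function-groups", []):
            if g not in nfgs:                # route would have no NFG to land in
                errors.append(f"{kind} for {seg!r}: undefined NFG {g!r}")
        if kind == "send-to":                # installs 0.0.0.0/0 via the NFG
            default_route.add(seg)
        elif kind == "send-via":             # east-west prefixes via the NFG
            if act.get("mode") not in ("single-hop", "dual-hop"):
                errors.append(f"send-via for {seg!r}: bad mode {act.get('mode')!r}")
            for dst in act.get("when-sent-to", {}).get("segments", []):
                if dst not in segments:
                    errors.append(f"send-via for {seg!r}: undefined segment {dst!r}")
                pairs.add((seg, dst))
        else:
            errors.append(f"unknown segment-action {kind!r}")
    return errors, sorted(default_route), sorted(pairs)
```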
Figure 8 provides a hop-by-hop illustration of the packet flow, depicting the journey from the Prod-A workload, attached to the Production segment, to the Dev-A workload, attached to the Development segment, inspected by FortiGate in the Network Function Group.
Let us walk through the packet flow to see how traffic from VPC-Prod-A to VPC-Dev-A is routed through the Cloud WAN Core Network and inspected by the FortiGate-VM behind the Gateway Load Balancer.
3. The route to 10.212.0.0/16 points to the Security VPC attachment. The Security VPC is associated with the Network Function Group inspectionVPCs; in the Network Function Group route table, the route is propagated via the Security VPC attachment.
4. The packet is forwarded to the subnet in the Security VPC where the Cloud WAN is attached.
5. The local route table includes a route directing the traffic to the Gateway Load Balancer Endpoint (GWLBE).
6. The packet is forwarded to Gateway Load Balancer (GWLB). The GWLB balances the traffic across multiple FortiGate-VMs.
7. FortiGate receives the packet and applies deep packet inspection.
8. FortiGate returns the packet to Gateway Load Balancer.
9. The GWLB maintains flow symmetry and returns the packet to the GWLBE that originated the session. The route table of the GWLBE subnet sends all traffic to Cloud WAN.
10. The packet returns to the Network Function Group inspectionVPCs.
11. As shown in figure 11, the next hop for 10.212.0.0/16 points to the VPC-Dev-A attachment.
12. The packet reaches its destination.
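To make the hop-by-hop flow above checkable, here is an added example (not from the post) that encodes constructed route tables for steps 3 to 11 with longest-prefix matching and walks a packet from VPC-Prod-A to an address in VPC-Dev-A (10.212.0.0/16). The table names, next-hop labels and the non-routing hops in CONTINUE (attachment hand-off, GWLBE to GWLB to FortiGate and back) are assumptions that mirror the description; the inspected() check is what a practitioner would run after changing a Security VPC route table, since a default route pointed at Cloud WAN instead of the GWLBE lets traffic skip the FortiGate.

```python
import ipaddress

# Constructed route tables: (prefix, next hop). A next hop that names another
# table continues the walk there; CONTINUE models hops that are not route
# lookups (GWLBE -> GWLB -> FortiGate -> GWLB -> GWLBE, then back into Cloud WAN).
ROUTE_TABLES = {
    "rt:prod-segment": [("0.0.0.0/0", "attach:security-vpc"),       # send-to
                        ("10.212.0.0/16", "attach:security-vpc")],  # send-via
    "rt:secvpc-cwan-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "gwlbe")],
    "rt:secvpc-gwlbe-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "cwan")],
    "rt:nfg-inspectionVPCs": [("10.212.0.0/16", "attach:vpc-dev-a"),
                              ("10.211.0.0/16", "attach:vpc-prod-a")],
}
CONTINUE = {
    "attach:security-vpc": ["rt:secvpc-cwan-subnet"],
    "gwlbe": ["gwlb", "fortigate", "gwlb", "gwlbe-return", "rt:secvpc-gwlbe-subnet"],
    "cwan": ["rt:nfg-inspectionVPCs"],
}

def lookup(tables, table, dst):
    """Longest-prefix match, as VPC and Cloud WAN route tables do."""
    best = None
    for prefix, nh in tables[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(dst, tables=ROUTE_TABLES, start="rt:prod-segment", max_hops=20):
    """Return the ordered hops a packet to dst traverses, starting in the segment."""
    dst, path, pending = ipaddress.ip_address(dst), [], [start]
    while pending and len(path) < max_hops:
        hop = pending.pop(0)
        path.append(hop)
        if hop in tables:                     # a route lookup decides the next hop
            nh = lookup(tables, hop, dst)
            if nh is None:
                path.append("DROP: no route")
                break
            pending.insert(0, nh)
        elif hop in CONTINUE:                 # fixed forwarding chain, no lookup
            pending[0:0] = CONTINUE[hop]
    return path

def inspected(path):
    """True only if the packet reached a VPC attachment after passing FortiGate."""
    return "fortigate" in path and path[-1].startswith("attach:vpc-")
```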
The complementary partnership between Fortinet and AWS Cloud WAN Service Insertion delivers a comprehensive WAN for massive scale. It empowers organizations to expand their networks globally with ease, accommodating the growing demands of modern business.
Consistent enforcement and visibility provide tools to enhance security and monitor network traffic consistently, ensuring that no potential threat goes unnoticed.
In conclusion, the information presented in this blog post is valid for those seeking to understand Fortinet's solutions in AWS. These insights, tips, and best practices provide a foundation for testing and familiarizing yourself with the capabilities of Fortinet's products. It is essential to emphasize that the guidance shared here is intended exclusively for lab and testing purposes. When it comes to deploying these solutions in a production environment or implementing more advanced configurations tailored to the unique needs of your organization, it is strongly recommended that you reach out to Fortinet's Cloud Consulting Services team at consulting@fortinet.com.
Fortinet’s Cloud Consulting experts bring a wealth of experience and expertise to the table, ensuring that your cloud security solutions are not only deployed securely but are also optimized for peak performance and efficiency.
FortiGate-VM and FortiGate-CNF are both available through AWS Marketplace. Additionally, for customers deploying in dynamic environments, FortiGate-VM is also available through Fortinet’s FortiFlex program which offers daily usage based licensing with ability to easily scale up, down, in, or out as needed.
Copyright 2025 Fortinet, Inc. All Rights Reserved.