lmomesso

AWS Cloud WAN Service Insertion with FortiGate

The AWS Cloud WAN Service Insertion feature allows customers to easily integrate FortiGate-VMs or FortiGate-CNF to enhance cloud networking and security capabilities. Cloud WAN Service Insertion streamlines traffic steering to FortiGate for the following use cases:

  1. Inter-VPC – within the same or across regions
  2. Inter Cloud WAN Segments – within the same or across regions
  3. North-South – Traffic between AWS infrastructure, Internet, on-premises data center and remote sites.
  4. The SDWAN use case can be found at this link.

This article explains how to deploy FortiGate with AWS Cloud WAN Service Insertion across regions, as illustrated in the figure below.

Figure-1 – Cloud WAN Service Insertion with FortiGate-VMs

You can find the Terraform code for deploying the resources needed for this blog post at the link below.

https://github.com/leandro2m/fortigate-aws-cwan


Solution Overview

To get the most out of this post, you must understand some of the fundamental concepts used by Cloud WAN Service Insertion. For more details, refer to the Cloud WAN documentation and the blog post Simplify Global Security Inspection with AWS Cloud WAN Service Insertion to learn more about Cloud WAN and Cloud WAN Service Insertion concepts.

The following advantages are provided by Cloud WAN Service Insertion with FortiGate:

  • Workload security: FortiGate on AWS delivers next-generation firewall capabilities for organizations of all sizes, with the flexibility to be deployed as a virtual machine (self-managed) or as SaaS, known as FortiGate-CNF (Cloud Native Firewall).
  • Simplified routing: Customers requiring traffic inspection for inter-VPC, Internet, or on-premises traffic can leverage AWS Cloud WAN Service Insertion to easily direct the relevant network traffic to the FortiGates and thus secure applications deployed in a VPC, without the need to manage complex routing configurations.
  • Multi-Region security inspection: Customers can deploy multi-Region workloads to support expansion or disaster recovery use cases. The Service Insertion capability simplifies multi-Region deployment and allows you to steer both intra-Region and inter-Region traffic through FortiGate.
  • Zero-day threat prevention: This integration supports Fortinet’s AI-based inline malware prevention, our most advanced sandbox service, to analyze and block unknown files in real time, offering sub-second protection against zero-day and sophisticated threats across all NGFWs.
  • Centralized Network and Security Management at Scale: The central policy document model of Cloud WAN, combined with the FortiManager solution from Fortinet, enables integrated management of the Fortinet Security Fabric, serving as the fundamental component for deploying hybrid cloud environments.

FortiGate with AWS Cloud WAN Service Insertion

In this setup, we will create a Cloud WAN Core Network with two edge locations and two network segments, Production and Development, spanning the two regions. The VPCs are attached to the Core Network Edge as VPC attachments. FortiGate-VMs have been deployed in the Security VPC, which is attached to a Network Function Group.

The traffic from the Production and Development VPCs flows through the Cloud WAN Core Network, where Cloud WAN Service Insertion, using the core network policy document, steers the traffic through FortiGate. Customers use the “send-to” segment-action for north-south and Internet egress traffic inspection, and the “send-via” segment-action for east-west traffic inspection. FortiGate supports all Service Insertion segment-actions and segment insertion modes.

Figure 2 depicts the FortiGate-VMs, subnets, and Cloud WAN attachments in the Security VPC in us-west-1 and us-west-2.

Figure-2 – FortiGate-VMs in the central security VPC and Cloud WAN attachment in us-west-1 and us-west-2

Figure 3 depicts the attachment of the Production and Development VPCs to the Cloud WAN segments in the regions us-west-1 and us-west-2.

Figure-3 – VPC Production and Development attached into Cloud WAN segments in us-west-1 and us-west-2

For north-south traffic inspection in the Production segment, the following segment-action has been configured on Cloud WAN:

Figure-4 – send-to segment action

The Service Insertion "send-to" clause creates a default route in the production segment, pointing the traffic to the inspectionVPCs. Figure 5 shows the route table in the production segment.

Figure-5 – Production Segment route table

The Service Insertion “send-via” clause in the Production segment creates east-west route propagation, sending all VPC prefixes to the inspectionVPCs.

Figure-6 – send-via segment action

Figure 7 shows the route table sending all traffic to inspectionVPCs due to the “send-via” segment-action route policy.

Figure-7 – Production Segment route table

Figure 8 provides a hop-by-hop illustration of the packet flow, depicting the journey from the Prod-A workload attached to the Production segment to the Dev-A workload attached to the Development segment, inspected by FortiGate in the Network Function Group.

Figure-8 – Centralized East-West traffic inspection in the region us-west-1

Let us walk through the packet flow to see how traffic from VPC-Prod-A to VPC-Dev-A is routed through the Cloud WAN Core Network and inspected by the FortiGate-VM behind the Gateway Load Balancer.

  1. The packet leaves the EC2 instance in VPC-Prod-A, travels to the Cloud WAN Core Network ENI in the private subnet and arrives in the Production segment of the Cloud WAN Core Network.
  2. Within the Production segment route table of the Cloud WAN Core Network, the send-via clause propagates a route to VPC-Dev-A (10.212.0.0/16) through the inspectionVpcs Network Function Group.

Figure-9 – Production Segment Route Table – Dev-A route

  3. The route to 10.212.0.0/16 points to the Security VPC attachment. The Security VPC is associated with the Network Function Group inspectionVPCs, and in the Network Function Group route table the route is propagated via the Security VPC attachment.

Figure-10 – Network Function Group Route Table

  4. The packet is forwarded to the subnet in the Security VPC where the Cloud WAN is attached.
  5. The local route table includes a route directing the traffic to the Gateway Load Balancer Endpoint (GWLBE).
  6. The packet is forwarded to the Gateway Load Balancer (GWLB), which balances the traffic across multiple FortiGate-VMs.
  7. FortiGate receives the packet and applies deep packet inspection.
  8. FortiGate returns the packet to the Gateway Load Balancer.
  9. GWLB maintains flow symmetry and returns the packet to the GWLBE that originated the session. The route table associated with the GWLBE subnet sends all traffic to Cloud WAN.
  10. The packet returns to the Network Function Group inspectionVpcs.
  11. As shown in Figure 11, the next hop for 10.212.0.0/16 points to the VPC-Dev-A attachment.
  12. The packet reaches its destination.

Conclusion

The complementary partnership between Fortinet and AWS Cloud WAN Service Insertion delivers a comprehensive WAN for massive scale. It empowers organizations to expand their networks globally with ease, accommodating the growing demands of modern business.


Consistent enforcement and visibility provide tools to enhance security and monitor network traffic consistently, ensuring that no potential threat goes unnoticed.

In conclusion, the information presented in this blog post is intended for those seeking to understand Fortinet's solutions in AWS. These insights, tips, and best practices provide a foundation for testing and familiarizing yourself with the capabilities of Fortinet's products. It is essential to emphasize that the guidance shared here is intended exclusively for lab and testing purposes. When it comes to deploying these solutions in a production environment or implementing more advanced configurations tailored to the unique needs of your organization, it is strongly recommended that you reach out to Fortinet's Cloud Consulting Services team at consulting@fortinet.com.

Fortinet’s Cloud Consulting experts bring a wealth of experience and expertise to the table, ensuring that your cloud security solutions are not only deployed securely but are also optimized for peak performance and efficiency.

FortiGate-VM and FortiGate-CNF are both available through AWS Marketplace. Additionally, for customers deploying in dynamic environments, FortiGate-VM is also available through Fortinet’s FortiFlex program, which offers daily usage-based licensing with the ability to easily scale up, down, in, or out as needed.

Principal Cloud Solutions Architect