Description
This article describes how to provide Internet connectivity to Compute Engine VMs that have no external IP address, by routing their traffic through a FortiGate-VM deployed in GCP.
Scope
FortiGate.
Solution
- A FortiGate-VM on GCP has been deployed with 2 VPCs (External and Internal), and an external IP address was assigned to the External VPC:
- The Compute Engine VM instance 'instance-1' has been created on the Internal VPC; a ping from it to the external DNS server 8.8.8.8 fails, because the instance has no external IP and no route to the Internet:
- To provide Internet access to the Compute Engine VM, it is recommended to create a static route on GCP that sends all traffic through the FortiGate-VM on GCP. To do so, go to VPC Network -> Routes -> Route Management and select 'Create Route'.
- On the Create Route menu, select the VPC Internal, Route type as Static, set the Destination IP Range as any IP '0.0.0.0/0', set the priority '100' and as Next hop select 'Specify an instance' then choose the FortiGate-VM on GCP.
- In the FortiGate-VM on GCP, a ping to the Compute Engine VM 'instance-1' using the port2 IP as source is not reachable:
- To fix this, it is recommended to create a static route on the FortiGate for the Internal VPC segment '10.20.0.0/24' with the Internal VPC gateway '10.20.0.1' as the gateway on the port2 interface. After this, there is connectivity to the Compute Engine VM:
- Create the Firewall Policy LAN to WAN to provide Internet access. The Compute Engine VM now has Internet connectivity through the FortiGate-VM on GCP: