Article Id 265857

This article describes the method to route ingress and egress traffic bounded to the FortiGate loopback interface in AWS VPC.


By default, the AWS VPC router routes traffic to and from a FortiGate ENI (Elastic Network Interface) only for the subnet with which that ENI is associated. Traffic sourced from or destined to the addresses configured on those network interfaces will therefore always work.


Consider the topology below. In it, traffic to and from the FortiGate loopback interface will fail.




FG04 # diag ip address list
IP=> index=3 devname=port1
IP=> index=4 devname=port2
IP=> index=11 devname=loopback-mgmt


By default, the VPC router will not route traffic from the server to the loopback interface via the FortiGate interface port2.


The traffic sourced from the FortiGate loopback interface will fail.

This affects all loopback-related traffic to and from the FortiGate-VM in AWS.

Scope: FortiGate-VM instance in AWS.

By default, the AWS VPC route table will have the VPC IPv4 CIDR mapped to ‘local’, which is the VPC router.




A route to the loopback interface IP cannot simply be added to the route table, because the route destination does not match any subnet configured in the VPC.




It is recommended to set the route target to the network interface of FortiGate port2 for the destination
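The following is an added example, not part of the original KB article or Fortinet's own tooling. It automates the recommended fix with the boto3 EC2 client API: it adds a /32 route for the loopback address that targets the FortiGate port2 ENI, disables the source/destination check on that ENI (an AWS requirement for any ENI that forwards packets it does not own, which the article does not spell out), and then reads the route table back to confirm the route is active. The route table ID, loopback IP, ENI ID and VPC CIDR are constructed sample values, and `FakeEC2` is a constructed stand-in so the script runs offline; in real use pass `boto3.client("ec2")` instead.

```python
import ipaddress
from typing import Any, Dict, List


def route_loopback_via_eni(ec2: Any, route_table_id: str,
                           loopback_ip: str, eni_id: str) -> Dict[str, str]:
    """Point a /32 route for the FortiGate loopback IP at the port2 ENI.

    `ec2` is any object exposing the boto3 EC2 client methods used here.
    The route goes in the route table of the subnet that must reach the
    loopback (the server's subnet in the article's topology).
    """
    addr = ipaddress.ip_address(loopback_ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 loopback addresses only")
    cidr = f"{addr}/32"

    # Not stated on the KB page, but required in AWS: with the check enabled,
    # the VPC drops packets leaving port2 whose source is the loopback IP
    # (an address the ENI does not own), so return traffic would still fail.
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})

    # The article's recommendation: destination = loopback IP, target = ENI.
    ec2.create_route(RouteTableId=route_table_id,
                     DestinationCidrBlock=cidr, NetworkInterfaceId=eni_id)
    return {"DestinationCidrBlock": cidr, "NetworkInterfaceId": eni_id}


def verify_loopback_route(ec2: Any, route_table_id: str,
                          loopback_ip: str, eni_id: str) -> bool:
    """Return True only if an active /32 route to the ENI is present."""
    cidr = f"{ipaddress.ip_address(loopback_ip)}/32"
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for table in resp["RouteTables"]:
        for route in table.get("Routes", []):
            if (route.get("DestinationCidrBlock") == cidr
                    and route.get("NetworkInterfaceId") == eni_id
                    and route.get("State") == "active"):
                return True
    return False


class FakeEC2:
    """Constructed offline stand-in for boto3.client('ec2').

    It starts with only the default 'local' route for the VPC CIDR and
    records every call so the effect of the fix can be inspected.
    """

    def __init__(self, vpc_cidr: str) -> None:
        self.calls: List[tuple] = []
        self.src_dst_check: Dict[str, bool] = {}
        self.routes: List[Dict[str, str]] = [
            {"DestinationCidrBlock": vpc_cidr, "GatewayId": "local",
             "State": "active"}]

    def modify_network_interface_attribute(self, NetworkInterfaceId: str,
                                           SourceDestCheck: Dict[str, bool]):
        self.calls.append(("modify_network_interface_attribute",
                           NetworkInterfaceId))
        self.src_dst_check[NetworkInterfaceId] = SourceDestCheck["Value"]
        return {}

    def create_route(self, RouteTableId: str, DestinationCidrBlock: str,
                     NetworkInterfaceId: str):
        self.calls.append(("create_route", RouteTableId, DestinationCidrBlock))
        self.routes.append({"DestinationCidrBlock": DestinationCidrBlock,
                            "NetworkInterfaceId": NetworkInterfaceId,
                            "State": "active"})
        return {"Return": True}

    def describe_route_tables(self, RouteTableIds: List[str]):
        return {"RouteTables": [{"RouteTableId": RouteTableIds[0],
                                 "Routes": list(self.routes)}]}


def demo() -> Dict[str, Any]:
    """Apply the fix against the fake client and report the outcome."""
    # Constructed sample values; substitute your own IDs in real use.
    rtb, eni, loopback = "rtb-EXAMPLE", "eni-PORT2-EXAMPLE", "10.255.0.1"
    ec2 = FakeEC2("10.0.0.0/16")
    before = verify_loopback_route(ec2, rtb, loopback, eni)
    added = route_loopback_via_eni(ec2, rtb, loopback, eni)
    after = verify_loopback_route(ec2, rtb, loopback, eni)
    return {"before": before, "after": after, "route": added,
            "src_dst_check": ec2.src_dst_check[eni], "calls": ec2.calls}


if __name__ == "__main__":
    print(demo())
```

`verify_loopback_route` is the check to run after applying the change in the console or CLI: if it returns False the route is either missing, in a different route table than the server's subnet uses, or in a blackhole state because the ENI was detached.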




Test Result: