FortiGate
vvikash
Staff
Article Id 272158
Description

This article describes how to set up a custom private hosted zone in Amazon Route 53 and use the AWS-provided DNS resolver on a FortiGate (FGT) to resolve the hostnames in that zone.

Scope

[Lab topology diagram]

  • FortiGate:

Port1: external (public) interface, connected to the Internet.

Port2: internal interface, connected to the private network.

Two subnets are needed for the lab (any Availability Zone works).

  • Windows Server

The Windows Server is placed in the private subnet.

Two route tables are needed for the lab (one for the public subnet and one for the private subnet).

 

The VPC, subnets (with their subnet associations), route tables, and Internet Gateway are assumed to be already created and attached to the corresponding entities. References:

Creating a VPC and subnets

Attaching the new VPC Internet gateway

Creating routing tables and associate subnets

Solution
  • If there are multiple instances in AWS whose names should be resolvable from the FortiGate (FGT), create A records for them in a private hosted zone on AWS.
  1. Create two subnets: a public subnet associated with a public route table (default route to the Internet Gateway), and a private subnet.
  2. Create a FortiGate instance and a Windows Server, and make sure the Windows Server is placed in the private subnet: Deploying FortiGate-VM from AWS marketplace
  3. Add an additional network interface in the private subnet and attach it to the FortiGate instance.
  4. The FortiGate now has two network interfaces, one in the public subnet (port1) and one in the private subnet (port2).


  • Creating a hosted zone on AWS

To create a hosted zone for 'fortinet.com' on Amazon Route 53, follow the link below, but select 'Private hosted zone' as the type so that the zone is associated with the VPC. Keep in mind that a private hosted zone named 'fortinet.com' takes precedence over the public 'fortinet.com' zone for every instance in the associated VPC, and names under it that have no record in the private zone get NXDOMAIN instead of the public answer; in a real deployment, use a domain you control, such as an internal subdomain.

Creating a public hosted zone

 

[Screenshots: creating the hosted zone in Route 53]


Select the region as well as the VPC.

 

  • Check the Windows Server's private IP, copy it, and create an A record for the Windows Server in this hosted zone.
  • In this case, the Windows Server IP is 10.0.2.150.
  • Once that is done, the AWS resolver answers window.fortinet.com with 10.0.2.150 for instances in the associated VPC.


  • DHCP option set for the VPC:

In Amazon Web Services (AWS), DHCP option sets for a Virtual Private Cloud (VPC) supply network configuration to instances when they start: DNS servers (domain-name-servers), the domain name, NTP (Network Time Protocol) servers and NetBIOS settings. The FortiGate's DHCP-addressed interfaces learn their DNS server from this option set.

Go to VPC -> DHCP option sets, create a new option set and associate it with the VPC.

If no DNS server of your own is available, set domain-name-servers to AmazonProvidedDNS (the default option set already does this). AmazonProvidedDNS is the VPC's Route 53 Resolver, reachable at the VPC network address plus two (for example 10.0.0.2 in 10.0.0.0/16) and at 169.254.169.253:

DHCP option sets in Amazon VPC

 

  • On the FortiGate instance:

[Screenshot: port1 DNS settings]

Once the FortiGate instance is running, disable 'Override internal DNS' on port1 and set the FortiGate's system DNS servers to the FortiGuard servers:

  • The picture above shows the settings on port1 (the public port of the FortiGate).
  • The FortiGuard servers are used for all DNS queries.
  • Try to ping window.fortinet.com.
  • The FortiGate cannot resolve this name, although the public DNS resolves all other queries: every query is forwarded to the public DNS servers, which know nothing about the private hosted zone.

 

[Screenshot: port2 DNS settings]

  • Add the private network interface (port2) to the FortiGate instance and keep 'Override internal DNS' enabled on it.
  • The port2 (private subnet) settings are shown in the picture above.
  • Repeat the ping test: the FortiGate now resolves window.fortinet.com.
  • A packet capture at this point shows that all DNS queries, not only those for the private zone, are now sent to the AWS DNS server, which resolves the private domain hosted on AWS.
  • For hybrid resolution (for example, on-premises DNS servers answering queries for AWS names, or AWS answering queries from on-premises), use Route 53 Resolver inbound and outbound endpoints.

Note:

Enabling 'Override internal DNS' on any DHCP-addressed interface makes the FortiGate use the DNS servers learned on that interface for all of its DNS queries, so in this setup every query, including public names, goes to the AWS DNS server. Public-name resolution then depends on the VPC resolver being reachable from that interface.
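The hosted zone and A record, the DHCP option set, and the FortiGate DNS settings from the sections above, as one shell script. This is an added example, not code from the article or from Fortinet or AWS. The VPC ID and region are placeholders; the FortiOS commands are the CLI form of the GUI settings described above and assume port1 and port2 are DHCP-addressed, as they are in the AWS deployment. The AWS calls only run when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example (not the article's, Fortinet's or AWS's code). VPC_ID and REGION
# are assumed placeholders. Run with "apply" to execute the AWS calls; without
# it only the helper functions are defined.

ZONE_NAME="fortinet.com"            # zone name used by the article
RECORD_NAME="window.fortinet.com"   # A record for the Windows Server
RECORD_IP="10.0.2.150"              # Windows Server private IP from the article
VPC_ID="vpc-0123456789abcdef0"      # assumed placeholder, not from the article
REGION="us-east-1"                  # assumed placeholder, not from the article

# Route 53 change batch for one A record. UPSERT is idempotent, so the script
# can be re-run after changing RECORD_IP without a failing CREATE.
a_record_change_batch() {
  name="$1"; ip="$2"; ttl="${3:-300}"
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$name" "$ttl" "$ip"
}

# AmazonProvidedDNS is the Route 53 Resolver at the VPC network address plus
# two (10.0.0.2 for 10.0.0.0/16): the address to expect in a FortiGate capture.
amazon_dns_for_cidr() {
  ip="${1%/*}"; prefix="${1#*/}"
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (1 << 32) - (1 << (32 - prefix)) ))
  base=$(( (n & mask) + 2 ))
  printf '%d.%d.%d.%d\n' $(( (base >> 24) & 255 )) $(( (base >> 16) & 255 )) \
    $(( (base >> 8) & 255 )) $(( base & 255 ))
}

# Private hosted zones only work when both VPC DNS attributes are enabled.
enable_vpc_dns() {
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support '{"Value":true}'
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames '{"Value":true}'
}

# --vpc associates the zone with the VPC, which is what makes it private.
create_private_zone() {
  aws route53 create-hosted-zone --name "$ZONE_NAME" \
    --caller-reference "fgt-lab-$(date +%s)" \
    --vpc "VPCRegion=$REGION,VPCId=$VPC_ID" \
    --hosted-zone-config "Comment=fgt-lab,PrivateZone=true" \
    --query 'HostedZone.Id' --output text
}

upsert_a_record() {   # $1 = hosted zone id
  aws route53 change-resource-record-sets --hosted-zone-id "$1" \
    --change-batch "$(a_record_change_batch "$RECORD_NAME" "$RECORD_IP")"
}

# DHCP option set handing AmazonProvidedDNS to every instance in the VPC; the
# FortiGate's DHCP-addressed interfaces learn their DNS server from it.
create_dhcp_options() {
  aws ec2 create-dhcp-options \
    --dhcp-configurations "Key=domain-name-servers,Values=AmazonProvidedDNS" \
    --query 'DhcpOptions.DhcpOptionsId' --output text
}

associate_dhcp_options() {   # $1 = dhcp options id
  aws ec2 associate-dhcp-options --dhcp-options-id "$1" --vpc-id "$VPC_ID"
}

# FortiOS CLI equivalent of the GUI steps: system DNS on FortiGuard, port1 does
# not override it, port2 (private subnet) overrides it with the DHCP-learned
# AWS resolver. Paste into the FortiGate CLI.
fortios_dns_config() {
  cat <<'EOF'
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end
config system interface
    edit "port1"
        set dns-server-override disable
    next
    edit "port2"
        set dns-server-override enable
    next
end
EOF
}

# Verification on the FortiGate: resolve the name, then capture DNS traffic to
# see which resolver the queries actually reach.
fortios_verify_commands() {
  cat <<EOF
execute ping $RECORD_NAME
diagnose sniffer packet any 'udp port 53' 4 10
EOF
}

if [ "${1:-}" = "apply" ]; then
  enable_vpc_dns
  zone_id=$(create_private_zone)
  upsert_a_record "$zone_id"
  dhcp_id=$(create_dhcp_options)
  associate_dhcp_options "$dhcp_id"
  fortios_dns_config
  fortios_verify_commands
fi
```

With port2 overriding the system DNS, the capture from `fortios_verify_commands` should show every query, public names included, going to the address `amazon_dns_for_cidr` prints for the VPC CIDR; if port1 still answered them, the destination would be the FortiGuard servers instead.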
