Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nemat
New Contributor II

North-south security inspection in AWS.

 

We have two VPC in AWS [Security, and Production] VPCs. We have deployed fortigate in Security VPC. In the designing phase we consider the fortigate to work as a Nat instance for all our private subnet including the on in the Production VPC.

 

From FortiOS - AWS Administration Guide, section Security inspection with Gateway Load Balancer
integration, part North-south security inspection to customer VPC. I have understood this can be accomplish by using Gateway Load Balancer. [https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e129c4eb-867b-11eb-9995-005056...]

 

My question is:

1- We have one fortigate do we need to deploy Gateway Load Balancer? if No need for the Load Balancer, then how?

2-If I have stablished site to site VPN between the fortigate and third parties, and one of the Production private EC2 need to reach it I can do this also right?

 

Thanks,

2 REPLIES 2
vvarangoulis
Staff
Staff

Hello Nemat,

To answer your questions:

1- The traffic needs to reach the Fortigate, so either with the GWLB as per documentation on page 192-193 or depending on your deployments perhaps another Fortigate/firewall. Although the former solution with the GWLB is a better way, ihmo.

2- Again this depends on how you have done your deployment and your topology, but all firewalls should be capable of VPN (i.e. IPsec).

For the GWLB, make sure you also have the latest firmware in your Fortigate. From the documentation i read that is using the Geneve protocol and it would be better to be on the latest firmware (i.e 6.4.10/7.0.8/7.2.2)

Please mark the posts as solved if you have no further queries
--VV--
gfleming
Staff
Staff

I am pretty sure you will need a Transit GW to satisfy the dependencies of #2. VPCs are not transitive. That is you cannot have traffic entering one VPC (i.e. VPN Traffic) and traversing to another VPC. For this you need Transit GW or a local Internet/VPN gw in the VPC. Check east-west traffic inspection it goes into a bit of detail on this one.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors