We have two VPCs in AWS [Security and Production]. We have deployed Fortigate in the Security VPC. In the design phase we considered the Fortigate to work as a NAT instance for all our private subnets, including the one in the Production VPC.
1- The traffic needs to reach the Fortigate, so either with the GWLB as per the documentation on pages 192-193 or, depending on your deployment, perhaps another Fortigate/firewall. Although the former solution with the GWLB is a better way, imho.
2- Again this depends on how you have done your deployment and your topology, but all firewalls should be capable of VPN (i.e. IPsec).
For the GWLB, make sure you also have the latest firmware on your Fortigate. From the documentation I read that it is using the Geneve protocol, and it would be better to be on the latest firmware (i.e. 6.4.10/7.0.8/7.2.2).
Please mark the posts as solved if you have no further queries --VV--
I am pretty sure you will need a Transit GW to satisfy the dependencies of #2. VPCs are not transitive; that is, you cannot have traffic entering one VPC (i.e. VPN traffic) and traversing to another VPC. For this you need a Transit GW or a local Internet/VPN GW in the VPC. Check east-west traffic inspection; it goes into a bit of detail on this one.
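As an added example of the Transit Gateway hub the reply above describes (this is not code from any poster or from Fortinet): Terraform that attaches both VPCs to one Transit Gateway and steers the Production VPC's default route through the Security VPC towards the GWLB endpoint that fronts the Fortigate. The VPC, subnet, route-table and GWLB endpoint IDs are passed in as variables, and the 10.1.0.0/16 Production CIDR is a constructed placeholder; the Fortigate's own egress (NAT gateway or IGW in the Security VPC) and the GWLB/target group are assumed to exist already.

```hcl
# Added example, not from the thread: hub-and-spoke wiring so that Production VPC
# private subnets reach the Fortigate in the Security VPC via the Transit Gateway.
# All IDs are passed in; the CIDR below is a constructed placeholder.

variable "security_vpc_id"          { type = string }       # existing Security VPC
variable "production_vpc_id"        { type = string }       # existing Production VPC
variable "security_tgw_subnet_ids"  { type = list(string) } # TGW attachment subnets, Security VPC
variable "production_subnet_ids"    { type = list(string) } # TGW attachment subnets, Production VPC
variable "production_private_rt_id" { type = string }       # route table of Production private subnets
variable "security_tgw_subnet_rt_id" { type = string }      # route table of the Security TGW subnets
variable "gwlbe_subnet_rt_id"       { type = string }       # route table of the GWLB endpoint subnets
variable "gwlb_endpoint_id"         { type = string }       # GWLB endpoint (vpce-...) in front of the Fortigate

locals {
  production_cidr = "10.1.0.0/16" # constructed placeholder
}

# One TGW; default route-table association/propagation disabled so only the
# explicit routes below exist.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "Security/Production hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_route_table" "inspection" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Security VPC attachment. Appliance mode keeps both directions of a flow in the
# same AZ, so the Fortigate sees symmetric traffic.
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.security_vpc_id
  subnet_ids                                      = var.security_tgw_subnet_ids
  appliance_mode_support                          = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "production" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.production_vpc_id
  subnet_ids                                      = var.production_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table_association" "security" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

resource "aws_ec2_transit_gateway_route_table_association" "production" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.production.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# TGW routing: anything unknown goes to the Security VPC (towards the Fortigate);
# the Production CIDR goes back to the Production attachment for return traffic.
resource "aws_ec2_transit_gateway_route" "default_to_security" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

resource "aws_ec2_transit_gateway_route" "to_production" {
  destination_cidr_block         = local.production_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.production.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# Production private subnets: default route to the TGW instead of a local NAT gateway.
resource "aws_route" "production_default_to_tgw" {
  route_table_id         = var.production_private_rt_id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}

# Security VPC, TGW attachment subnets: hand traffic to the GWLB endpoint (the Fortigate).
resource "aws_route" "security_tgw_subnet_to_gwlbe" {
  route_table_id         = var.security_tgw_subnet_rt_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = var.gwlb_endpoint_id
}

# Security VPC, GWLB endpoint subnets: replies for the Production CIDR go back to the TGW.
resource "aws_route" "gwlbe_subnet_to_production" {
  route_table_id         = var.gwlbe_subnet_rt_id
  destination_cidr_block = local.production_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
```

The point of the explicit TGW route table is that no VPC-to-VPC path exists except the one that traverses the Security VPC, so the Fortigate stays in the path for both the outbound NAT case and any VPN traffic that lands there. If the TGW subnets and the GWLB endpoint subnets are the same subnets, the two `aws_route` resources on the Security side must target one route table and the Production return route then needs care to avoid looping back through the endpoint.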