AWS Gateway Loadbalancer East West inspection with Fortigate Firewall
- Published: 4 Feb 2025
- AWS Gateway Loadbalancer East West inspection using Fortigate Firewall and Transit gateway hands on demo
This is a step by step configuration of the following components:
1. Fortigate firewall to represent any virtual appliance of your choice behind a gateway load balancer
   b) Enabling Geneve on the Fortigate appliance
2. AWS Gateway load balancer and service endpoint setup
3. Transit gateway attachments and routing tables
4. Testing and troubleshooting traffic flow via the central security VPC
Although the demo shows only a single appliance, a robust production environment will have more than one, which might even be in an auto-scaling group.
Below is the debug command I used on the Fortigate:
This is my favorite command for this device, as it can tell you almost anything in relation to traffic flow, be it routing or access issues.
Simply paste all lines into your CLI:
##########################
diagnose debug flow trace stop
diagnose debug enable
diagnose debug flow filter addr 172.31.100.15
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
###############
and to stop the debug: diagnose debug flow trace stop
If you do not specify the number 10 (packets to be captured) on the last line, the command will continue to capture packets until you press Control + C.
You may check the Fortigate documentation for more options that you may use with it.
For the above you only need to replace 172.31.100.15 with the IP address that you need to track.
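The trace above produces one line per step of the flow (packet received, route lookup, policy verdict). The parser below is an added example, not part of the video or the Fortigate product: it groups trace lines by trace_id and flags inspected flows that enter on geneve but would be routed out another interface, which in this GWLB design means the reply would bypass the load balancer endpoint (an assumption stated in the code). The sample output is constructed to look like `diagnose debug flow` lines, not captured from the demo.

```python
import re

# Constructed, representative `diagnose debug flow` output (not captured from
# the demo): two flows arrive on the geneve interface; one allowed, one denied.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.0.10:1->172.31.100.15:2048) from geneve. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000043e"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.1.1 via geneve"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-1:"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.1.0.20:44321->172.31.100.15:22) from geneve. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.2.1 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=\S+ .*?msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

def parse_debug_flow(text):
    """Group trace lines by trace_id; extract ingress, route and policy verdict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. command echo)
        tid, msg = int(m.group(1)), m.group(2)
        f = flows.setdefault(tid, {"verdict": "no policy decision logged"})
        if (p := PKT_RE.search(msg)):
            f.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif (r := ROUTE_RE.search(msg)):
            f.update(next_hop=r.group(1), egress=r.group(2))
        elif (a := ALLOW_RE.search(msg)):
            f["verdict"] = f"allowed by policy {a.group(1)}"
        elif (d := DENY_RE.search(msg)):
            f["verdict"] = f"denied (policy {d.group(1)})"
    return flows

def gwlb_path_warnings(flows):
    """Assumption: traffic inspected via the GWLB must return on the same geneve
    interface; a route out of any other port means it bypasses the GWLB endpoint."""
    warnings = []
    for tid, f in sorted(flows.items()):
        if f.get("ingress") == "geneve" and f.get("egress") not in (None, "geneve"):
            warnings.append(f"trace {tid}: {f['src']}->{f['dst']} routed out {f['egress']}, not geneve")
    return warnings

if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_TRACE)
    for tid, f in sorted(parsed.items()):
        print(tid, f)
    print("\n".join(gwlb_path_warnings(parsed)))
```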
If my video helps you, show it with the subscribe button and many more will come.
I searched the whole internet but couldn't find a proper video explaining the GWLB in detail and how to use it with appliances. This video is by far the best today and thank you for the help.
Glad to hear the material is helpful, thank you for your support.
Awesome Mrr T.. Nicely done with a gentle introduction to the Gateway Load Balancer..
Thanks Gibson
Greetings excellent overview thank you.. I'm building a proof of concept 3 Pairs of Fortigate Firewalls in HA mode Active/Active, across 3 Availability Zones, with AWS load balance, Transit Gateway, FortiManager for centralised management and a FortiAnalyzer as part of the SIEM. (APP VPC, SEC VPC, TRANS VPC)
Really an informative one buddy. Thanks a lot
Thank you for sharing this video! It definitely helps us in our AWS journey!
Glad you liked it, thanks for the feedback.
@tendaimusonza9547 do you have any vids on inbound traffic from the internet that passes through the firewall? We have a multi account, multi vpc setup with a central security account/vpc where the firewall lives. Every account/vpc goes through a transit gateway which decides where to route traffic. We want to be able to make public services available to the internet and still traverse the firewall. Thanks in advance!
@daphenom Thanks for checking. I currently do not have a video specifically on both north south and east west inspection; however, for internet you have to use ingress routing the same way I did in my AWS Network Firewall video, and this ingress routing is per each VPC to route incoming traffic to the gateway load-balancer endpoint.
Always enjoy content. Excellent knowledge and delivery 👏👏
Thank you Shepherd, glad to hear you enjoyed the demo.
very very awesome, I have truly enjoyed this more than anything. Thanks very much for your time putting all this together and waiting for more.
I am glad you enjoyed it, thank you for the kind words.
Really liking the new content. Thank you Tendai, it's very detailed.
Thanks for the support Davidson
Thanks for the video. It's really helpful.
It's a pleasure, happy you liked it
Very helpful my leader!!
Glad to know you liked it, thanks.
Very nice step by step walk through, keep it up. Any idea on how the setup will look if we have a multi AZ Fortigate HA deployment? I have issues with the LB and endpoints when I have multi AZ and the application VPCs are in different VPCs, it creates issues. I am checking further on the setup, but the Primary works and failover doesn't.
Thank you Hitesh. I am not sure if HA will work in conjunction with a GWLB since the health checks have no visibility of HA status, since it works only by probing a TCP port. I have used HA in a central security VPC using partly the steps on this Fortinet link, although this link is just for general HA setup, not specific to a central security VPC: docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/deploying-fortigate-vm-active-passive-ha-aws-between-multiple-zones . I used it with a transit gateway. Hope you will find this helpful.
excellent video, many thanks for sharing with us. one thing which is bugging me is route-table entry for "GWLB-Subnet", why we have to provide two transit gateway entry for both spoke vpc? is it really required for E-W traffic.
I provided the TGW as the next hop for both spoke CIDRs since it is the TGW which knows the route back for both spokes in this centralized config. Thank you for your comment, hope I managed to answer your question.
this same logic applied for North South traffic flow right?
That's correct, it's the same logic, only that for north south you introduce ingress routing for the internet gateway.
@tendaimusonza9547 thanks sir, keep going with great content, greetings
@carlosemanuelbonilla904 thanks for the support, much appreciated
Hello Tendai, very useful explanation in this video. Great! Where do you find all the docs and examples for the forti and ENDPOINT and GWLB implementation? How do I add more fortis to the main as in an HA? Thank you man!
Glad you liked the material and supported the channel with your subscription. Thank you. As far as HA is concerned, you do it differently from the usual way we do on premise. You can take advantage of the fact that the firewalls are behind a load balancer and hence, with the health check mechanism, traffic can then be sent only to healthy appliances, and if your transit gateway is in appliance mode you will not have asymmetrical routing challenges. The firewalls can also be in an auto scaling group. I also find the following links helpful: aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/ , docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/249812/creating-the-gwlb-and-registering-targets . Hopefully I have given you some clarity. I have not found complete end to end documentation which shows the forti config scenarios; however, for multiple firewalls you will need a central manager if policies are to be in sync.
@tendaimusonza9547 Thank you so much for your answers. My future goal is to use a VPC for security to allow the forti to inspect all traffic (north-south and east-west) and at the same time use HA using (I guess) port1 to go to the internet through an IGW. I don't have all details of the implementation so clear. Thank you man!!
Did you deploy Fortigate on AWS with HA active active in a multi AZ environment? If yes, can you help with a guide or video?
Hello Abdo, you do not need forti HA when using the gateway load balancer; the GWLB is doing HA for you in a way, and you need to make sure the security VPC attachment is in appliance mode to avoid asymmetrical routing. See link: docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html . With a GWLB your Fortis can be in multiple AZs; however, use FortiManager to make sure your rules are in sync rather than adding rules manually on each device. Hope I answered your question.
@tendaimusonza9547 thanks for your reply. I will try to make it using TG as I'm trying with GWLB and one fortigate only for now.
Great video!! The only thing which is confusing here is the interface. It would be great if you specify which interface you are using as Target and which one is used for public access. If they are the same then why create a new interface in a different subnet? Also, the specific Availability Zone is not highlighted here. Although it is visible that you have built the complete setup in a single AZ (af-south-1a), briefly mentioning the limitations of AZ (if any) would be great.
Additionally, the purpose of adding static routes on the Fortigate was not clear. If the firewall is going to receive traffic on GENEVE port (UDP/6081) then what role will the static routes play here? The Primary_ENI(Port1) subnet RTB already has the required routes.
Thank you for the feedback. I see your point here. I decided to use the same subnet that was sitting on the gateway load balancer subnet to keep the config short and simple, even though the initial plan was to use different subnets for Geneve and for admin. You may also test my setup without adding a route and let me know the outcome; that decision came after running some debugs and checks on the routes populated automatically after running get router info on the fortigate.
@tendaimusonza9547 Thanks. I will try it once and see how the Fortigate local routes influence the GENEVE behavior. I have seen this with PA but no such routing was required. Hence, the question.
@sreyanshbhupal9900 you are right, for Palo it works without doing any of those steps. Give it a trial, that's how we all learn through sharing.
What if I want to use this for north-south traffic? The default route towards geneve won't help there.
Hello Hiren, thank you for viewing the content. As for the north south scenario, the routing needs to change a bit. In this case the default route to geneve up to the TGW is on the assumption that only east-west traffic is involved; however, for north south you may choose to have a gateway load balancer route table to send default traffic to a NAT Gateway, as illustrated in the north south deployment model on this link: aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/ . Hopefully I managed to answer your question.
is using transit gateway a must for GWLB ?
Hello Randy, yes, a Transit Gateway is a must only for east west inspection, that is if you want to send traffic between VPCs through the central security VPC, unlike when you do north south inspection, i.e. internet to VPC.
thanks for your answer @tendaimusonza9547 so if only 1 app VPC needs to go through the security VPC via GWLB it does not need a TGW, right?
@randicalib that's right, yes
The reason WHY a TGW is necessary for more than 2 VPCs (1 "users/servers" + 1 "Security with GWLB + FWs in it") is due to the non-transitive VPC peering rule docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html ["VPC peering does not support transitive peering relationships"].
So, you either need a TGW or/and a Transit-VPC design (where NVAs act as the glue between different VPCs). A TGW has its limitations, for example if you need Advanced NAT and/or VRFs to segregate traffic, you would need to use a Transit-VPC with NVAs (Cisco CSRs for example), or even a mix of both; in this case the "Security VPC" could be the "Transit-VPC" at the same time, with that GWLB too.
Can I get the documents on how you have configured all the VPCs and subnets, etc.?
Hi Rohit, if you have worked with Terraform you may find my configs here useful for VPC and subnet config: github.com/tendai-lino/training/tree/main/GWLB-DEMO . I used this kind of setup in ruclips.net/video/2g59ihFy5HU/видео.html . Let me know if you require any further assistance.
I am new to AWS VPC..can you make a video on what AWS services offer as network and security services and is there any free or trial lab on AWS cloud to test it
Thank you for the feedback, that will help me in balancing content in my future videos. You may also open an AWS free tier account for learning; however, exercise caution on usage since not everything is free, although AWS documentation clearly states how you can stay within the free tier.
How can we get FortiGuard updates in this scenario? On port1 I have created geneve for data traffic, so how can I communicate with FortiGuard for updates?? Can you help?
Hi Zeeshan, that's a valid point. To get updates you have to change the routing: instead of using a default route to geneve, use specific routes for the VPC CIDRs and then send default traffic to a different port with a route to the internet. I used 0.0.0.0/0 just for a quick demo.
Can you now repeat this in Terraform ? :)
Thanks for the feedback, will work out something as soon as I grab a moment.