Route all traffic to and from EC2 instances (in a private subnet) to an on-premises Fortigate firewall via site-to-site VPN

0

Hi Team,

I am collaborating with a customer to migrate their SAP instances to AWS. They are presently utilizing a Fortigate firewall in their on-premises environment. Their specific request is to maintain the same firewall for managing all traffic to and from their EC2 instances in AWS. Can we set a routing rule to redirect all traffic to the Fortigate? Do we require a separate Fortigate instance on AWS? Do we require any other components (like AWS Network Firewall)?

2 answers
0
Accepted answer

Hello,

To migrate the workloads to AWS you can use the AWS Site-to-Site VPN service. This is a managed AWS service, and you don't need to deploy or manage any extra firewalls on the AWS side.

[+] Site-to-Site VPN single and multiple VPN connection examples - https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html

You can set up an AWS Site-to-Site VPN using the steps below:

Step 1: Create a customer gateway > the Fortigate's external public IP

Step 2: Create a target gateway > select a Virtual Private Gateway, or a Transit Gateway if you wish to connect to multiple VPCs.

Step 3: Configure routing

Step 4: Update your security group

Step 5: Create a VPN connection

Step 6: Download the configuration file

Step 7: Configure the customer gateway device (Fortigate firewall)

[+] Getting started with AWS Site-to-Site VPN - https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

You can define routing in Step 3 and Step 5, as those steps give the option to add the route pointing towards the on-premises CIDR range.

EXPERT
answered 8 months ago
EXPERT
reviewed 6 months ago
  • Thank you so much Narinder for your quick response. It helped.
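The seven steps above, expressed as one Terraform configuration. This is an added example and not code from the answer above or from AWS; every identifier in it is an assumption: the VPC and private-subnet route-table IDs are placeholders, `203.0.113.10` (a TEST-NET-3 documentation address) stands in for the Fortigate's public IP, and `10.10.0.0/16` for the on-premises range. It uses static routing (no BGP) and sends the private subnet's default route into the VPN, which is what "all traffic to and from the EC2 instances" requires.

```hcl
# Added example, not from the original post. All IDs, addresses and CIDRs
# below are assumed placeholders; replace them with the customer's values.

variable "vpc_id"                 { default = "vpc-0123456789abcdef0" }   # assumed
variable "private_route_table_id" { default = "rtb-0123456789abcdef0" }   # assumed
variable "fortigate_public_ip"    { default = "203.0.113.10" }            # assumed (TEST-NET-3)
variable "onprem_cidr"            { default = "10.10.0.0/16" }            # assumed

# Step 1: customer gateway = the Fortigate's external public IP.
# bgp_asn is required by the resource even for static routing.
resource "aws_customer_gateway" "fortigate" {
  bgp_asn    = 65000
  ip_address = var.fortigate_public_ip
  type       = "ipsec.1"
  tags       = { Name = "onprem-fortigate" }
}

# Step 2: target gateway. A Virtual Private Gateway is enough for one VPC;
# use aws_ec2_transit_gateway instead when several VPCs must share the VPN.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
  tags   = { Name = "sap-vgw" }
}

# Step 5: the VPN connection itself (two IPsec tunnels are created).
resource "aws_vpn_connection" "to_fortigate" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.fortigate.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# Step 3 (VPN side): with static routing, AWS only sends into the tunnel what
# is listed here. 0.0.0.0/0 makes the Fortigate the next hop for everything,
# not just the on-premises range.
resource "aws_vpn_connection_route" "everything" {
  destination_cidr_block = "0.0.0.0/0"
  vpn_connection_id      = aws_vpn_connection.to_fortigate.id
}

# Step 3 (VPC side): default route of the private subnet -> VGW.
# Because there is no IGW/NAT route, no traffic can leave the VPC by any other path.
resource "aws_route" "private_default_to_vgw" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_vpn_gateway.vgw.id
}

# Step 4: security group for the SAP instances. Inbound is limited to the
# on-premises range (the only source that can reach a private subnet through
# the VPN); outbound is open because the Fortigate does the egress filtering.
resource "aws_security_group" "sap" {
  name   = "sap-via-fortigate"
  vpc_id = var.vpc_id

  ingress {
    description = "all traffic from on-premises, already inspected by the Fortigate"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.onprem_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Steps 6 and 7: the generated customer-gateway configuration (tunnel
# endpoints, pre-shared keys, phase 1/2 parameters) is what gets loaded on the
# Fortigate. It contains secrets, so it is marked sensitive.
output "fortigate_configuration" {
  value     = aws_vpn_connection.to_fortigate.customer_gateway_configuration
  sensitive = true
}
```

Two things to check on the Fortigate side once this applies: the phase 2 selectors (and the policy routes) must allow 0.0.0.0/0 on the on-premises side and the VPC CIDR on the AWS side, otherwise only traffic to `10.10.0.0/16` will match the tunnel, and internet-bound traffic from the SAP instances will need NAT on the Fortigate. Also note that any more specific route added later to the private route table (for example the prefix-list route of an S3 gateway endpoint) takes precedence over this 0.0.0.0/0 route and therefore bypasses the firewall.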

0

You can inspect all of your traffic to/from AWS using an on-premises firewall as you describe. Private connectivity to AWS can be achieved using Direct Connect or Site-to-Site VPN. In either case, the network topology on the customer side can be configured to use the firewalls.

Note that you can also inspect traffic on the AWS side using Fortigate firewalls and Gateway Load Balancer. This is explained in the documentation, but it is an option, as traffic can be inspected on premises.

AWS
EXPERT
answered 8 months ago
  • Thank you so much Brettski for your inputs. It clarified my doubts.
