Yes, you can do that: through a Gateway Load Balancer endpoint in each spoke plus a GWLB with FortiGate as the target in a dedicated VPC.
See Diagram 2 in the Palo Alto article with the dotted green and dotted blue line flows (forget about the TGW in that diagram).
Essentially, you will create a Gateway Load Balancer endpoint in both spokes and link them to the Gateway LB in the dedicated VPC that has the FortiGate registered with it.
After that, some appliances provide a two-arm design where traffic exits to the internet through the second ENI of the FortiGate via the IGW in the FortiGate/GWLB VPC, or a one-arm design where traffic comes back to the spoke VPC and exits through the spoke VPC IGW.
I just want to give you architectural guidance that what you want to do is achievable.
Here you go.
Don't forget to accept the answer.
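The one-arm layout described in the answer above, written out as an added Terraform example (this is not code from the answer's author, Fortinet or Palo Alto). It assumes the security VPC and the spoke VPC already exist and are passed in as variables, that the spoke application subnet is 10.1.1.0/24, that the FortiGate's inspection ENI IP and the AWS account ID are supplied by the caller, and that the FortiGate answers GWLB health checks on TCP 8008 (all of these are placeholders, not identifiers from the page).

```hcl
# Added example (not from the answer above): GWLB in the security VPC, GWLB endpoint
# in a spoke, and the three spoke route tables the one-arm design needs.
# All variable values are assumptions supplied by the caller, not real identifiers.
variable "security_vpc_id"          { type = string }
variable "security_gwlb_subnet_id"  { type = string }
variable "spoke_vpc_id"             { type = string }
variable "spoke_app_subnet_id"      { type = string }
variable "spoke_gwlbe_subnet_id"    { type = string }
variable "spoke_igw_id"             { type = string }
variable "fortigate_ip"             { type = string } # private IP of the FortiGate inspection ENI
variable "account_id"               { type = string }

locals {
  spoke_app_cidr = "10.1.1.0/24" # assumed CIDR of the spoke application subnet
}

# --- Security VPC: GWLB with the FortiGate registered as a GENEVE target ---
resource "aws_lb" "gwlb" {
  name               = "fortigate-gwlb"
  load_balancer_type = "gateway"
  subnets            = [var.security_gwlb_subnet_id]
}

resource "aws_lb_target_group" "fortigate" {
  name     = "fortigate-geneve"
  port     = 6081     # GENEVE, the only protocol a GWLB target group accepts
  protocol = "GENEVE"
  vpc_id   = var.security_vpc_id

  health_check {
    port     = 8008   # assumed: port the appliance exposes for GWLB health probes
    protocol = "TCP"
  }
}

resource "aws_lb_target_group_attachment" "fortigate" {
  target_group_arn = aws_lb_target_group.fortigate.arn
  target_id        = var.fortigate_ip
}

resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fortigate.arn
  }
}

# Publish the GWLB as an endpoint service so spoke VPCs can attach endpoints to it
resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
  allowed_principals         = ["arn:aws:iam::${var.account_id}:root"] # assumed same-account spokes
}

# --- Spoke VPC: GWLB endpoint (no TGW involved) ---
resource "aws_vpc_endpoint" "gwlbe" {
  vpc_id            = var.spoke_vpc_id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.spoke_gwlbe_subnet_id]
}

# 1) App subnet: default route points at the endpoint, so egress is inspected first
resource "aws_route_table" "spoke_app" { vpc_id = var.spoke_vpc_id }
resource "aws_route" "app_default" {
  route_table_id         = aws_route_table.spoke_app.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe.id
}
resource "aws_route_table_association" "spoke_app" {
  subnet_id      = var.spoke_app_subnet_id
  route_table_id = aws_route_table.spoke_app.id
}

# 2) Endpoint subnet: traffic returned by the FortiGate leaves via the spoke's own IGW
resource "aws_route_table" "spoke_gwlbe" { vpc_id = var.spoke_vpc_id }
resource "aws_route" "gwlbe_default" {
  route_table_id         = aws_route_table.spoke_gwlbe.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = var.spoke_igw_id
}
resource "aws_route_table_association" "spoke_gwlbe" {
  subnet_id      = var.spoke_gwlbe_subnet_id
  route_table_id = aws_route_table.spoke_gwlbe.id
}

# 3) IGW ingress (edge) route table: inbound/return packets for the app subnet are sent
#    back through the endpoint, so both directions of a flow are inspected
resource "aws_route_table" "spoke_igw_ingress" { vpc_id = var.spoke_vpc_id }
resource "aws_route" "igw_to_gwlbe" {
  route_table_id         = aws_route_table.spoke_igw_ingress.id
  destination_cidr_block = local.spoke_app_cidr
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe.id
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = var.spoke_igw_id
  route_table_id = aws_route_table.spoke_igw_ingress.id
}
```

Two things to check before relying on this: the security group on the FortiGate inspection ENI must allow UDP 6081 (GENEVE) and the health-check port from the GWLB subnet, or the target stays unhealthy and the endpoint black-holes the spoke's default route; and the edge association on the IGW is what keeps the return path symmetric, since without it inbound packets would bypass the endpoint entirely. For the two-arm variant in the answer, route table 2 would instead point the default route back at the FortiGate's second ENI in the security VPC and the spoke IGW would not be used for egress.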
Hi, why would you like to achieve this without a transit gateway? Is it a technical requirement, cost? The most suitable answer depends on the reason. If it's because of cost, then there are other options like Gateway Load Balancer, but this also implies a cost; if it is because you would like to get other benefits like load balancing or north-south traffic inspection, then Gateway Load Balancer could be a solution without a transit gateway. If it is another reason and you just want to remove the transit gateway, then before the transit gateway this kind of scenario was deployed using a Transit VPC, where one central VPC (your FortiGate VPC) connects with every other VPC (spoke VPC) through a VPN connection. This architecture comes with its own challenges, and transit gateway was the service that came to resolve them; however, it is still possible to do that configuration.