Route all traffic to and from EC2 instances (in a private subnet) to an on-premises Fortigate firewall via site-to-site VPN


Hi Team,

I am collaborating with a customer to migrate their SAP instances to AWS. They are presently utilizing a Fortigate Firewall in their on-premises environment. Their specific request is to maintain the same firewall for managing all traffic to and from their EC2 instances in AWS. Can we set a routing rule to redirect all traffic to the Fortigate? Do we require a separate Fortigate instance on AWS? Do we require any other components (like AWS Network Firewall)?

2 Answers
Accepted Answer

Hello,

To migrate the workloads to AWS you can use the AWS Site-to-Site VPN service. This is a managed AWS service and you don't need to deploy or manage any extra firewalls on the AWS side.

[+] Site-to-Site VPN single and multiple VPN connection examples - https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html

You can set up an AWS Site-to-Site VPN using the steps below:

Step 1: Create a customer gateway > Fortigate External Public IP

Step 2: Create a target gateway > Select Virtual Private Gateway or Transit Gateway if you wish to connect to multiple VPCs.

Step 3: Configure routing

Step 4: Update your security group

Step 5: Create a VPN connection

Step 6: Download the configuration file

Step 7: Configure the customer gateway device (Fortigate firewall)

[+] Getting started with AWS Site-to-Site VPN - https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

You can define routing in Step 3 and Step 5, as that will give the option to add the route pointing towards the on-premises CIDR range.

EXPERT
answered 8 months ago
EXPERT
reviewed 5 months ago
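Added example, not code from the answer or from AWS: the steps above expressed as Terraform (AWS provider), with the private subnet's default route sent through the VPN to the on-premises Fortigate, which is what the question asks for. The VPC, route table, Fortigate public IP and on-premises CIDR values are assumed placeholders; Step 4 (security groups) and Step 7 (the Fortigate-side configuration) are not shown.

```hcl
variable "vpc_id"              { default = "vpc-0123456789abcdef0" }  # assumed
variable "private_rtb_id"      { default = "rtb-0123456789abcdef0" }  # assumed
variable "fortigate_public_ip" { default = "203.0.113.10" }           # assumed, documentation range
variable "onprem_cidr"         { default = "10.10.0.0/16" }           # assumed

# Step 1: customer gateway = the Fortigate's external public IP.
# bgp_asn only matters if you later move to dynamic (BGP) routing.
resource "aws_customer_gateway" "fortigate" {
  bgp_asn    = 65000
  ip_address = var.fortigate_public_ip
  type       = "ipsec.1"
}

# Step 2: target gateway (a Virtual Private Gateway attached to the VPC).
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
}

# Step 5: the VPN connection (AWS always provisions two tunnels).
# Static routing is used here; with BGP the Fortigate would advertise prefixes.
resource "aws_vpn_connection" "to_fortigate" {
  customer_gateway_id  = aws_customer_gateway.fortigate.id
  vpn_gateway_id       = aws_vpn_gateway.vgw.id
  type                 = "ipsec.1"
  static_routes_only   = true
  tunnel1_ike_versions = ["ikev2"]
  tunnel2_ike_versions = ["ikev2"]
}

# Tells AWS which on-premises prefix is reachable through the tunnels.
resource "aws_vpn_connection_route" "onprem" {
  destination_cidr_block = var.onprem_cidr
  vpn_connection_id      = aws_vpn_connection.to_fortigate.id
}

# Step 3: routing. A 0.0.0.0/0 route targeting the VGW sends every non-VPC
# packet (internet-bound included) through the on-premises Fortigate. The table
# must not also hold a 0.0.0.0/0 route to a NAT gateway, and any more specific
# route (e.g. a VPC endpoint prefix) still wins by longest prefix match.
resource "aws_route" "all_traffic_via_fortigate" {
  route_table_id         = var.private_rtb_id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_vpn_gateway.vgw.id
}

# Step 6: the same text the console offers as the downloadable configuration file.
output "fortigate_side_config" {
  value     = aws_vpn_connection.to_fortigate.customer_gateway_configuration
  sensitive = true
}
```

Because the default route now leaves the VPC, instances in that subnet reach AWS APIs only through the Fortigate's internet path or through VPC endpoints added to the route table.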

You can inspect all of your traffic to/from AWS using an on-premises firewall as you describe. Private connectivity to AWS can be achieved using Direct Connect or Site-to-Site VPN. In either case, the network topology on the customer side can be configured to use the firewalls.

Note that you can also inspect traffic on the AWS side using Fortigate firewalls and Gateway Load Balancer. This is explained in the documentation - but it is an option as traffic can be inspected on premises.

AWS
EXPERT
answered 8 months ago
  • Thank you so much Brettski for your inputs. It clarified my doubts.
