Build Your Own NAT Gateway on AWS VPC

Yst@IT
3 min read · Jun 21, 2019


This is a brief walkthrough of how to use a Fortigate FW VM in an AWS VPC as a NAT gateway, routing traffic from a private subnet within the VPC to the internet.

There are quite a few prerequisites for this walkthrough, and only a couple of them will be shown here. The prerequisites are:

  1. A VPC with one public and one private subnet
     - Adjust the private subnet route table so that its default route points to the Fortigate FW
  2. Launch a Fortigate FW VM from the AWS Marketplace into the public subnet
     - Disable Source/Destination Check for the FW
     - Adjust the Security Group (S.G.) of the FW accordingly
     - Log in to the Fortigate FW and configure the FW policy
  3. Launch a VM into the private subnet

Let's start with the VPC. After the Fortigate FW VM is created, go to the route table of the private subnet and add a new route that sends all traffic (the default route, 0.0.0.0/0) to the network interface (NIF) of the Fortigate FW.

[Image: AWS fortigate FW NAT]

Now let's work on the Fortigate FW. Since the FW will act as a NAT, Source/Destination Check needs to be disabled from the EC2 console. With the check enabled, AWS drops any packet whose source or destination is not the instance's own address, which is exactly the traffic a NAT gateway must forward.

[Image: AWS fortigate FW NAT]

Log in to the Fortigate FW and create a FW policy that allows traffic from the EC2 instances within the private subnet, and traffic from the internet, to flow through the FW itself. Make sure to enable NAT; without it, traffic won't flow through. Use the default values for the rest of the options and click OK at the bottom.

[Image: AWS fortigate FW NAT]

Since traffic will flow from the EC2 instance to the internet, the Security Group of the Fortigate FW must accept traffic from the EC2 instance. All the rules are generated by default when creating the Fortigate FW, except All traffic and All ICMP. Modify the Source address according to your needs; scoping it to the private subnet's CIDR rather than 0.0.0.0/0 keeps the FW from accepting arbitrary traffic on every port.

[Image: AWS fortigate FW NAT]

And that's it! Now log in to the EC2 instance in the private subnet and verify that everything works. As shown in the images, the EC2 instance only has a private address ending in .3.203, and when I curl for my public address, it returns an address ending in .122, which is the public IP address of my Fortigate FW. So this verifies that my EC2 instance is accessing the internet through the Fortigate FW.

[Image: AWS fortigate FW NAT]

Lastly, we can also see records within the FW log entries showing that the EC2 instance was indeed NATed to the internet through the FW's private IP.

[Image: AWS fortigate FW NAT]
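As an added check that is not part of the original post, the script below parses Fortigate-style key=value forward-traffic log lines and confirms that accepted sessions from the private subnet were translated to the FW's private IP, while sessions accepted by a policy that has NAT switched off are reported separately. The log lines, the subnet 10.0.2.0/24 and the FW IP 10.0.1.122 are constructed placeholders, and the transip/transport field names are assumed to match your FortiOS version's traffic log.

```python
import ipaddress
import re

# Constructed sample Fortigate forward-traffic log lines (key=value format),
# not copied from the post. Placeholder addresses: the EC2 instance in the
# private subnet is 10.0.2.203, the FW's private IP in the public subnet is
# 10.0.1.122. The second line was accepted by a policy without NAT enabled.
SAMPLE_LOG = """\
date=2019-06-21 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.2.203 srcport=51234 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=1 transip=10.0.1.122 transport=51234
date=2019-06-21 time=10:01:05 type="traffic" subtype="forward" srcip=10.0.2.203 srcport=51235 dstip=93.184.216.34 dstport=80 proto=6 action="accept" policyid=2
date=2019-06-21 time=10:01:09 type="traffic" subtype="forward" srcip=198.51.100.7 srcport=4040 dstip=10.0.1.122 dstport=22 proto=6 action="deny" policyid=0
"""

PRIVATE_SUBNET = ipaddress.ip_network("10.0.2.0/24")  # assumed private subnet CIDR
FW_PRIVATE_IP = "10.0.1.122"                           # assumed FW private IP

# key=value pairs; values are either "quoted strings" or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def check_nat(log_text, private_subnet=PRIVATE_SUBNET, fw_ip=FW_PRIVATE_IP):
    """Classify accepted forward sessions originating in the private subnet.

    Returns (nat_ok, no_nat): sessions whose source was translated to the
    FW's IP, and sessions accepted without NAT (transip missing or wrong),
    which is the case the post warns will not reach the internet.
    """
    nat_ok, no_nat = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "forward" or rec.get("action") != "accept":
            continue
        src = rec.get("srcip")
        if not src or ipaddress.ip_address(src) not in private_subnet:
            continue
        (nat_ok if rec.get("transip") == fw_ip else no_nat).append(rec)
    return nat_ok, no_nat


if __name__ == "__main__":
    ok, bad = check_nat(SAMPLE_LOG)
    print(f"{len(ok)} NATed session(s), {len(bad)} accepted without NAT")
    for rec in bad:
        print(f"  policy {rec['policyid']}: {rec['srcip']} -> {rec['dstip']} not translated")
```

Point it at an exported FortiOS traffic log (one event per line) to confirm every outbound policy for the private subnet has NAT enabled.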

Written by Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.