Setup FortiGate on AWS and Force All EC2's Traffic Through It

Setup FortiGate on AWS

Once in a while, I encounter cases where I need to help a customer set up their FortiGate locally. Honestly, I'm not a networking expert, nor have I had the chance to manage or operate all those networking devices, so sometimes I find it difficult or inefficient to help the customers.

Therefore, I came up with this very basic lab just to practice and make myself more comfortable with configuring FortiGate. The idea is pretty simple: I will set up a FortiGate and two EC2 instances. One EC2 (A) is configured without a public IP, so that all of its outbound traffic goes through the FortiGate. The other EC2 (B) just acts as a bastion for logging in to the first EC2.

I will not go through all the steps in detail, only the points that are easily missed. The steps are:

  1. Create a VPC with 2 subnets in it, FW and VM. Don't forget to enable auto-assign public IP on both subnets.
  2. If you aren't using the VPC wizard to create the VPC, remember to create an Internet Gateway (IGW) and attach it to the VPC you just created.
  3. Once the IGW is created, add a route pointing to your IGW in your route table.
  4. Create the FortiGate in the FW subnet. Once done, disable the source/destination check. Also, modify the NSG to allow LAN traffic so that the VM can send outbound traffic through it.
  5. Create VM A in the VM subnet, making sure no public IP is assigned.
  6. Create a new route table, configure a route directing all traffic to the FortiGate, and apply this new route table to the VM subnet. By doing so, all traffic from the VM subnet is forced to go through the FortiGate.
  7. Configure the FortiGate to accept and route the traffic.

That's it! It seems like a lot of things to do, but it's actually not that difficult. Let's get started!

Once the subnet is created, enable Auto-assign IPv4.

Once the IGW is created, attach it to your VPC.

Once the FW is created, turn off the source/destination check and modify its NSG to allow LAN access.

After the VM is created in the VM subnet, create a new route table, add a route pointing to the FortiGate, and apply it to the VM subnet, forcing all traffic to go to the FG.

Log in to the FW and add a FW policy allowing LAN traffic outbound to the WAN.

Lastly, log in to the VM from the bastion and verify that it can access the internet through the FW!

There are a couple of ways to get your LAN IP; this is just a fancy one..... In fact, the LAN IP is shown on the command line XD.
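The VPC side of steps 1 to 6 expressed as a Terraform configuration, so the easily-missed settings (auto-assign public IP, the source/destination check, and the two different default routes) are visible in one place. This is an added example, not part of the original post: the FortiGate AMI id is a placeholder variable, the instance type and CIDRs are assumptions, and the VM itself (step 5) and the FortiGate policy (step 7) are left out.

```hcl
variable "fortigate_ami" { type = string } # placeholder: FortiGate AMI id, not a value from the post
resource "aws_vpc" "lab" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.lab.id }
# Step 1: FW and VM subnets, auto-assign public IPv4 enabled on both.
resource "aws_subnet" "lab" {
  for_each                = { fw = "10.0.1.0/24", vm = "10.0.2.0/24" }
  vpc_id                  = aws_vpc.lab.id
  cidr_block              = each.value
  map_public_ip_on_launch = true
}
# Steps 2-3: default route to the IGW in the VPC main route table (the FW subnet uses it).
resource "aws_default_route_table" "main" {
  default_route_table_id = aws_vpc.lab.default_route_table_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
# Step 4: security group that admits all traffic from the VM (LAN) subnet.
resource "aws_security_group" "fw" { vpc_id = aws_vpc.lab.id }
resource "aws_vpc_security_group_ingress_rule" "lan" {
  security_group_id = aws_security_group.fw.id
  cidr_ipv4         = aws_subnet.lab["vm"].cidr_block
  ip_protocol       = "-1"
}
resource "aws_vpc_security_group_egress_rule" "wan" {
  security_group_id = aws_security_group.fw.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
# Step 4: source/destination check OFF, otherwise AWS drops the packets the FortiGate forwards.
resource "aws_instance" "fortigate" {
  ami                    = var.fortigate_ami
  instance_type          = "c5.large"
  subnet_id              = aws_subnet.lab["fw"].id
  vpc_security_group_ids = [aws_security_group.fw.id]
  source_dest_check      = false
}
# Step 6: the VM subnet's default route targets the FortiGate ENI, not the IGW.
resource "aws_route_table" "vm" {
  vpc_id = aws_vpc.lab.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.fortigate.primary_network_interface_id
  }
}
resource "aws_route_table_association" "vm" {
  subnet_id      = aws_subnet.lab["vm"].id
  route_table_id = aws_route_table.vm.id
}
```

If the VM in the VM subnet is later given a public IP or its route table is swapped back to the main one, it bypasses the FortiGate silently, so checking the subnet's route table association is the first thing to verify when traffic stops showing up in the FW logs.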

ip -f inet a | grep inet | awk '{print $2}' | cut -d / -f 1 | grep -v '^127\.'   # the last grep drops the loopback address

From the result, we can confirm that the VM can access the internet without a public IPv4 address, and since the source IP seen by the remote side is the FG's IP, we can be sure that the VM's outbound traffic goes through the FW.

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.