
High Level Design
Ingress Design using the Aviatrix FireNet FortiGates:

All FortiGates receive sessions from the load balancer as long as they pass its health checks. An Active-Passive (A-P) cluster behind the load balancer is an option, but standalone FortiGate units behind the load balancer, spread across multiple Availability Zones (AZs), are generally the better choice: the load balancer already handles failover, and this layout survives the complete loss of an AZ.
For reference, I have attached the Aviatrix Transit Firewall Network design for FortiGate firewalls below:
- Port 1 is the port/interface facing the internet (untrusted)
- Port 2 is the port/interface facing the Aviatrix Transit Gateways (trusted)

The application flow is shown below:

Aviatrix Transit Configuration
Enable Firenet
Navigate to CoPilot -> Security -> Firenet and click on the +Firenet button. Select the transit gateway you want to enable the feature:

Click Add.
FortiGate Deployment
In the AWS Marketplace portal, search for Fortinet FortiGate Next-Generation Firewall and accept the terms for Fortinet FortiGate Next-Generation Firewall on AWS Marketplace:

Go back to CoPilot and deploy a pair of firewalls, one per Availability Zone:

Web Server
For testing purposes, I created a spoke VPC and deployed an EC2 instance in it running NGINX on port 80 (10.208.132.45):

Load Balancer
Create a target group to expose the web server running on port 80:

VPC and Health checks:

Select the firewalls as targets, choose port 80, and register them (they will show as pending):

Health checks will fail for now because the firewall is not configured yet. Note that the health check itself is sent to the FortiGate's port1 address on port 80, so once the VIP and policy exist it is DNATed to the web server like any other request: the target only becomes healthy if the web server answers, and the policy's source must include the load balancer's addresses.
Create an Application Load Balancer (ALB) to expose HTTP and HTTPS applications; the ALB offers advanced features such as WAF and other integrations. For non-HTTP/HTTPS applications, deploy a Network Load Balancer (NLB) instead. Keep in mind that an NLB with instance targets preserves the client IP by default, so the FortiGate then sees the internet client's address as the source rather than the NLB's private address, and the firewall policy must be written accordingly.

Possible ALB integrations:

The ALB/NLB scheme is internet-facing:

We will deploy it in the same VPC where the Aviatrix Transit Gateways were deployed:

We will place the load balancer interfaces in the “-Public-FW-ingress-egress-” subnets across two different zones.
FortiGate Configuration
Confirm that the Source/Destination check is disabled on the FortiGate EC2 instances. It must be off because traffic returning from the spoke arrives on port2 addressed to the load balancer, not to the firewall, and AWS would otherwise drop it:

Access the management GUI and create a VIP for the web server:
- External IP address is the FortiGate private interface IP address facing the load balancers (port 1)
- Map to IPv4 address/range is the web server's private IP address

Create a firewall policy to allow the traffic:
- Incoming Interface: port 1
- Outgoing Interface: port 2
- Source: all (restricting this to the load balancer's private addresses is the recommended approach; use the CIDRs of the subnets the ALB was placed in rather than individual node IPs, since ALB node addresses can change)
- Destination: VIP address
- Service: HTTP
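The same VIP and policy expressed in the FortiOS CLI, as an added example rather than a transcription of the page's GUI screenshots. The FortiGate port1 address (10.208.1.10) and the two load balancer subnet CIDRs (10.208.1.0/24 and 10.208.2.0/24) are assumed; the web server address is the one used on this page. The policy source is restricted to the load balancer subnets, which also covers the health checks the load balancer nodes send:

```fortios
# Address objects for the subnets the load balancer lives in (CIDRs assumed)
config firewall address
    edit "alb-subnet-az1"
        set subnet 10.208.1.0 255.255.255.0
    next
    edit "alb-subnet-az2"
        set subnet 10.208.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "alb-subnets"
        set member "alb-subnet-az1" "alb-subnet-az2"
    next
end

# VIP: tcp/80 on the port1 address (assumed 10.208.1.10) is DNATed to the web server
config firewall vip
    edit "vip-web-80"
        set extintf "port1"
        set extip 10.208.1.10
        set mappedip "10.208.132.45"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Policy: only the load balancer subnets may reach the VIP, port1 -> port2, HTTP only
config firewall policy
    edit 0
        set name "ingress-web-80"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "alb-subnets"
        set dstaddr "vip-web-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
```

Because the destination of the policy is the VIP object, the DNAT happens before policy lookup; a policy whose destination is the plain port1 address would not match the translated flow.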

Testing
Identify the ALB/NLB DNS name from the ALB/NLB properties:

Using a browser, access it:

Curl it from a terminal:

Exposing More Applications
The key to exposing more applications is that the firewall must be able to steer each flow to the right backend via DNAT, so every application needs something that distinguishes it at the firewall:

There are multiple ways of accomplishing this, and the options are covered below.
Host-Based Routing
- Add target groups for each application (e.g., TargetGroup-App1, TargetGroup-App2).
- Configure listener rules to route traffic based on the host header:
  - Example: Host: app1.example.com → TargetGroup-App1.
  - Example: Host: app2.example.com → TargetGroup-App2.
- Ensure DNS records (e.g., CNAME) point app1.example.com and app2.example.com to the ALB’s DNS name.

Path-Based Routing
Route traffic to different applications based on the URL path (e.g., example.com/app1, example.com/app2).
- Create separate target groups for each application.
- Configure listener rules to route traffic based on the path pattern:
  - Example: Path: /app1/* → TargetGroup-App1.
  - Example: Path: /app2/* → TargetGroup-App2.
Combination of Host- and Path-Based Routing
Combine host and path rules for more complex routing (e.g., app1.example.com/api → App1, app2.example.com/api → App2).
- Use listener rules that combine host header and path pattern conditions.
  - Example: Host: app1.example.com AND Path: /api/* → TargetGroup-App1.
Multiple Ports or Protocols
- Route traffic based on different listener ports (e.g., 80 for App1, 8080 for App2), each with its own target group registering the firewalls on that port.
- The services differ, so the firewall distinguishes the applications by destination port: one VIP per external port, each mapped to its own backend.
Using Multiple Load Balancers
- Deploy separate ALBs or NLBs for each application.
- The source IPs differ, since each load balancer has its own private addresses, so the firewall distinguishes the applications by source address (a source filter on the VIP) even when they share the same external port.
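An added example (not from the page or the Aviatrix documentation) extending the single VIP from the FortiGate Configuration section to the last two options: a second application reached on listener port 8080, distinguished by destination port, and a third application behind a separate load balancer on port 80, distinguished by that load balancer's source subnets via src-filter. The backend addresses 10.208.140.20 and 10.208.150.30, the port1 address 10.208.1.10, the subnet CIDRs and the VIP name "vip-web-80" for the existing web VIP are assumed, as is that the FortiOS build in use accepts two VIPs sharing extip and extport when their src-filter lists are disjoint:

```fortios
config firewall vip
    # App2: same external address, different external port (8080 -> backend 80)
    edit "vip-app2-8080"
        set extintf "port1"
        set extip 10.208.1.10
        set mappedip "10.208.140.20"
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
    # App3 behind a second load balancer on port 80: only flows from that
    # load balancer's subnets (assumed 10.208.3.0/24 and 10.208.4.0/24) match
    edit "vip-app3-80"
        set extintf "port1"
        set extip 10.208.1.10
        set mappedip "10.208.150.30"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
        set src-filter "10.208.3.0/24" "10.208.4.0/24"
    next
    # The existing web VIP (assumed name) must now be limited to the first
    # load balancer's subnets so the two port-80 VIPs do not overlap
    edit "vip-web-80"
        set src-filter "10.208.1.0/24" "10.208.2.0/24"
    next
end

# Address object for the second load balancer's subnets (used by the App3 policy)
config firewall address
    edit "alb2-subnets"
        set subnet 10.208.3.0 255.255.254.0
    next
end

# One policy per VIP; custom service for the 8080 listener
config firewall service custom
    edit "HTTP-8080"
        set tcp-portrange 8080
    next
end

config firewall policy
    edit 0
        set name "ingress-app2-8080"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-app2-8080"
        set action accept
        set schedule "always"
        set service "HTTP-8080"
        set logtraffic all
    next
    edit 0
        set name "ingress-app3-80"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "alb2-subnets"
        set dstaddr "vip-app3-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
```

Host- and path-based routing need nothing extra on the firewall: the ALB picks the target group, and every target group still points at the same FortiGate port/VIP, which is why those options only work when the applications sit behind one backend listener or are separated by port or load balancer as above.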
Packet Capture on FortiGate NGFWs
Use the built-in sniffer on the FortiGate CLI to confirm that the load balancer's requests and health checks actually arrive on port1 (append a verbosity level such as 4 to also print the interface names):
diagnose sniffer packet port1 "port 80"
Bucket Policy
If you want to enable access logging for the ALB/NLB, you will need to create an S3 bucket and a bucket policy that allows the load balancer to write into it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket name>/AWSLogs/<account number>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
This service principal applies to ALB access logs in Regions launched in August 2022 or later; in older Regions the policy must instead grant the Region's Elastic Load Balancing account ID, and NLB access logs use the delivery.logs.amazonaws.com principal. Check the AWS documentation for your Region before copying the policy.
Reference
https://docs.aviatrix.com/documentation/latest/security/fortigate-ingress-protection-firenet.html