How to Quickly and Securely Connect to AWS Using Fortinet SD-WAN
By Sumit Mahla, Consulting Systems Architect – Fortinet
By Andy Pettica, Sr. Solutions Architect – AWS
Amazon Web Services (AWS) provides an extensive suite of networking services to simplify the delivery of customer connectivity requirements. For those early in their cloud adoption journey, establishing secure hybrid connectivity to existing on-premises locations enables a flexible yet controlled path for business transformation.
Traditional private wide area networks (WANs) are often slow to deploy, difficult to modify, and can be prohibitively expensive for the ever-growing bandwidth requirements of modern applications.
To address these challenges, software defined wide area networks (SD-WANs) provide greater flexibility and agility for connecting locations over significant geographical distances. Edge sites can include traditional branch offices, but also extends to the telco edge and remote industrial applications such as mine sites or oil and gas installations.
Integrating Fortinet SD-WAN with AWS networking services provides flexible, secure, and scalable connectivity to accelerate digital transformation. For existing Fortinet customers, this reduces the time-to-value by leveraging existing infrastructure and workforce skill sets within a familiar security framework that is consistent across the hybrid environment.
In this post, we’ll show how to establish secure, private connectivity to AWS with Fortinet SD-WAN, and then cover some of the use cases accelerated by this architecture.
The figure below shows the high-level architecture of Fortinet’s solution. Connectivity to a multi-virtual private cloud (VPC) environment is set up by integrating a FortiGate SD-WAN Hub with AWS Transit Gateway Connect.
Remote sites connect privately over the SD-WAN with the FortiGate appliances, providing north-south inspection for cloud-hosted applications. The SD-WAN Hub can also provide firewalled internet connectivity if required.
This pattern can be repeated in multiple AWS regions to locate applications closer to end users or for multi-region redundancy.
Figure 1 – FortiGate SD-WAN Hub with AWS Transit Gateway Connect.
Establishing Connectivity to AWS
This deployment uses an active-passive architecture for FortiGate; this can also be set up in an active-active configuration. Refer to the Fortinet documentation and the Fortinet team in your local region to learn more about these options.
- Create the SD-WAN Hub in the security virtual private cloud (VPC). AWS CloudFormation templates are available in the Fortinet GitHub repository to get started quickly. Deploy the security VPC using the “BASE VPC” template and deploy the multi-Availability Zone (AZ) FortiGate appliances using the “FGCP dual AZ” template.
- Configure AWS Transit Gateway Connect attachments for both FortiGate appliances with the settings highlighted below. For further details on AWS Transit Gateway Connect configuration, refer to the documentation or this AWS blog post.
Figure 2 – AWS Transit Gateway Connect peers.
- Configure generic routing encapsulation (GRE) on the FortiGate appliances to bring up the tunnels to AWS Transit Gateway.
Figure 3 – Establish AWS Transit Gateway Connect GRE tunnels.
- Configure GRE tunnel interface IPs using the FortiGate graphical user interface (GUI).
Figure 4 – FortiGate GRE tunnel interface configuration.
- Configure static routes for the Transit Gateway CIDR range, which is required for FortiGate to reach the Transit Gateway CIDR using a private interface (port 2) elastic network interface (ENI).
Figure 5 – FortiGate static route configuration.
- Configure border gateway protocol (BGP) on the FortiGate appliances to establish dynamic routing. Note that only the primary FortiGate (with role active) will have the GRE tunnel and BGP status showing as “Up.”
- On failure, the secondary appliance (with role passive) becomes the active unit and establishes connectivity via the secondary GRE tunnel and BGP connection.
Figure 6 – Establish AWS Transit Gateway Connect BGP sessions.
- Configure the firewall policy to permit GRE and BGP traffic on both FGT1 and FGT2 appliances in addition to north-south traffic policy. All traffic is permitted in this example for simplicity but is not recommended for production deployments where least privilege access should be implemented.
Figure 7 – FortiGate firewall policy.
- Add a static route for TGW CIDR in the security VPC for FortiGate private interface (port 2). This allows traffic from FortiGate to reach out to the CIDR range using the Transit Gateway attachment. Without this, your connectivity with AWS Transit Gateway Connect would not come up.
Figure 8 – FortiGate static route configuration.
- Configure SD-WAN Hub to integrate branch/edge spoke sites. With the Fortinet SD-WAN Hub connected to the broader AWS environment, connectivity to the remote SD-WAN branch/edge sites or other existing SD-WAN Hubs can be configured. These can be integrated with your choice of connections: virtual private network (VPN) overlays over the internet, or AWS Direct Connect for applications requiring low-latency and guaranteed throughput.
Having stepped through the cloud-based SD-WAN Hub deployment, let’s look at broader SD-WAN integration patterns.
Spoke sites connect to the cloud-based SD-WAN Hub in a similar fashion to any existing hub sites hosted on-premises.
The figure below shows a typical deployment with redundant VPN overlay connections from the branch spoke site to the hub. If even greater redundancy or application localization is required, multiple hubs can be deployed, which we’ll review next.
Figure 9 – FortiGate SD-WAN Hub-spoke with VPN overlays.
Multi-hub configurations enable a new cloud-hosted SD-WAN Hub to interoperate with existing on-premises hubs, making the transition to cloud seamless.
Additional hubs can be deployed for regional redundancy or to host applications closer to customers around the globe. The figure below shows a multi-region architecture with a dual-homed branch spoke site.
Figure 10 – Multi-region FortiGate SD-WAN Hubs with dual-homed spoke site.
These patterns can be modified and combined to optimize connectivity for your organizational requirements. Now, let’s dive deeper into the use cases this connectivity enables.
Accelerate Digital Transformation
- Cloud migrations require secure connectivity between existing on-premises locations and AWS. Leveraging this architecture, secure connectivity can be tailored to the requirements of the workloads and the migration approach itself. This can reduce risk by offering a staged approach to moving workloads, or allow applications to run in a hybrid state. For example, an organization may choose to run applications in the cloud but maintain systems of record (SOR) or supervisory control and data acquisition (SCADA) data on premises while the organization matures its cloud capabilities.
- Consuming native AWS services from on-premises locations over secured networks brings the power of cloud to existing applications. Consume services that eliminate undifferentiated heavy-lifting and pay only for what you use. For example, you could leverage Amazon Simple Storage Service (Amazon S3) with 99.999999999% (11 9s) durability and flexible storage classes over more costly, less durable on-premises alternatives. See a full list of AWS services that can be accessed via private connectivity.
- Cloud access direct from branch or remote-edge locations can be achieved with this Fortinet SD-WAN architecture to provide an optimal path to applications regardless of location.
- Optimize peer-to-peer (P2P) data paths for applications with user-to-user connectivity and a remote control plane, such as collaborative applications. Fortinet SD-WAN application steering for P2P simplifies the delivery or migration by building secure, optimized paths for data and control traffic.
Fortinet SD-WAN integrated with native AWS networking services enables simple, secure, and scalable hybrid architectures to accelerate your business transformation.
To get started, launch a template configuration to begin exploring Fortinet SD-WAN connectivity to AWS. If you’d like to learn more about how Fortinet solutions can simplify your cloud adoption, reach out via firstname.lastname@example.org or review the Fortinet Cloud Security for AWS portal.
You can also learn more about Fortinet in AWS Marketplace.
Fortinet – AWS Partner Spotlight
Fortinet is an AWS Networking Competency Partner that secures the largest enterprise, service providers and government organizations around the world.