Amazon AWS Official Blog

Integrating the Transit Gateway Connect attachment type with FortiGate security services | How to integrate Transit Gateway Connect with Fortinet FortiGate



1. Introduction to Transit Gateway Connect.

Software-Defined Wide Area Networks (SD-WAN) have long served as means to connect data centers and branch offices over public Internet connections. In modern architectures, the scope of these networks expanded to include public cloud. However, traditional SD-WAN solutions may not always be well-suited for this task, often increasing complexity of network design, configuration and maintenance.

Many Amazon Web Services (AWS) customers are leveraging AWS Transit Gateway to connect their global networks to the AWS network. With the launch of AWS Transit Gateway Connect, there is now a native way to seamlessly extend your SD-WAN edge into AWS, without the need to set up multiple IPsec VPNs between the SD-WAN appliances and Transit Gateway. Transit Gateway Connect is a new attachment type that supports Generic Routing Encapsulation (GRE) tunnel protocol for improved bandwidth and Border Gateway Protocol (BGP) for dynamic routing updates, eliminating the need to configure static routes. This simplifies network design and reduces the associated operational burden.

Benefits of Transit Gateway Connect:

  • Native integration: You can now natively connect your network to AWS Transit Gateways without having to configure complex IPsec VPN connections. Dynamic routing capability further simplifies route management across hybrid cloud environments.
  • Higher bandwidth interconnects between SD-WAN and AWS cloud: You no longer need to manage and operate multiple IPsec VPN connections between your third-party appliances and Transit Gateway to support higher bandwidth. Transit Gateway Connect does this by using GRE tunnels that are scaled horizontally to provide higher bandwidth within a single Connect attachment. This increases total bandwidth to 20 Gbps per Connect attachment.
  • Increased visibility: Integration with Transit Gateway Network Manager gives you increased levels of visibility into your network health. It shows you performance metrics and telemetry data, not only from virtual appliance instances in AWS, but also from branch appliances sitting behind them. Now you can truly monitor your end-to-end network, across AWS and on-premises.
  • End-to-End Management: You can perform end-to-end management of your global network with a single orchestration platform. Transit Gateway Connect does this through deeper integration with APN Partner SD-WAN orchestration platforms and gives you the ability to update Transit Gateway route tables, resulting in more intelligent routing decisions.
  • Security and Compliance: You can use private IP addresses on your third-party virtual appliances by using Transit Gateway Connect to establish connectivity and reachability to resources located in AWS Virtual Private Clouds (VPC), decreasing the need for internet routable public IPs.

2. Gateway Connect reference architectures.

Transit Gateway Connect can establish connection in two ways:

  • It can connect to an SD-WAN appliance deployed in a VPC (Figure 1)
  • It can first connect to an on-premises data center via AWS Direct Connect and then connect to an appliance on the local network (Figure 2)

With the Connect attachment type, GRE packets from third-party appliances are routed based on the associated route table of the Connect attachment. A GRE tunnel is established between Transit Gateway and the third-party appliance. You can then establish BGP peering with the Transit Gateway within the GRE tunnel to securely exchange routing information.

Figure 1 – Transit Gateway Connect with a virtual appliance.

Figure 2 – Transit Gateway Connect with AWS Direct Connect

3. Transit Gateway Connect integration with Fortinet FortiGate.

In this example we will review the process of integrating Transit Gateway Connect with FortiGate.

Components of the sample architecture:

  • Customer workloads are deployed in Application VPCs. We recommend establishing Transit Gateway attachments in dedicated subnets.
  • FortiGate appliances are deployed in Security VPC with two availability zones, each consisting of three subnets: public, private, and a subnet for a Transit Gateway attachment. FortiGate appliance has two network interfaces, one in the public subnet and another in the private subnet.
  • Transit Gateway securely connects the spoke Application VPCs and the hub Security VPC. VPCs communicate through VPC attachments. The Security VPC sends and receives traffic to and from the transit gateway over GRE tunnels using the Connect attachment, one tunnel in each availability zone.

3.1 Transit Gateway Connect attachment

A Connect attachment uses an existing VPC attachment as the underlying transport mechanism. This is referred to as the transport attachment. Transit Gateway Connect supports a maximum bandwidth of 5 Gbps per GRE tunnel. Bandwidth above 5 Gbps is achieved by advertising the same prefixes across multiple GRE tunnels for the same Connect attachment. A maximum of four Connect peers are supported per Connect attachment at the time of launch. The FortiGate appliance must be configured with BGP for dynamic route updates and health checks.

3.2 Create VPCs and subnets

Create three VPCs – two Application VPCs and one Security VPC

Security VPC subnet 10.0.0.0/24

Create subnets. Each Application VPC has one subnet. Security VPC has two availability zones and six subnets, three per availability zone.

4. Install and test a web server in the Application VPC

Install a Linux server in the Application VPC, and install the Apache web server and SSH server for testing.

Install the web service

Start the web service

sudo systemctl start httpd
sudo systemctl enable httpd

Create another Linux server with Apache web server and SSH server in the second Application VPC

5. Create FortiGate instances in Security VPC

Create a FortiGate instance in each availability zone in Security VPC. If redundancy is not required, you can create a single FortiGate instance. For detailed FortiGate deployment steps, please refer to the documentation at https://docs.fortinet.com.

Each FortiGate instance has two network interfaces, one in the public subnet, and one in the private subnet.

Deploy FortiGate and activate license. You can select any official FortiGate version published in the Amazon Cloud Marketplace. In this guide, we have used FortiGate 6.4.5

6. Create and configure the Transit Gateway

In this section, we will discuss the steps to create a Transit Gateway and configure Connect attachment to FortiGate instances in the Security VPC.

6.1 Transit Gateway

From the Amazon Cloud Management Console, navigate to “VPC -> Transit Gateway ->Transit Gateway”, and click “Create New Transit Gateway”

The transit gateway uses BGP to exchange routes with the FortiGate security gateway, so specify the ASN the transit gateway will use. The Connect attachment type also creates GRE tunnel endpoints on the transit gateway, so you must specify a CIDR block from which the GRE tunnel endpoint addresses are assigned.

Use the default BGP ASN 64512 and the 1.0.0.0/24 transit gateway CIDR block here, leaving the rest of the parameters at their default values.

6.2 Connect the transit gateway to the VPC attachment

The Security VPC and the Application VPCs must be attached to the transit gateway using the VPC attachment type. For an Application VPC, the attachment can be created in the application subnet or in a private subnet. The Security VPC has two FortiGates in two different Availability Zones; each Availability Zone needs its own transit gateway attachment, created in the dedicated transit gateway subnet.

VPC->Transit Gateway->Transit Gateway Connection, click “Create Transit Gateway Attachment” and select the VPC connection type.

The following screenshot shows creating a VPC connection for a secure VPC. Two private subnets for transit gateway connections are selected during the creation process.

Similarly, create transit gateway connections for the two application VPCs.

All three VPCs are connected to a transit gateway

6.3 Connect attachment to the transit gateway

With the underlying VPC attachment to the transit gateway in place, create the Connect-type transit gateway attachment layered on top of it.

VPC->Transit Gateway->Transit Gateway Connection, click “Create Transit Gateway Attachment” and select the connection type.

At this point, the transit gateway has 4 attachments

6.4 Transit gateway route table

In this guide, all three VPCs are connected to the same transit gateway route table. All three VPCs propagate routes to the same route table. If you need to control and secure the east-west traffic between the application VPCs, you need multiple transit gateway route tables to achieve business isolation, so that inter-business traffic can pass through the Fortigate secure gateway.

By default, the transit gateway associates and transmits routes to the connected VPC, and publishes routes to the default route table of the transit gateway.

VPC->Transit Gateway->Transit Gateway Route Table

There are 3 VPC routes in the default route table

The Security VPC does not need to propagate its whole VPC route through the VPC attachment; its routes will later be advertised over BGP through the Connect attachment. Therefore, in this route table, remove the Security VPC attachment and keep only the two business VPC attachments and the Connect attachment.

Pass two business VPC routes in the route table

6.5 Connect peers

Connect peers are the GRE and BGP virtual links between the FortiGate security gateway in the Security VPC and the transit gateway. They are added under the Connect attachment created in the previous step.

VPC->Transit Gateway->Transit Gateway Connection, click the connect-type connection created previously, and click the connect peers subpanel.

When creating a Connect peer, the peer GRE address is the interface address the FortiGate security gateway uses to terminate the GRE tunnel, here the port2 interface IP. The BGP inside CIDR block provides the GRE tunnel interface addresses and its network mask must be 29 bits. The peer ASN is the FortiGate-side AS.

If you create two Fortigate secure gateways in two Availability Zones, create two CONNECT PEERS for each.

After the transit gateway has created connect peers, the GRE endpoint address and GRE tunnel address are assigned to the Connect Peers connection table. Since the Fortigate side has not yet been configured, the connect peers neighbor is in a down state at this time.

7. VPC subnet route table

Adjust the route tables for the three VPCs to flow business traffic from the application VPC to the secure VPC.

7.1 Business VPC route table

The two business VPCs no longer have a route to the Internet. Traffic to any destination outside the business VPC must be routed through the transit gateway to the Security VPC Internet exit or to the other VPC, so add or modify the default route in the VPC route table to point to the transit gateway.

7.2 Secure VPC Route Tables

The secure VPC has three subnets in each AZ, and the GRE tunnel will be terminated on the FortiGate port2 interface. A route to the GRE peer address 1.0.0.0/24 segment needs to be added to point to the transit gateway.

8. Fortigate security gateway configuration

GRE tunnels, tunnel interface IPs, BGP routes, static routes, and firewall policies need to be configured on the FortiGate secure gateway.

8.1 Static Route Configuration

Add a static route on the FortiGate for the GRE endpoint network segment 1.0.0.0/24, exiting via the port2 interface, so that the GRE tunnel to the transit gateway can be established. The next hop address is the first IP in the port2 subnet.

Fortigate-1:
config router static
    edit 1
        set dst 1.0.0.0 255.255.255.0
        set gateway 10.0.0.17
        set device "port2"
    next
end

Fortigate-2:
config router static
    edit 1
        set dst 1.0.0.0 255.255.255.0
        set gateway 10.0.0.81
        set device "port2"
    next
end

8.2 GRE configuration

The endpoint address used to create the GRE tunnel has been assigned to the peers connected to the transit gateway. According to the assigned IP, create a GRE tunnel on the FortiGate security gateway.

Fortigate-1:
config system gre-tunnel
    edit "tgwc"
        set interface "port2"
        set remote-gw 1.0.0.4
        set local-gw 10.0.0.29
    next
end

Fortigate-2:
config system gre-tunnel
    edit "tgwc"
        set interface "port2"
        set remote-gw 1.0.0.131
        set local-gw 10.0.0.90
    next
end

8.3 Configure GRE Tunnel Interface IP

Configure the GRE tunnel interface IP according to the IP assigned by the transit gateway connect peers. This IP address is used to establish BGP neighbors.

Fortigate-1:
config system interface
    edit "tgwc"
        set ip 169.254.120.1 255.255.255.255
        set allowaccess ping 
        set remote-ip 169.254.120.2 255.255.255.248
    next
end

Fortigate-2:
config system interface
    edit "tgwc"
        set ip 169.254.121.1 255.255.255.255
        set allowaccess ping 
        set remote-ip 169.254.121.2 255.255.255.248
    next
end

The GRE endpoint address on the transit gateway cannot be pinged, but the GRE tunnel interface IP can. Verify that the Connect-type attachment is working by pinging the transit gateway's GRE tunnel interface IP 169.254.x.x from the FortiGate.

8.4 Configure BGP

On each FortiGate, configure two BGP neighbors, one for each of the two transit gateway addresses in the Connect peer's inside CIDR block, enable eBGP multihop, and advertise a default route and the Security VPC subnet route to the neighbors.

Fortigate-1:
config router bgp
    set as 65510
    set router-id 169.254.100.1
    config neighbor
        edit "169.254.120.2"
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64512
        next
        edit "169.254.120.3"
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 10.0.0.16 255.255.255.240
        next
    end
end
Fortigate-2:
config router bgp
    set as 65511
    set router-id 169.254.100.2
    config neighbor
        edit "169.254.121.2"
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64512
        next
        edit "169.254.121.3"
            set capability-default-originate enable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 10.0.0.80 255.255.255.240
        next
    end
end
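The Connect peer parameters from 6.5 map directly onto the static route, GRE tunnel, tunnel interface and BGP stanzas in 8.1 to 8.4. The script below is an added example (not code from AWS, Fortinet or this post) that checks one peer against the constraints stated above (peer GRE address inside the port2 subnet, GRE endpoint inside the 1.0.0.0/24 transit gateway CIDR, a /29 inside CIDR from 169.254.0.0/16), derives the addresses the page uses (.1 for the appliance, .2 and .3 for the two transit gateway BGP peers, first subnet IP as static next hop) and renders the matching FortiOS CLI; the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass

TGW_GRE_CIDR = ipaddress.ip_network("1.0.0.0/24")    # transit gateway CIDR chosen in 6.1
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # inside CIDR blocks are carved from here

@dataclass(frozen=True)
class ConnectPeer:
    name: str             # FortiGate hostname, e.g. "Fortigate-1"
    port2_subnet: str     # private subnet holding port2, e.g. "10.0.0.16/28"
    local_gw: str         # port2 IP, entered as the Connect peer's "peer GRE address"
    tgw_gre_address: str  # GRE endpoint the transit gateway assigned from TGW_GRE_CIDR
    inside_cidr: str      # "BGP inside CIDR block", must be a /29
    peer_asn: int         # FortiGate side AS
    tgw_asn: int = 64512  # transit gateway AS from 6.1

def derive(peer: ConnectPeer) -> dict:
    """Check the peer against the constraints stated on the page and return the
    addresses the FortiOS stanzas in 8.1-8.4 need."""
    subnet = ipaddress.ip_network(peer.port2_subnet)
    inside = ipaddress.ip_network(peer.inside_cidr)
    if ipaddress.ip_address(peer.local_gw) not in subnet:
        raise ValueError(f"{peer.name}: local-gw {peer.local_gw} is not in {subnet}")
    if ipaddress.ip_address(peer.tgw_gre_address) not in TGW_GRE_CIDR:
        raise ValueError(f"{peer.name}: GRE endpoint must come from {TGW_GRE_CIDR}")
    if inside.prefixlen != 29 or not inside.subnet_of(LINK_LOCAL):
        raise ValueError(f"{peer.name}: inside CIDR must be a /29 within {LINK_LOCAL}")
    hosts = list(inside.hosts())  # .1 .. .6 of the /29
    return {
        "static_gateway": str(next(subnet.hosts())),     # first IP of the port2 subnet (8.1)
        "tunnel_ip": str(hosts[0]),                       # appliance end of the tunnel (8.3)
        "tgw_neighbors": [str(hosts[1]), str(hosts[2])],  # the two BGP peers on the TGW (8.4)
        "inside_mask": str(inside.netmask),
    }

def render_fortios(peer: ConnectPeer) -> str:
    """Emit static route, GRE tunnel, tunnel interface and BGP config for one peer."""
    d = derive(peer)
    neighbors = "".join(
        f'        edit "{n}"\n            set remote-as {peer.tgw_asn}\n'
        "            set ebgp-enforce-multihop enable\n        next\n"
        for n in d["tgw_neighbors"])
    return (
        f"config router static\n    edit 1\n        set dst {TGW_GRE_CIDR.network_address}"
        f" {TGW_GRE_CIDR.netmask}\n        set gateway {d['static_gateway']}\n"
        '        set device "port2"\n    next\nend\n'
        'config system gre-tunnel\n    edit "tgwc"\n        set interface "port2"\n'
        f"        set remote-gw {peer.tgw_gre_address}\n        set local-gw {peer.local_gw}\n"
        "    next\nend\n"
        f'config system interface\n    edit "tgwc"\n        set ip {d["tunnel_ip"]} 255.255.255.255\n'
        f"        set remote-ip {d['tgw_neighbors'][0]} {d['inside_mask']}\n    next\nend\n"
        f"config router bgp\n    set as {peer.peer_asn}\n    config neighbor\n{neighbors}"
        "    end\nend\n")

# Constructed from the Fortigate-1 values shown on this page.
FG1 = ConnectPeer("Fortigate-1", "10.0.0.16/28", "10.0.0.29", "1.0.0.4", "169.254.120.0/29", 65510)
```

Running `print(render_fortios(FG1))` reproduces the Fortigate-1 stanzas above; a second ConnectPeer built from the Fortigate-2 values yields the 10.0.0.81 next hop and the 169.254.121.2/.3 neighbors.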

8.5 Firewall Policy Configuration

8.5.1 Outbound Internet access policy

Business servers reach the Internet through the transit gateway and the GRE tunnel to the FortiGate security gateway, which inspects the traffic and NATs it out of port1.

config firewall policy
    edit 1
        set name "1"
        set srcintf "tgwc"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set application-list "default"
        set nat enable
    next
end

8.5.2 Inbound policies for Internet access business systems

Through elastic IP or Ingress Routing on FortiGate, business access traffic is securely inspected by the FortiGate security gateway.

config firewall vip
    edit "vpc2-web-server"
        set uuid a39feefc-ba1a-51eb-e1ca-91dba4aeeab4
        set mappedip "192.168.100.100"
        set extintf "port1"
        set portforward enable
        set extport 280
        set mappedport 80
    next
    edit "vpc2-ssh-server"
        set uuid c6a378f6-ba1a-51eb-69d2-edd646ee5d25
        set mappedip "192.168.100.100"
        set extintf "port1"
        set portforward enable
        set extport 222
        set mappedport 22
    next
    edit "vcp1-webserver"
        set uuid d921c744-ba1a-51eb-14b5-b368bf2fa237
        set mappedip "192.168.50.100"
        set extintf "port1"
        set portforward enable
        set extport 180
        set mappedport 80
    next
    edit "vpc1-ssh-server"
        set uuid e67c7038-ba1a-51eb-8d65-2d9ad8034f26
        set mappedip "192.168.50.100"
        set extintf "port1"
        set portforward enable
        set extport 122
        set mappedport 22
    next
end
config firewall policy
    edit 2
        set name "2"
        set srcintf "port1"
        set dstintf "tgwc"
        set srcaddr "all"
        set dstaddr "vcp1-webserver" "vpc1-ssh-server" "vpc2-ssh-server" "vpc2-web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "SSH"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end

8.5.3 Security check for east-west traffic between VPCs

Under this test architecture, network traffic between business VPCs is not controlled; only traffic from a business VPC into the Security VPC must pass FortiGate security checks. If security checks on traffic between business VPCs are required, this can be achieved with multiple transit gateway route tables. Please refer to the relevant manual at https://docs.fortinet.com

config firewall policy
    edit 3
        set name "3"
        set uuid 4256b2aa-ba1c-51eb-1691-6910ded0355f
        set srcintf "tgwc"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "monitor-all"
        set application-list "default"
        set nat enable
    next
    edit 4
        set name "4"
        set uuid 63f76b84-ba1c-51eb-01a5-7fe837254fdc
        set srcintf "port2"
        set dstintf "tgwc"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

9. Verification

9.1 BGP Routing on the FortiGate Secure Gateway

FortiGate successfully learned business VPC routes from transit gateways

BGP route entries sent and received by FortiGate to the host

9.2 BGP Routing on Transit Gateways

BGP routes received from connect neighbors

The BGP neighbor that the transit gateway connects to peers is UP

9.3 Accessing the Business Server from the Internet

The business server entry address is the firewall’s elastic IP address. Different ports are used for different services, as set in the VIP configuration of the previous policy: HTTP at http://52.83.204.126:180/ and SSH at 52.83.204.126:122.

Traffic security inspection records:

Business server URL records:

Application Identification:

9.4 Internet egress traffic from the business server

App access history:

URL records:

9.5 East-West Traffic

Access the Security VPC subnet from the business server and confirm that the traffic has passed through the transit VPC and the FortiGate security check.

FortiGate traffic records:

Translation and review authors

Max Demyanov

Max Demyanov is a Solutions Architect at Amazon Web Services, based in Chicago, IL. He has a background in architecting distributed systems for financial services industry and specializes in security and serverless applications. Max helped with translation of this blog from Chinese to English.

李亚斯

Solutions Architect at Amazon Web Services, with 7+ years of experience in cloud computing solution design. Currently responsible for solution design, consulting and implementation for AWS overseas customers landing in the China region.