
FortiGate AWS Transit Gateway Integrated with Cloud Services

By Ali Bidabadi  | November 28, 2018

Most AWS deployments have evolved from a single VPC (Virtual Private Cloud) to multiple VPCs spread across multiple regions. Fortinet’s Transit VPC solution supports organizations whose storage and compute infrastructures are spread across on-premises data centers and AWS VPCs. It enables them not only to interconnect their globally distributed workloads but also to protect those environments with the integrated advanced security features of the Fortinet Security Fabric.

Now, with AWS launching its much-anticipated Transit Gateway service, we are excited to announce the availability of the Fortinet Cloud Services Hub integrated with the AWS Transit Gateway. Equipped with full autoscaling capabilities, as well as the powerful routing and security features of its Security Fabric, Fortinet is leveraging the highly scalable and distributed AWS Transit Gateway service to take its current offering to the next level.

The AWS Transit Gateway - How Does it Work?

Today, if customers want to interconnect their VPCs, they either need to create point-to-point peering and manage networking at each VPC (adding complexity), or create IPSec tunnels from each VPC to third-party router/firewall appliances in a shared VPC (resulting in a hub-and-spoke topology called Transit VPC). While Transit VPC deployments (such as Fortinet Transit VPC) have been adopted by many customers as the preferred approach to solving their inter-VPC connectivity and security requirements, the AWS Virtual Private Gateway (VGW), which is deployed at each spoke VPC to terminate VPN connections, has serious bandwidth restrictions that limit network performance.

The AWS Transit Gateway resolves this challenge through its new highly scalable, distributed service that allows connectivity at scale. Since it supports Equal Cost Multipath (ECMP), traffic can be equally distributed over two or more VPN connections that propagate the same IP prefix, allowing significantly more flexibility in the network. And because it is part of the AWS suite, native AWS services such as CloudFormation, CloudWatch, and VPC Flow Logs can be used to manage and monitor the AWS Transit Gateway.

5 Key Use Cases for the Integration of the Cloud Services Hub and the AWS Transit Gateway

Fortinet Cloud Services Hub leverages the newly announced AWS Transit Gateway service to enable and improve several important use cases:

1. Cloud-only Deployments with Auto-Scaling and ECMP

Since many AWS customers have their workloads spread across multiple VPCs, it is of paramount importance to allow inter-VPC connectivity while simultaneously scaling FortiGate capacity up or down based on network traffic, giving a fully scalable and cost-effective solution. In this deployment scenario, application VPCs (often referred to as spoke VPCs) attach to the AWS Transit Gateway via Transit Gateway attachment objects. The AWS CloudWatch service triggers Lambda functions when it is notified of a lifecycle change event, so as new FortiGate instances are spawned by the Auto Scaling Group, IPSec tunnels are created dynamically and automatically, and ECMP distributes traffic equally across all tunnels.
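The lifecycle-driven tunnel creation described above, as an added example that is not Fortinet's code: a Lambda-style handler receives the Auto Scaling launch lifecycle event for a new FortiGate, looks up the instance's public IP, creates a customer gateway and a BGP-based VPN connection to the Transit Gateway (dynamic routing is what lets ECMP spread traffic across the tunnels), and then completes the lifecycle hook. The transit gateway id, the ASN, the instance id and the fake AWS clients are constructed placeholders; the clients are injected so the module runs offline.

```python
"""Added example (not Fortinet's code): attach a newly launched FortiGate to the
Transit Gateway from an Auto Scaling lifecycle event, then release the hook.
AWS clients are injected so the logic can run offline with the fakes below."""
import os

# Placeholders, not real identifiers: set these in the Lambda environment.
TGW_ID = os.environ.get("TRANSIT_GATEWAY_ID", "tgw-PLACEHOLDER")
FGT_BGP_ASN = int(os.environ.get("FORTIGATE_BGP_ASN", "65000"))  # assumed private ASN

LAUNCH_EVENT = "EC2 Instance-launch Lifecycle Action"


def parse_lifecycle_event(event):
    """Pull the fields needed to act on, and later release, the lifecycle hook."""
    if event.get("detail-type") != LAUNCH_EVENT:
        raise ValueError("not an Auto Scaling launch lifecycle event")
    detail = event["detail"]
    return {
        "instance_id": detail["EC2InstanceId"],
        "asg_name": detail["AutoScalingGroupName"],
        "hook_name": detail["LifecycleHookName"],
        "token": detail["LifecycleActionToken"],
    }


def attach_fortigate_to_tgw(ec2, autoscaling, event):
    """Create customer gateway + VPN connection for the new instance, then
    CONTINUE the hook on success or ABANDON it on failure (the Auto Scaling
    Group then terminates the instance), so a FortiGate that never joined the
    hub is not left running."""
    info = parse_lifecycle_event(event)
    cgw_id = vpn_id = None
    try:
        reservations = ec2.describe_instances(InstanceIds=[info["instance_id"]])["Reservations"]
        public_ip = reservations[0]["Instances"][0]["PublicIpAddress"]
        cgw = ec2.create_customer_gateway(BgpAsn=FGT_BGP_ASN, PublicIp=public_ip, Type="ipsec.1")
        cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
        # Dynamic (BGP) routing: Transit Gateway ECMP applies only to BGP-based
        # VPN connections that advertise the same prefixes.
        vpn = ec2.create_vpn_connection(
            CustomerGatewayId=cgw_id,
            Type="ipsec.1",
            TransitGatewayId=TGW_ID,
            Options={"StaticRoutesOnly": False},
        )
        vpn_id = vpn["VpnConnection"]["VpnConnectionId"]
        result = "CONTINUE"
    except Exception:  # any API failure: do not keep an unattached firewall
        result = "ABANDON"
    autoscaling.complete_lifecycle_action(
        LifecycleHookName=info["hook_name"],
        AutoScalingGroupName=info["asg_name"],
        LifecycleActionToken=info["token"],
        LifecycleActionResult=result,
        InstanceId=info["instance_id"],
    )
    return {"customer_gateway_id": cgw_id, "vpn_connection_id": vpn_id, "result": result}


def lambda_handler(event, context):
    """Real entry point: boto3 clients are created only here."""
    import boto3
    return attach_fortigate_to_tgw(boto3.client("ec2"), boto3.client("autoscaling"), event)


# ---- constructed fakes and sample event so the module runs offline ----
class FakeEC2:
    def __init__(self, fail=False):
        self.fail = fail

    def describe_instances(self, InstanceIds):
        if self.fail:
            raise RuntimeError("simulated API error")
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "PublicIpAddress": "203.0.113.10"}]}]}

    def create_customer_gateway(self, BgpAsn, PublicIp, Type):
        return {"CustomerGateway": {"CustomerGatewayId": "cgw-fake0001"}}

    def create_vpn_connection(self, **kwargs):
        return {"VpnConnection": {"VpnConnectionId": "vpn-fake0001"}}


class FakeAutoScaling:
    def __init__(self):
        self.completed = []

    def complete_lifecycle_action(self, **kwargs):
        self.completed.append(kwargs)


SAMPLE_EVENT = {  # constructed; shape of the CloudWatch Events lifecycle notification
    "detail-type": LAUNCH_EVENT,
    "detail": {
        "EC2InstanceId": "i-0fake000000000001",
        "AutoScalingGroupName": "fortigate-asg",
        "LifecycleHookName": "fortigate-launch-hook",
        "LifecycleActionToken": "token-fake",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING",
    },
}

if __name__ == "__main__":
    asg = FakeAutoScaling()
    print(attach_fortigate_to_tgw(FakeEC2(), asg, SAMPLE_EVENT))
    print(asg.completed[0]["LifecycleActionResult"])
```

Pushing the matching IPsec and BGP configuration to the FortiGate itself, and tearing the customer gateway and VPN connection down on the termination lifecycle event, are the other halves of the automation and are not shown here.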

2. Hybrid Cloud (multiple VPCs and multiple remote sites with Auto Scaling and ECMP)

In a typical hybrid cloud deployment, a large volume of data is continuously transferred between multiple remote branches, the corporate data center, as well as application VPCs. The Fortinet Cloud Services Hub essentially creates a central hub VPC in the cloud to facilitate interconnectivity and traffic inspection. While application VPCs attach directly to the Transit Gateway, physical data centers and remote branch locations can connect to FortiGate NGFW in this central hub using ECMP in a scalable fashion. Additionally, this deployment model gives customers more flexibility in that they do not need to change their overall network design or their internal teams’ responsibilities.

3. East-West Traffic Inspection

As zero-trust security deployment strategies are being adopted by large and small enterprises, the ability to inspect all traffic is of critical importance. Recent studies show that the vast majority of multi-cloud traffic travels East-West across the environment. Fortinet Cloud Services Hub supports a deployment model where all traffic is inspected to stop the lateral propagation of threats within an organization’s environment. This can be achieved in two different ways:

  1. Deploy FortiGates at each application VPC: Deploying a FortiGate solution at each VPC allows security policy to be enforced at the individual VPC level while also enabling East-West traffic inspection. Just as with FortiGates deployed in the hub, the spoke VPC FortiGate solutions also connect to the Transit Gateway through IPSec tunnels.

  2. Create multiple route tables in the AWS Transit Gateway: This allows all or a subset of inter-VPC traffic to be inspected by FortiGate’s advanced security features that are integrated into the Fortinet Security Fabric. All traffic that needs to be inspected is sent to the FortiGate solutions deployed in the central hub.
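The second approach, as an added example that is not Fortinet's or AWS's code: a small model of Transit Gateway routing (attachments, route tables, associations, longest-prefix match) that shows why a single route table is not enough for East-West inspection. With one table, spoke-to-spoke traffic is switched directly and never reaches the hub firewalls; with a spoke table whose only route is a default toward the hub attachment and a hub table that knows the spoke CIDRs, every inter-VPC flow is hairpinned through the hub. Attachment names and CIDRs are constructed, and the hub table's routes are entered statically where a real deployment would typically learn them via propagation.

```python
"""Added example (not Fortinet's or AWS's code): model of Transit Gateway route
tables showing that segmented tables force inter-VPC traffic through the hub."""
import ipaddress


class TransitGatewayModel:
    def __init__(self):
        self.association = {}  # attachment -> route table it is associated with
        self.routes = {}       # route table -> [(network, target attachment or None=blackhole)]
        self.vpc_cidrs = {}    # VPC attachment -> its CIDR (used to know when a packet has arrived)

    def attach_vpc(self, attachment, cidr, table):
        self.vpc_cidrs[attachment] = ipaddress.ip_network(cidr)
        self.associate(attachment, table)

    def attach_vpn(self, attachment, table):
        self.associate(attachment, table)

    def associate(self, attachment, table):
        self.association[attachment] = table
        self.routes.setdefault(table, [])

    def add_route(self, table, cidr, target):
        self.routes.setdefault(table, []).append((ipaddress.ip_network(cidr), target))

    def next_hop(self, ingress_attachment, dst_ip):
        """Longest-prefix match in the table associated with the ingress attachment."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes[self.association[ingress_attachment]]:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None  # None: no route or blackhole, packet dropped

    def trace(self, ingress_attachment, dst_ip, max_hops=4):
        """Attachments the packet is forwarded to. Traffic handed to a non-VPC
        attachment (the hub VPN) is assumed to come back into the TGW from that
        attachment after inspection; what the hub does with traffic not destined
        for a spoke is outside this model."""
        path, current = [], ingress_attachment
        ip = ipaddress.ip_address(dst_ip)
        for _ in range(max_hops):
            hop = self.next_hop(current, dst_ip)
            if hop is None:
                return path + ["DROP"]
            path.append(hop)
            if hop in self.vpc_cidrs and ip in self.vpc_cidrs[hop]:
                return path
            current = hop
        return path + ["LOOP"]


# Constructed names, not real attachment ids.
SPOKES = {"tgw-attach-vpc-a": "10.1.0.0/16", "tgw-attach-vpc-b": "10.2.0.0/16"}
HUB = "tgw-attach-hub-vpn"  # VPN attachment terminating on the hub FortiGates


def single_table_design():
    """Everything on one table (what default association + propagation gives)."""
    tgw = TransitGatewayModel()
    for att, cidr in SPOKES.items():
        tgw.attach_vpc(att, cidr, "default")
        tgw.add_route("default", cidr, att)
    tgw.attach_vpn(HUB, "default")
    tgw.add_route("default", "0.0.0.0/0", HUB)
    return tgw


def inspected_design():
    """Spokes share a table that only knows the hub; the hub's table knows the spokes."""
    tgw = TransitGatewayModel()
    for att, cidr in SPOKES.items():
        tgw.attach_vpc(att, cidr, "spoke-rt")
        tgw.add_route("hub-rt", cidr, att)
    tgw.attach_vpn(HUB, "hub-rt")
    tgw.add_route("spoke-rt", "0.0.0.0/0", HUB)
    return tgw


if __name__ == "__main__":
    print("one table: ", single_table_design().trace("tgw-attach-vpc-a", "10.2.0.10"))
    print("segmented: ", inspected_design().trace("tgw-attach-vpc-a", "10.2.0.10"))
```

Inspecting only a subset of inter-VPC traffic, as the text allows, is the same mechanism with more specific routes: a route for a trusted spoke's CIDR pointing directly at that spoke in the spoke table wins the longest-prefix match over the default toward the hub.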

4. Inbound Application Traffic with Firewall Resiliency

Many customers prefer to deploy their applications in private subnets in VPCs, hence not requiring any public IP addresses. However, the need to protect their applications from outside attacks does not simply go away. With the Cloud Services Hub’s integration with the AWS Transit Gateway, customers can conveniently deploy web applications in a private VPC while resilient FortiGate NGFWs are provisioned in a public VPC fronted by a public load balancer to protect their applications. Both source NAT and destination NAT are performed at each FortiGate to ensure that return traffic passes through the same instance.

5. WAF VPC for Multiple Applications

Combining the Transit Gateway with the Auto Scaling Group allows organizations to deploy a resilient and scalable Web Application Firewall (WAF) to protect multiple application VPCs. Similar to the first use case, the AWS Auto Scaling group, CloudWatch, and other services are used to dynamically scale WAF capacity up or down to meet changing traffic volume requirements.

The Fortinet Cloud Services Hub enables organizations that have spread their compute and storage infrastructures across multi-account, cross-region VPCs, as well as physical data centers and remote locations, to protect their workloads in a dynamic, scalable, and automated manner. Integrating the newly launched AWS Transit Gateway service with Fortinet’s Cloud Services Hub allows for even more scalable security. Taking advantage of Fortinet NGFW, Fortinet WAF, and AWS native services such as Lambda, CloudWatch, and Auto Scaling Groups, the Cloud Services Hub can address many more use cases. These use cases include, but are not limited to, East-West and North-South traffic inspection, inbound application traffic with firewall resiliency, and deploying a WAF solution in a shared VPC to protect multiple applications.
