
Highly Scalable FortiGate Next Generation Firewall Security on AWS Gateway Load Balancer Service

By Vinod Sundarraj | November 10, 2020

Organizations are increasingly adopting deeper and more comprehensive solutions to secure their Amazon Virtual Private Cloud (Amazon VPC) environments. And they are implementing these security solutions with high availability architectures to ensure that protection is always on against malicious actors and threats. But these types of deployments increase operational complexity. As a result, other teams within an organization that don’t have the security expertise will often bypass the use of these security appliances. 

AWS Gateway Load Balancer (GWLB) is a new service from AWS that makes it easy to deploy, scale, and manage virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems, in the cloud. Now, organizations can simplify their VPC security deployment and improve resiliency by delivering FortiGate-VM Next Generation Firewall protection as a service with GWLB.

Fortinet’s FortiGate-VM integration with GWLB helps organizations deploy Next Generation Firewall capabilities in the cloud with high availability, scaling, and load balancing, while still using FortiGate’s full set of security features, including intrusion detection and prevention (IDPS), Deep Packet Inspection (DPI), URL filtering, AntiSpam and anti-malware protection. FortiGate-VM Next Generation Firewall connected with GWLB addresses two key use cases, North-South inspection and East-West inspection, each with a couple of deployment options.

Use case 1: North-South Inspection

In typical AWS deployments, most of the application instances in a VPC reside in a Private subnet and are blocked from accessing resources outside the local network. But some application instances need to be accessible to users over the internet, and in some other cases applications or servers need to access other services, such as automatic software updates. In these cases, the traffic to and from the internet must be inspected to prevent attacks and reduce the risk of breaches. For these reasons, customers can deploy FortiGate-VM with the GWLB service to protect their application instances.

The first option is to use AWS Gateway Load Balancer Endpoints (GWLBE) in the customers’ VPCs. A GWLBE lets the owners of a spoke VPC secure their internet-bound traffic without having to set up and manage virtual firewalls and policies themselves.

Figure 1: North-South Inspection using GWLBE

Network traffic from the application instances and from the internet gateway is sent to a GWLBE in the VPC. The GWLBE then sends this VPC traffic to the GWLB in a subnet belonging to a centralized security services VPC, which could be managed by a shared security or network operations team. The GWLB tunnels this VPC traffic (using GENEVE encapsulation on UDP port 6081) to FortiGate virtual firewalls for inspection, so the original packets arrive at the firewall unmodified. Tunneling also keeps traffic sent for inspection isolated from the spoke VPCs. The inspected internet traffic, both inbound and outbound, is then sent back to the VPC through the same GWLBE. Alternately, the GWLBE could send this traffic to a GWLB in a Managed Security Service Provider VPC for FortiGate virtual firewall inspection.

The users’ VPC network traffic routing is accomplished with a VPC ingress routing table associated with the internet gateway, plus separate subnet routing tables for the GWLBE subnet and for the application subnets: the ingress table routes each application subnet’s CIDR to the GWLBE, the application subnets send their default route to the GWLBE, and the GWLBE subnet sends its default route to the internet gateway. An application subnet whose CIDR is missing from the ingress table, or whose default route points straight at the internet gateway, receives or sends traffic uninspected, so these routes are worth verifying. These types of configurations can be easily automated using templates. In addition, because GWLB also acts as an L4 load balancer, organizations can scale the volume of inspected traffic simply by adding more FortiGate-VM instances behind it in the security services VPC.
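As an added example (not code from the original article, Fortinet or AWS), the following audit script checks the three route-table rules described above over a constructed set of route tables. It models the data that `aws ec2 describe-route-tables` returns in a simplified, hypothetical shape: each table lists its associations (a subnet ID and that subnet’s CIDR, or an internet gateway ID for the ingress association) and its routes as destination CIDR to target ID. All IDs and CIDRs are constructed; the fourth table is a deliberately misconfigured application subnet that bypasses the GWLBE.

```python
"""Audit a spoke VPC's route tables for GWLB-endpoint (GWLBE) inspection.

Added example, not code from the original article or from Fortinet/AWS.
The route-table shape below is a simplified, hypothetical model of what
`aws ec2 describe-route-tables` returns; every identifier is constructed.
"""
import ipaddress

# Constructed identifiers for the spoke VPC.
IGW = "igw-0a1b2c3d4e5f60001"
GWLBE = "vpce-0123456789abcdef0"
GWLBE_SUBNET = "subnet-0gwlbe00000000001"
APP_SUBNET = "subnet-0app000000000001"
BYPASS_SUBNET = "subnet-0app000000000002"
VPC_CIDR = "10.0.0.0/16"

# Three tables implement the north-south pattern from the text; the fourth is
# a deliberately broken application subnet that defaults straight to the IGW.
ROUTE_TABLES = [
    {"id": "rtb-ingress",              # edge association on the IGW
     "associations": [{"gateway_id": IGW}],
     "routes": [{"destination": VPC_CIDR, "target": "local"},
                {"destination": "10.0.1.0/24", "target": GWLBE}]},
    {"id": "rtb-app",                  # inspected application subnet
     "associations": [{"subnet_id": APP_SUBNET, "cidr": "10.0.1.0/24"}],
     "routes": [{"destination": VPC_CIDR, "target": "local"},
                {"destination": "0.0.0.0/0", "target": GWLBE}]},
    {"id": "rtb-gwlbe",                # subnet that hosts the GWLBE
     "associations": [{"subnet_id": GWLBE_SUBNET, "cidr": "10.0.250.0/28"}],
     "routes": [{"destination": VPC_CIDR, "target": "local"},
                {"destination": "0.0.0.0/0", "target": IGW}]},
    {"id": "rtb-app-bypass",           # misconfigured: skips inspection
     "associations": [{"subnet_id": BYPASS_SUBNET, "cidr": "10.0.2.0/24"}],
     "routes": [{"destination": VPC_CIDR, "target": "local"},
                {"destination": "0.0.0.0/0", "target": IGW}]},
]


def default_target(table):
    """Target of the 0.0.0.0/0 route in a table, or None if there is none."""
    for route in table["routes"]:
        if route["destination"] == "0.0.0.0/0":
            return route["target"]
    return None


def ingress_covers(ingress_tables, cidr, gwlbe):
    """True if some IGW-associated table routes this subnet CIDR to the GWLBE."""
    net = ipaddress.ip_network(cidr)
    for table in ingress_tables:
        for route in table["routes"]:
            if route["target"] != gwlbe:
                continue
            if net.subnet_of(ipaddress.ip_network(route["destination"])):
                return True
    return False


def audit(tables, igw, gwlbe, gwlbe_subnet):
    """Return a list of findings; an empty list means every app subnet is inspected."""
    findings = []
    ingress = [t for t in tables
               if any(a.get("gateway_id") == igw for a in t["associations"])]
    if not ingress:
        findings.append(f"no ingress route table is associated with {igw}")
    for table in tables:
        for assoc in table["associations"]:
            subnet = assoc.get("subnet_id")
            if subnet is None:          # the ingress (gateway) association
                continue
            target = default_target(table)
            if subnet == gwlbe_subnet:  # GWLBE subnet must exit via the IGW
                if target != igw:
                    findings.append(f"{subnet}: GWLBE subnet default route is {target}, expected {igw}")
                continue
            # Application subnet: outbound must go to the GWLBE ...
            if target != gwlbe:
                findings.append(f"{subnet}: outbound default route is {target}, bypasses {gwlbe}")
            # ... and inbound traffic for its CIDR must be steered to the GWLBE by the IGW.
            if not ingress_covers(ingress, assoc["cidr"], gwlbe):
                findings.append(f"{subnet}: inbound traffic for {assoc['cidr']} is not routed to {gwlbe} from {igw}")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, IGW, GWLBE, GWLBE_SUBNET):
        print("FINDING", line)
```

Run against the constructed tables, the script reports two findings, both against the bypass subnet (its default route goes to the IGW, and the ingress table has no route steering its CIDR to the GWLBE); with that table removed it reports nothing. Against a real account the same checks would be fed from the `describe-route-tables` response after mapping it into this shape.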

A second option available to organizations is to use the AWS Transit Gateway service (TGW). TGW attachments, whether VPC attachments or VPN attachments, make it easy for users to secure their internet-bound traffic without having to set up and manage virtual firewalls and policies themselves.

Figure 2: North-South Inspection w/ TGW

In this scenario, VPC traffic is routed through the TGW service to the GWLB in a subnet belonging to a centralized Security Services VPC. With this architecture, customers can use an Internet Gateway in a separate Internet VPC, or it can be co-located in the security services VPC. Both the TGW attachment ENIs and the GWLBE ENIs are configured in the security services VPC to route traffic from the TGW to the FortiGate virtual firewalls for inspection. Because the FortiGate inspection is stateful, the TGW attachment to the security services VPC should have appliance mode enabled so that both directions of a flow are delivered to the same Availability Zone. Using a TGW-based architecture greatly simplifies routing for customers implementing a large number of VPCs. With the GWLB service in place it is easy to scale FortiGate virtual firewall instances up and down to match the volume of traffic needing inspection.

Use Case 2: East-West Inspection

With the rapid adoption of AWS, organizations are quickly evolving from single VPC deployments to having a large number of VPCs. In many cases, these VPCs are managed by application development teams without a security background. Applications are often built using open source code that may have vulnerabilities that malicious actors can leverage to launch attacks between VPCs. To limit this, the VPC-to-VPC traffic flows must be inspected. Organizations can deploy FortiGate-VM with the GWLB service to provide this protection.

Figure 3: East-West Inspection w/ TGW

Most customers adopt TGW when rolling out a large number of VPCs, and from a network topology and routing perspective this use case can reuse the TGW-based implementation discussed above for use case 1: the TGW route tables send inter-VPC traffic to the security services VPC attachment, where the GWLBE hands it to the FortiGate virtual firewalls and returns the inspected traffic to the TGW. GWLB provides a simple and effective way to scale FortiGate virtual firewall protection as the volume of inspected traffic increases.

Expanding Fortinet’s Collaboration with AWS 

Fortinet continues to build on its existing collaborations with AWS services, including AWS Transit Gateway and AWS Outposts. Together, FortiGate-VM Next Generation Firewall Security and AWS Gateway Load Balancer provide a complete cloud security services and cloud management solution that gives enterprise customers fast, flexible access to the cloud. Organizations using AWS can confidently migrate to AWS environments knowing their workloads will be protected with Fortinet’s cloud security offerings. 

Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. 

Read these customer case studies to see how Hillsborough Community College and WeLab implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.