I have a FortiGate EC2 instance in a public subnet. An EKS cluster is in the public subnet; the application deployed in EKS is accessible using an NLB endpoint in the public subnet. I want all the traffic to my application to pass through the FortiGate firewall (the FortiGate instance and the NLB are in the same public subnet).
So I have tried configuring the route table for the public subnet, or the edge route table for the internet gateway, so that if traffic is destined to the NLB's private interface IPs it should be routed to the FortiGate VM interface, but got the error that it's not a subnet CIDR.
I only want incoming traffic to pass through the FortiGate so I can set up some firewall rules on it.
Can anyone help with this config or suggest any better way to implement the desired requirement?
I have tried with the NLB interface IPs and also tried creating a prefix list from the private IPs, but nothing worked.
Editing the question as I cannot post this in a comment.
So I have done the same config for the subnets as mentioned in the 1st answer. I also created a FortiGate VM with two interfaces: port1 in the public subnet and port2 in the NLB subnet. For the edge subnet I am sending the traffic to the port2 interface, and the same for internet traffic of the NLB subnet. Here is the FortiGate config file:
Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0

# FortiOS CLI script. port1 faces the public subnet, port2 faces the NLB subnet.
config system interface
    edit port1
        set vdom "root"
        set alias public
        set mode dhcp
        set allowaccess ping https ssh fgfm
    next
    edit port2
        set vdom "root"
        set alias private
        set mode dhcp
        set allowaccess ping https ssh fgfm probe-response
    next
end
# Two policies: inbound (public -> NLB subnet) and return/outbound (NLB subnet -> public).
# Both currently allow everything and log it; tighten srcaddr/dstaddr/service once traffic flows.
config firewall policy
    edit 1
        set name "test"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Was a second "edit 1", which would overwrite the policy above instead of adding a new one.
    edit 2
        set name "test2"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# NOTE: both routes below have no dst set (so both are 0.0.0.0/0) and both use ${nlb_ip} as
# the next hop. A static route's gateway must be on-link for the chosen device; ${nlb_ip} is in
# port2's subnet, not port1's, and port1 already receives its default route from DHCP.
config router static
    edit 1
        set gateway ${nlb_ip}
        set device "port1"
    next
    edit 2
        set gateway ${nlb_ip}
        set device "port2"
    next
end
--==AWS==--
Still, when I hit the NLB endpoint it is not reachable, but if I use the normal network config without the FortiGate it is accessible.
If you want to route traffic through an intermediate device like the setup you mentioned, it's better to have them in separate subnets. If the routing is expected to be as below:
Client --> Internet --> IGW --> Fortigate --> NLB --> EKS
You will need to split them into at least 2 subnets.
Route tables will be as below:

Public Subnet's Route Table:
    VPC CIDR          > local
    0.0.0.0/0         > IGW

Protected Subnet's Route Table:
    VPC CIDR          > local
    0.0.0.0/0         > FW ENI

Edge Route Table (on IGW):
    VPC CIDR          > local
    NLB's Subnet CIDR > FW ENI
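The three route tables above, written out as Terraform so the targets are unambiguous. This is an added example, not code from the question or the answer, and the VPC/subnet CIDRs, resource names and the split of the FortiGate into a public-side and a protected-side ENI are assumptions. Two details that are easy to miss in a console walkthrough are made explicit: the edge (ingress) route's destination must be a whole subnet CIDR, which is why individual NLB IPs and a prefix list were rejected in the question, and `source_dest_check` has to be disabled on any ENI that forwards packets not addressed to itself, or the VPC silently drops them.

```hcl
# Added example: two-subnet layout with ingress routing through a firewall ENI.
# All CIDRs and names are placeholders (assumptions), not values from the thread.

variable "vpc_cidr"       { default = "10.0.0.0/16" }
variable "public_cidr"    { default = "10.0.1.0/24" } # FortiGate port1 lives here
variable "protected_cidr" { default = "10.0.2.0/24" } # NLB and EKS nodes live here

resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = var.public_cidr
}

resource "aws_subnet" "protected" {
  vpc_id     = aws_vpc.main.id
  cidr_block = var.protected_cidr
}

# FortiGate ENIs (attach these to the instance). source_dest_check is off
# because both interfaces forward traffic that is not addressed to them.
resource "aws_network_interface" "fw_public" {
  subnet_id         = aws_subnet.public.id
  source_dest_check = false
}

resource "aws_network_interface" "fw_protected" {
  subnet_id         = aws_subnet.protected.id
  source_dest_check = false
}

# Public subnet's route table: VPC CIDR -> local is implicit, default -> IGW.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Protected subnet's route table: default -> the FortiGate's protected-side ENI,
# so replies from the NLB/EKS return through the firewall (symmetric path).
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.fw_protected.id
  }
}

resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}

# Edge route table associated with the IGW: inbound packets for the NLB's
# subnet are handed to the FortiGate's public-side ENI before delivery.
# The destination must be the subnet's full CIDR (or the VPC CIDR); a single
# host /32 or a managed prefix list is refused with a "not a subnet CIDR" error.
resource "aws_route_table" "edge" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = var.protected_cidr
    network_interface_id = aws_network_interface.fw_public.id
  }
}

resource "aws_route_table_association" "edge" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.edge.id
}
```

With this layout the NLB (and the EKS worker nodes it targets) must be created in the protected subnet; an NLB left in the public subnet is reached directly from the IGW and the edge route never applies to it. On the FortiGate side, port1 then only needs its DHCP default route, and a static route for the protected subnet CIDR out port2 (via that subnet's router address) carries the inbound flow; the `${nlb_ip}` next hop used in the question's script is not needed.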