This tutorial's architecture is based on the most common design, described in detail here. It consists of an HA cluster of two FortiGate 7.0 instances and a very basic web application: a single VM running a proxy server (tier 1) and a single VM running a web server (tier 2), deployed in peered VPCs.
The tutorial setup demonstrates the following use-cases:
- North-South inspection for inbound connections
- South-North inspection for outbound connections (secure web gateway)
- East-West segmentation
An HTTP connection initiated from the Internet passes through the following steps:
- Client initiates a connection to the external load balancer's public IP
- External load balancer relays the connection to port1 of the active FortiGate instance
- FortiGate performs DNAT, inspects the connection for threats and forwards it out via port2
- Connection is sent over VPC peering and terminated on wrkld-tier1-proxy
- Proxy initiates a connection to the web server (wrkld-tier2-web)
- Imported custom route sends the connection over peering to the internal load balancer
- Internal load balancer forwards the connection to the active FortiGate
- FortiGate inspects the connection
- Connection is sent via VPC peering to the tier 2 VPC and terminated by wrkld-tier2-web
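The FortiOS 7.0 CLI below is an added example, not configuration shipped with this tutorial, showing what the two inspection steps above (DNAT plus inspection on port1 to port2, and the east-west hairpin on port2) look like on the active cluster member. It assumes the external load balancer is a passthrough load balancer, so packets reach port1 still addressed to the load balancer's public IP and that IP is used as the VIP's external address; every address, gateway and name (203.0.113.10, 10.0.x.x, `vip-web-tier1`, `tier1-net`, `tier2-net`) is a constructed placeholder to be replaced with the values from your own deployment.

```fortios
# Added example (not part of the tutorial). Constructed placeholder addresses:
#   203.0.113.10   external load balancer public IP (what the client connects to)
#   10.0.0.1       gateway of the port1 subnet
#   10.0.10.1      gateway of the port2 subnet
#   10.0.1.0/24    tier 1 VPC, wrkld-tier1-proxy at 10.0.1.10
#   10.0.2.0/24    tier 2 VPC, wrkld-tier2-web at 10.0.2.10

# Both load balancers decide which FortiGate is active from a health check, so
# each member answers probes on a dedicated port (GCP health-check ranges must
# be allowed on the port1/port2 subnets by the VPC firewall, not shown here).
config system probe-response
    set mode http-probe
    set port 8008
end
config system interface
    edit "port1"
        set allowaccess probe-response
    next
    edit "port2"
        set allowaccess probe-response
    next
end

# Default route out of port1; tier 1 and tier 2 are reached via port2 and peering.
config router static
    edit 1
        set device "port1"
        set gateway 10.0.0.1
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set device "port2"
        set gateway 10.0.10.1
    next
    edit 3
        set dst 10.0.2.0 255.255.255.0
        set device "port2"
        set gateway 10.0.10.1
    next
end

config firewall address
    edit "tier1-net"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "tier2-net"
        set subnet 10.0.2.0 255.255.255.0
    next
end

# Inbound DNAT: connections for the load balancer IP on port1 are mapped to
# the tier 1 proxy.
config firewall vip
    edit "vip-web-tier1"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.0.1.10"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    # North-South inbound: Internet -> VIP -> wrkld-tier1-proxy, with IPS and AV.
    # Source NAT makes the proxy reply to the FortiGate's port2 address, so the
    # return path stays on the same cluster member.
    edit 1
        set name "ns-inbound-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web-tier1"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set ips-sensor "default"
        set av-profile "default"
        set nat enable
    next
    # East-West: proxy -> internal load balancer -> port2, inspected and sent
    # back out of port2 over peering to the tier 2 VPC (same interface in and out).
    edit 2
        set name "ew-tier1-to-tier2"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "tier1-net"
        set dstaddr "tier2-net"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set ips-sensor "default"
        set nat enable
    next
end
```

Two points worth checking after applying something like this: `set allowaccess` replaces the interface's whole access list, so add `probe-response` to whatever management protocols you already allow rather than copying the lines verbatim, and the east-west policy is deliberately limited to `tier1-net` as a source so that tier 2 is not reachable from anything else that happens to be routed through the internal load balancer.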