AWS VPC Peering

Alternative VPC peering solution with FortiGate firewall

Alternative VPC peering solution with FortiGate (VM AWS on Demand) firewall: interface-based VPN + BGP


Assumptions

  • Multiple AWS accounts
  • All-to-all VPN interconnections
  • Safe internet access
  • Possibility of using shared security solutions
  • Inter-VPC traffic monitoring



To do


1. Create new AWS account
This account will be used for VPN interconnection only. No other services are allowed in this account. If you need to add some shared services, add another account.

2. Launch 2 FortiGate VM AWS on Demand instances from AWS Marketplace
Place one in AZ (Availability Zone) A and the second in AZ B. The instances need to be in separate AZs so that the failure of a whole AWS data center or the decommissioning of one instance (Instance Retirement) does not take the VPN hub down.

3. Add an Elastic IP to each firewall
This IP will be used for management and for the VPN connections. One IP is sufficient in most cases.

4. Log in to the firewall
You will have to do it with the SSH key provided by AWS. Default login: admin; an empty password will not work. To log in to the GUI you need to set a password for the admin account:

config system admin
    edit "admin"
        # replace <new-password> with the password you choose
        set password <new-password>
    next
end

After that, limit SSH and HTTPS access using security groups or a network ACL. This can also be done with a Virtual IP object and a firewall rule on the FortiGate itself. In my case password guessing started 20 minutes after deployment.

5. Configure the VPN on the satellite AWS accounts using the built-in feature
Each satellite account will have 4 VPN tunnels: 2 to the first firewall and 2 to the second one. Download the FortiGate configuration from AWS. It will look like this (names changed, original comments removed and my own added):

config vpn ipsec phase1-interface
    edit "vpn-0000000-0"
        # Rename the tunnel to vpn-name-a or similar; add A or B at the end
        # to tell the two tunnels apart. The name must be shorter than
        # 15 characters (FortiGate requirement).
        set interface "wan1"
        # Change to the name of the public interface (the one with the
        # Elastic IP). In most cases: port1
        set dpd enable
        set local-gw xxx.xxx.xxx.xxx
        # Remove the local-gw line! The public IP is not attached to a
        # FortiGate interface; NAT is done by the AWS network.
        set dhgrp 2
        set proposal aes128-sha1
        set keylife 28800
        set remote-gw yyy.yyy.yyy.yyy
        set psksecret preshared-key
        set dpd-retryinterval 10
    next
end



config vpn ipsec phase2-interface
    edit "vpn-0000000-0"
        # Change the phase 2 name: just add p2 to the phase 1 name
        set phase1name "vpn-0000000-0"
        # Put the phase 1 name here
        set proposal aes128-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
# Add this "end"; it is missing from the template



config system interface
    edit "vpn-0000000-0"
        # This must be the phase 1 name
        set vdom "root"
        set ip 169.254.xxx.xxx 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1387
        set remote-ip 169.254.yyy.yyy
        set mtu 1427
        set interface "wan1"
        # Change the interface name to port1
    next
end
# Add this "end"; it is missing from the template



config router bgp
    set as <private-as-number>
    config neighbor
        edit "169.254.yyy.yyy"
            set remote-as <aws-as-number>
        next
    end
end


6. On the FortiGate create a new zone: VPN_Satelite
This zone will be used in the firewall policies. Create separate zones for the other roles (database, web servers, shared resources, etc.).

7. Repeat the VPN configuration for the secondary unit and then for every AWS account
At this point you should have full connectivity between the accounts.

8. If you need to secure the internet connection:
a) Propagate the default route using BGP. Note: you can't mix BGP and static routes
b) Create a new firewall rule VPN_Satelite -> port1

9. You can also connect all accounts to your DC through the FortiGate
a) Use a route map to control which routes are distributed
b) Use local preference or AS prepending to avoid asymmetric routing
c) You can enable asymmetric routing on the FortiGate, but it is not recommended
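An added example, not from the original page and not Fortinet or AWS configuration, that puts steps 6, 8 and 9 together in FortiGate CLI: the zone, the BGP sessions to both AWS tunnel endpoints with the default route redistributed, an AS-prepend route map on the second tunnel so forward and return traffic stay on one path, and the internet policy. Everything named is assumed: tunnel interfaces vpn-acct1-a and vpn-acct1-b already created as in step 5, AWS inside tunnel addresses 169.254.10.1 and 169.254.11.1, local private AS 65000, AWS-side AS 7224, and a DHCP default route on port1 (which FortiOS lists as a static route).

```fortios
# Assumed: tunnels vpn-acct1-a/-b exist, AWS inside IPs 169.254.10.1 and 169.254.11.1, local AS 65000, AWS AS 7224
config system zone
    edit "VPN_Satelite"
        set interface "vpn-acct1-a" "vpn-acct1-b"
    next
end
# Step 9b: prepend our AS on tunnel B so AWS prefers tunnel A for return traffic (no asymmetry)
config router route-map
    edit "prefer-tunnel-a"
        config rule
            edit 1
                set set-aspath "65000 65000"
            next
        end
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "169.254.10.1"
            set remote-as 7224
        next
        edit "169.254.11.1"
            set remote-as 7224
            set route-map-out "prefer-tunnel-a"
        next
    end
    # Step 8a: advertise the default route to the satellite account. The DHCP
    # default on port1 is a static route, so redistribute static; no static routes to tunnels.
    config redistribute "static"
        set status enable
    end
end
# Step 8b: satellite VPCs reach the internet via port1. Source NAT to port1's address
# is required, because the AWS Elastic IP maps only that one address.
config firewall policy
    edit 0
        set srcintf "VPN_Satelite"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Check the result with `get router info bgp summary` (both neighbors Established) and `get router info bgp neighbors 169.254.11.1 advertised-routes` to confirm the prepended AS path.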

Other


a) port1 should have the IP assigned by AWS DHCP
b) If you need to connect 2 VPCs from one account, you will have to add another public IP to the FortiGate: add an Elastic IP to port2
c) If you need to upgrade FortiGate AWS on Demand, you will have to contact Fortinet Support
d) Use an on-demand instance to size the FortiGate VM model
e) For long-term infrastructure, replace the on-demand licence with BYOL and pay for the instance in advance to reduce cost
f) Before an upgrade, run another FortiGate on Demand to check that the update will be successful. After that, switch the Elastic IP
g) After FortiGate deployment you will have to format the log disk (execute formatlogdisk)
h) As AWS uses 169.254.yyy.yyy inside the VPN tunnel, you will be unable to ping AWS instances from the FortiGate