AWS Cloud-WAN integration Fortinet SD-WAN for secure branch networking

By Alan posted Oct 26, 2022 11:12 PM

  

Feature Introduction

AWS Cloud WAN

AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs)—building a global network with only a few clicks. You use network policies to automate network management and security tasks in one location. Cloud WAN generates a complete view of your on-premises and AWS networks to help you monitor network health, security, and performance.

 

Fortinet SD-WAN

The Fortinet SD-WAN (software-defined wide-area network) solution enables enterprises to transform and secure all WAN edges. Leveraging the Security-driven Networking approach, which uses one operating system and one centralized management console, enterprises realize superior user experience, enhanced security posture effectiveness with converged networking and security, and achieve operational continuity and efficiency. Fortinet FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises. Our Security-Driven Networking approach consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.

 

Example Description

In the previous example, we used the integration of AWS Cloud-WAN and Fortinet SD-WAN to achieve cloud-network convergence of enterprise services, so that enterprise employees in any branch office can quickly access internal applications deployed on AWS.

For details, see:

https://fusecommunity.fortinet.com/blogs/alan/2022/10/08/aws-cloud-wan-integration-fortinet-sd-wan-1

 

In this example, we use the integration of AWS Cloud-WAN and Fortinet SD-WAN to let enterprise branches communicate directly over the secure connection between SD-WAN POPs, so that the management terminal of the Singapore office can quickly and securely connect to the equipment of the Virginia plant through the SD-WAN network and securely transfer corporate data.

 

Architecture:

Configuration Instructions

Address information:

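| Site             | SD-WAN IP Address | POP Tunnel IP Address | LAN IP/Netmask   |
|------------------|-------------------|-----------------------|------------------|
| Virginia POP     | 10.0.255.254      | 10.0.12.1             | -                |
| Virginia Factory | 10.0.255.1        | -                     | 192.168.20.2/24  |
| Singapore POP    | 10.0.254.254      | 10.0.12.2             | -                |
| Singapore Branch | 10.0.254.1        | -                     | 192.168.101.2/24 |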

 

Virginia POP Configurations

Enable BGP, configure neighbor information for Virginia factory and Singapore POP, as well as local network information

  • Set "Local AS" to "65401"
  • Create new Neighbor, set "IP" to "10.0.255.1", "Remote AS" to "65411"
  • Create new Neighbor, set "IP" to "10.0.12.2", "Remote AS" to "65402"
  • Set "Networks" to "10.0.255.0/24"

 

Configure a firewall policy that allows the Singapore office intranet to access the Virginia factory intranet

  • Set "Incoming Interface" to "Singapore"
  • Set "Outgoing Interface" to "SD-WAN"
  • Set "Source" to "192.168.101.0/24"
  • Set "Destination" to "192.168.20.0/24"

Singapore POP Configurations

Enable BGP, configure neighbor information for Singapore office and Virginia POP, as well as local network information

  • Set "Local AS" to "65402"
  • Create new Neighbors, set "IP" to "10.0.254.1", "Remote AS" to "65421"
  • Create new Neighbors, set "IP" to "10.0.12.1", "Remote AS" to "65401"
  • Set "Networks" to "10.0.254.0/24"

Configure a firewall policy that allows the Singapore office intranet to access the Virginia factory intranet

  • Set "Incoming Interface" to "SD-WAN"
  • Set "Outgoing Interface" to "Virginia"
  • Set "Source" to "192.168.101.0/24"
  • Set "Destination" to "192.168.20.0/24"

Singapore Branch Configurations

Enable BGP, configure the neighbor information for Singapore POP, as well as the local network information

  • Set "Local AS" to "65421"
  • Create new Neighbor, set "IP" to "10.0.254.254", "Remote AS" to "65402"
  • Set "Networks" to "192.168.101.0/24"

Configure SD-WAN Rules to have traffic from the Singapore office to the Virginia facility flow out of SDWAN01

  • Set "Source" to "192.168.101.0/24"
  • Set "Destination" to "192.168.20.0/24"
  • Set "Outgoing Interface" to "sdwan01"

 

Configure firewall policies for the Singapore office to access the Virginia facility

  • Set "Incoming Interface" to "port10"
  • Set "Outgoing Interface" to "virtual-wan-link"
  • Set "Source" to "192.168.101.0/24"
  • Set "Destination" to "192.168.20.0/24"

 

Virginia Factory Configurations

Enable BGP, configure the neighbor information for Singapore POP, as well as the local network information

  • Set "Local AS" to "65411"
  • Create new Neighbor, set "IP" to "10.0.255.254", "Remote AS" to "65401"
  • Set "Networks" to "192.168.20.0/24"
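
The BGP settings for all four FortiGates can be cross-checked before they are applied. The following Python sketch is an added example, not part of the original post: it takes the AS numbers and neighbor IPs listed on this page, maps each neighbor IP to its owner using the address table, and reports any neighbor whose "Remote AS" does not match the peer's "Local AS" or that is not configured in both directions. The dictionary layout and function names are assumptions made for illustration.

```python
# BGP values copied from this page; "addrs" are the device's own SD-WAN and
# POP tunnel addresses from the address table. The structure is illustrative.
DEVICES = {
    "Virginia POP": {"local_as": 65401, "addrs": {"10.0.255.254", "10.0.12.1"},
                     "neighbors": {"10.0.255.1": 65411, "10.0.12.2": 65402}},
    "Virginia Factory": {"local_as": 65411, "addrs": {"10.0.255.1"},
                         "neighbors": {"10.0.255.254": 65401}},
    "Singapore POP": {"local_as": 65402, "addrs": {"10.0.254.254", "10.0.12.2"},
                      "neighbors": {"10.0.254.1": 65421, "10.0.12.1": 65401}},
    "Singapore Branch": {"local_as": 65421, "addrs": {"10.0.254.1"},
                         "neighbors": {"10.0.254.254": 65402}},
}

def owner_of(ip, devices):
    """Return the name of the device that owns this address, or None."""
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None

def check_peerings(devices):
    """Return a list of problems; an empty list means every session is consistent."""
    problems = []
    for name, dev in devices.items():
        for nbr_ip, remote_as in dev["neighbors"].items():
            peer = owner_of(nbr_ip, devices)
            if peer is None:
                problems.append(f"{name}: neighbor {nbr_ip} is not in the address table")
                continue
            if devices[peer]["local_as"] != remote_as:
                problems.append(f"{name}: remote AS {remote_as} for {nbr_ip} does not "
                                f"match {peer} local AS {devices[peer]['local_as']}")
            # The peer must point back at one of our addresses with our local AS.
            back = [asn for ip, asn in devices[peer]["neighbors"].items()
                    if ip in dev["addrs"]]
            if back != [dev["local_as"]]:
                problems.append(f"{peer}: no matching neighbor entry back to {name} "
                                f"(AS {dev['local_as']})")
    return problems

if __name__ == "__main__":
    for line in check_peerings(DEVICES) or ["all BGP peerings are consistent"]:
        print(line)
```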

 

Configure a firewall policy that allows the Singapore office to access the Virginia facility

  • Set "Incoming Interface" to "sdwan01"
  • Set "Outgoing Interface" to "port2"
  • Set "Source" to "192.168.101.0/24"
  • Set "Destination" to "192.168.20.0/24"

Verify

Management terminals in the Singapore office can securely connect to equipment at the Virginia facility via SD-WAN network for secure transmission of corporate data.
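
Besides a connectivity test from the management terminal, the four firewall policies can be checked as a chain. The Python model below is an added example, not part of the original post: it walks a new session hop by hop through the policies listed on this page and returns the first FortiGate with no matching policy. It assumes that traffic matching no policy is dropped and that only interfaces and addresses matter (the page lists no service or schedule); the path list and function names are illustrative.

```python
from ipaddress import ip_address, ip_network

SRC, DST = ip_network("192.168.101.0/24"), ip_network("192.168.20.0/24")

# Policies as listed on this page: (incoming, outgoing, source, destination).
POLICIES = {
    "Singapore Branch": [("port10", "virtual-wan-link", SRC, DST)],
    "Singapore POP":    [("SD-WAN", "Virginia", SRC, DST)],
    "Virginia POP":     [("Singapore", "SD-WAN", SRC, DST)],
    "Virginia Factory": [("sdwan01", "port2", SRC, DST)],
}

# Forward path Singapore -> Virginia: (device, ingress interface, egress interface).
FORWARD_PATH = [
    ("Singapore Branch", "port10", "virtual-wan-link"),
    ("Singapore POP", "SD-WAN", "Virginia"),
    ("Virginia POP", "Singapore", "SD-WAN"),
    ("Virginia Factory", "sdwan01", "port2"),
]

def reverse(path):
    """Path for a session initiated from the far end (interfaces swapped)."""
    return [(dev, egress, ingress) for dev, ingress, egress in reversed(path)]

def first_block(src, dst, path, policies=POLICIES):
    """Return the first device with no policy matching a NEW session, or None."""
    s, d = ip_address(src), ip_address(dst)
    for dev, ingress, egress in path:
        allowed = any(i == ingress and o == egress and s in sn and d in dn
                      for i, o, sn, dn in policies[dev])
        if not allowed:
            return dev
    return None

if __name__ == "__main__":
    # Constructed sample hosts inside and outside the permitted subnets.
    print(first_block("192.168.101.10", "192.168.20.5", FORWARD_PATH))
    print(first_block("192.168.20.5", "192.168.101.10", reverse(FORWARD_PATH)))
    print(first_block("192.168.102.10", "192.168.20.5", FORWARD_PATH))
```

With the policies as written, sessions can only be opened from 192.168.101.0/24 toward 192.168.20.0/24; a session initiated from the factory LAN, or from any other Singapore subnet, finds no matching policy at the first FortiGate it reaches.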
