By Jonathan Peng, Staff Solutions Architect
Most Internet-facing services within a Virtual Private Cloud (VPC) need multiple public IP addresses for customers to reach them. If we want to protect all public traffic with a dedicated firewall appliance, we face the problem of attaching multiple public IPs to a single Elastic Compute Service (ECS) instance-based firewall.
In this article, we deploy multiple EIPs with one Fortinet NGFW ECS instance to help Alibaba Cloud users address this problem.
Here are some of the things you can do with multiple IP addresses and a Fortinet NGFW:
- Use URL-based filtering policies. We can leverage Fortinet’s URL filtering feature to protect inbound and outbound Internet traffic by URL instead of by IP address.
- Protect web services and more. This approach guards against malicious traffic, data loss, and unauthorized access. In addition, the Fortinet device delivers a number of security technologies, such as IPS, web filtering, VPN, SSL inspection, identity management integration, and bandwidth management.
- Optimize network appliances. Network appliances such as firewalls and load balancers generally work better when they have access to multiple public IP addresses on the Internet.
Solution Overall Description
The following diagram illustrates the overall concept of how to deploy this solution. We need to go through the following 7 steps:
- Create a VPC with 2 different vSwitches for the networking.
- Create ECS instances for all the frontend services, such as App, Web and Search, in one vSwitch.
- Create Fortinet FortiGate NGFW ECS instances from the Alibaba Cloud Marketplace in the other vSwitch.
- Create SLBs for the different public IPs, each with the Fortinet NGFW ECS as its backend server, pointing to a different private IP and a dedicated Fortinet NGFW port.
- Add a route entry to the VPC’s route table and set the default route’s next hop to the Fortinet NGFW ECS.
- Set up the Fortinet NGFW: add SNAT and DNAT with firewall policies to connect the different backend ECS instances.
Log in to the Alibaba Cloud console, find VPC under Products, and create a new VPC and two vSwitches.
Under Products, find ECS and create three different ECS instances to simulate the App (192.168.1.81), Web (192.168.1.82), and Search (192.168.1.80) services.
Create an ECS instance from a Marketplace image, choosing the Fortinet FortiGate NGFW image.
Create 3 SLBs for the App, Web, and Search HTTP services.
All listeners are set to HTTP port 80.
Each SLB listener needs the Fortinet firewall added as its backend server, pointing to a different port: 40001, 40002 and 40003.
Add a default route to the VPC’s vRouter and point it to the Fortinet ECS.
Log in to the Fortinet ECS.
Add the App, Web, and Search private addresses into Fortinet.
Set up inbound DNAT: create 3 Virtual IPs mapping port 40001 to App port 80, port 40002 to Web port 80, and port 40003 to Search port 80.
Set up the outbound SNAT firewall policy for Internet connectivity.
Set up the inbound DNAT firewall policy for Internet connectivity.
Finally, we can connect to these three different service servers through the SLB IP addresses.
If you’ve followed the above steps correctly, you should see all the traffic going through the Fortinet firewall.