FortiGate
fortiraj_FTNT
Article Id 265857
Description

This article describes how to route ingress and egress traffic bound to the FortiGate loopback interface in an AWS VPC.

By default, the AWS VPC router routes traffic to and from a FortiGate ENI (Elastic Network Interface) only for the subnet with which that ENI is associated. Traffic sourced from or destined to the configured network interfaces will therefore always work.

Consider the topology below. In it, traffic to and from the FortiGate loopback interface will fail.

[Figure: topology diagram]

FG04 # diag ip address list
IP=10.4.0.5->10.4.0.5/255.255.255.0 index=3 devname=port1
IP=10.4.2.5->10.4.2.5/255.255.255.0 index=4 devname=port2
IP=10.4.1.1->10.4.1.1/255.255.255.255 index=11 devname=loopback-mgmt

By default, the VPC router will not route traffic from the server 10.4.2.9 to the loopback interface 10.4.1.1 via the FortiGate interface port2.

Traffic sourced from the FortiGate loopback interface 10.4.1.1 will likewise fail.

This impacts all loopback-related traffic to and from a FortiGate-VM in AWS.

Scope
FortiGate-VM instance in AWS.
Solution

By default, the AWS VPC route table maps the VPC IPv4 CIDR to the target ‘local’, which is the VPC router.

[Figure: VPC route table with the VPC CIDR mapped to ‘local’]

A route to the loopback interface IP 10.4.1.1/32 cannot be added to the route table, because the route destination does not match any subnet configured in the VPC.

[Figure: route table error when adding a route for 10.4.1.1/32]

It is recommended to change the target of the 10.4.0.0/16 destination from ‘local’ to the network interface of FortiGate port2.
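To make the routing behaviour concrete, here is an added example (not FortiGate or AWS code) that models the VPC router decision this article describes: a longest-prefix lookup whose ‘local’ target only delivers to ENI addresses that sit inside a configured subnet, so the loopback 10.4.1.1 is dropped until the VPC CIDR route is re-targeted at the port2 ENI. The topology is the one from the `diag ip address list` output above; the ENI ids are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not real AWS identifiers) matching the article's
# 'diag ip address list' output: two FortiGate ENIs, one server, one loopback.
VPC_CIDR = ip_network("10.4.0.0/16")
SUBNETS = [ip_network("10.4.0.0/24"), ip_network("10.4.2.0/24")]
ENIS = {                                   # ENI id (placeholder) -> private IP
    "eni-fg-port1-PLACEHOLDER": ip_address("10.4.0.5"),
    "eni-fg-port2-PLACEHOLDER": ip_address("10.4.2.5"),
    "eni-server-PLACEHOLDER": ip_address("10.4.2.9"),
}
# 10.4.1.1 (loopback-mgmt) is FortiGate-internal: it belongs to no VPC subnet.

DEFAULT_ROUTES = {VPC_CIDR: "local"}                        # AWS default
FIXED_ROUTES = {VPC_CIDR: "eni-fg-port2-PLACEHOLDER"}       # the article's fix


def add_route(routes, cidr, target):
    """Model of the console rejection shown in the article: a destination
    inside the VPC CIDR that lies in no configured subnet is refused."""
    net = ip_network(cidr)
    if net.subnet_of(VPC_CIDR) and not any(net.subnet_of(s) for s in SUBNETS):
        return f"rejected: {cidr} does not match any subnet in the VPC"
    routes[net] = target
    return "added"


def next_hop(routes, dst):
    """Longest-prefix match, then resolve 'local' the way the VPC router does:
    it only delivers to an ENI whose address sits in a configured subnet."""
    dst = ip_address(dst)
    matches = [net for net in routes if dst in net]
    if not matches:
        return "drop: no route"
    target = routes[max(matches, key=lambda net: net.prefixlen)]
    if target != "local":
        return f"forward to {target}"      # ENI target: the FortiGate gets it
    for eni, ip in ENIS.items():
        if ip == dst and any(dst in s for s in SUBNETS):
            return f"deliver to {eni}"
    return "drop: not in any subnet"       # the loopback case


if __name__ == "__main__":
    print("default, 10.4.1.1:", next_hop(DEFAULT_ROUTES, "10.4.1.1"))
    print("fixed,   10.4.1.1:", next_hop(FIXED_ROUTES, "10.4.1.1"))
    print(add_route(dict(DEFAULT_ROUTES), "10.4.1.1/32", "eni-fg-port2-PLACEHOLDER"))
```

On the AWS side the same re-targeting can be done from the CLI with `aws ec2 replace-route` using `--destination-cidr-block 10.4.0.0/16` and `--network-interface-id` for the port2 ENI.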

[Figure: route for 10.4.0.0/16 with the FortiGate port2 network interface as target]

Test Result:

[Figure: test result]