FortiGate can replace the Cloud NAT service for outbound traffic. In addition to NAT, it lets you police access based on VM metadata, allow only selected Internet services, and add AV scanning on top to make sure your workloads remain healthy.
To enable Internet access the module adds the following objects:
- a FortiGate IP Pool object and an outbound firewall policy
This module currently leverages the ELB created by inbound-ns. Outbound traffic then flows as follows:
- Workload initiates connection towards Internet
- The connection matches the custom route imported from the FortiGate trusted VPC and is forwarded over VPC peering
- The Internal Load Balancer selects the currently active FortiGate appliance and forwards the traffic to it
- FortiGate applies the outbound firewall policy (including AV scanning), source-NATs the connection to the ELB external IP using the IP Pool, and passes it on to the Internet
Note: Currently outbound-ns requires that you first deploy inbound-ns.
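<br/>
As an added illustration of what the two objects above do (this is not the configuration the module generates; the module derives the real values from the day0 state and the `elb` forwarding rule), the equivalent FortiOS CLI looks like this. The interface names (port1 as the untrusted/Internet side, port2 as the trusted/workload side), the pool and policy names, the ELB external IP 203.0.113.10 and the profile names are all assumptions for the example:

```fortios
# Illustrative FortiOS CLI, not the module's output. Assumed: port1 = untrusted
# (Internet) interface, port2 = trusted (workload) interface, 203.0.113.10 =
# external IP of the ELB forwarding rule that is passed to the module as "elb".

# 1. IP pool: SNAT outbound sessions to the ELB external IP. "overload" is
#    many-to-one (PAT); a single address is given as both start and end.
#    Return packets arrive from GCP with the ELB IP as destination, so the pool
#    must hold exactly that address for the reverse translation to match.
config firewall ippool
    edit "outbound-ns-elb"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# 2. Outbound policy: trusted -> untrusted, NAT via the pool, AV on top.
#    The service list is deliberately narrow (web + DNS) instead of ALL.
#    To police by VM metadata, replace srcaddr "all" with a dynamic address
#    fed by the GCP SDN connector (not shown here).
config firewall policy
    edit 0
        set name "outbound-ns-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set ippool enable
        set poolname "outbound-ns-elb"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

To check the result, open a connection from a workload VM to an external echo service and confirm the source address it reports is the ELB external IP; on the active FortiGate, `diagnose sys session list` shows the session with the translated source tuple and the policy ID that matched.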
Use a terraform module block to add the outbound connectivity objects to FortiGate.
To configure this module you have to provide the following arguments:
- `name` - a label used to build the names of the created resources
- `day0` - map of day0 remote state outputs. You'll have to create a `data.terraform_remote_state` object and pass its `outputs` to this argument
- `elb` - self link of the forwarding rule whose external IP is used for SNAT
Additional FortiGate-specific arguments can be added to fine-tune settings of the firewall policy.
See day1 for example use:
```hcl
module "outbound" {
  source = "../modules/usecases/outbound-ns"
  day0   = data.terraform_remote_state.base.outputs
  elb    = module.inbound.elb_frule
}
```