This PR more accurately reflects how Fortigates are typically used in production environments.
Instead of one big security group for all the interfaces, create a separate security group for each of the following:
Public
Private
HASync
HAMgmt
This allows for more granular security controls on each of the interfaces. For example, one can now allow management stations ONLY to the HAMgmt interfaces, while still allowing 0.0.0.0/0 to the Public interface (for example, SSLVPN termination).
It also secures the HASync interface to only allow communication between Fortigates, as well as only allowing internal traffic on the Private interfaces.
In addition, an entry into the base VPC for the private route to the FGT eni is also created, which previously needed to be manually created after deployment.
This configuration has been running in a production environment for over two weeks with no issues.
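The per-interface split above is easy to get wrong later (someone adds 0.0.0.0/0 to the management group "temporarily"). The following is an added example, not code from this pull request or from the Fortinet templates: a small policy check that walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags rules that violate the intent described here (HAMgmt only from management stations, HASync only FortiGate-to-FortiGate, Private only from internal ranges, Public allowed to be world-reachable). The group IDs, the management and internal CIDRs, and the sample rules are constructed for the example.

```python
import copy
import ipaddress

# Assumed address ranges (constructed for this example, not from the templates).
MGMT_CIDRS = ["10.0.100.0/24"]   # management stations allowed to reach HAMgmt
INTERNAL_CIDRS = ["10.0.0.0/8"]  # what counts as "internal" for the Private interface
ANYWHERE = "0.0.0.0/0"


def _rule(proto, cidrs=(), groups=(), port=None):
    """Build one IpPermissions entry in describe-security-groups shape."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if port is not None:           # "-1" (all traffic) rules carry no port range
        perm["FromPort"] = perm["ToPort"] = port
    return perm


# Constructed sample: one security group per FortiGate interface, keyed by role.
GOOD_SGS = {
    "Public":  {"GroupId": "sg-pub0001",
                "IpPermissions": [_rule("tcp", cidrs=[ANYWHERE], port=443)]},
    "Private": {"GroupId": "sg-priv0001",
                "IpPermissions": [_rule("-1", cidrs=["10.0.0.0/16"])]},
    "HASync":  {"GroupId": "sg-sync0001",
                "IpPermissions": [_rule("-1", groups=["sg-sync0001"])]},
    "HAMgmt":  {"GroupId": "sg-mgmt0001",
                "IpPermissions": [_rule("tcp", cidrs=MGMT_CIDRS, port=443),
                                  _rule("tcp", cidrs=MGMT_CIDRS, port=22)]},
}


def _cidr_sources(sg):
    return [r["CidrIp"] for p in sg["IpPermissions"] for r in p.get("IpRanges", [])]


def _group_sources(sg):
    return [g["GroupId"] for p in sg["IpPermissions"] for g in p.get("UserIdGroupPairs", [])]


def _within(cidr, allowed):
    """True if `cidr` is fully contained in at least one of the `allowed` networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def check_interface_groups(sgs):
    """Return a list of findings; an empty list means the split matches the intended policy."""
    findings = []
    for role, sg in sgs.items():
        gid, cidrs, groups = sg["GroupId"], _cidr_sources(sg), _group_sources(sg)
        if role == "Public":
            continue  # 0.0.0.0/0 is expected here (e.g. SSL-VPN termination)
        if role == "HAMgmt":
            for c in cidrs:
                if not _within(c, MGMT_CIDRS):
                    findings.append(f"HAMgmt {gid}: ingress from {c} is not a management range")
        elif role == "HASync":
            for c in cidrs:
                findings.append(f"HASync {gid}: CIDR ingress {c}; only FortiGate peers expected")
            for g in groups:
                if g != gid:  # peers share this group, so the only valid source is itself
                    findings.append(f"HASync {gid}: ingress from foreign group {g}")
        elif role == "Private":
            for c in cidrs:
                if not _within(c, INTERNAL_CIDRS):
                    findings.append(f"Private {gid}: ingress from non-internal range {c}")
    return findings


def bad_example():
    """Open HAMgmt to the world on a copy; this is the drift the per-interface split is meant to catch."""
    bad = copy.deepcopy(GOOD_SGS)
    bad["HAMgmt"]["IpPermissions"].append(_rule("tcp", cidrs=[ANYWHERE], port=443))
    return check_interface_groups(bad)


if __name__ == "__main__":
    print("good:", check_interface_groups(GOOD_SGS))
    print("bad: ", bad_example())
```

The check is deliberately narrow: it only inspects ingress sources, and it treats the HASync group as valid only when it references itself, which is how two FortiGates sharing one HASync group reach each other. The route entry for the FortiGate ENI mentioned above is a separate resource and is not covered by this check.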