datbird
commented
5 years ago Is this still a thing? I'm coming from an Transit VPC architecture and let me be sure I understand correctly. The Lambda automation scripts are checking the firewalls to ensure there default routes are pointed to the VPC's IGW as a next hop gateway?? If that does not exist you're saying it wont propogate the default route or that it doesnt install the route into the firewalls route table?
When deploying FortiGate VMs to an existing VPC in an Auto Scale configuration, worker node cannot find the routing table FortiGate subnet/interface is associated to and doesn't update the default route to the FortiGate ENI.
Reason of the issue is the RouteTableCheck function in Fortigate.py, which expects the default route to be pointing to an IGW:
if igwbool is TrueThere are lots of scenarios where this might not be true: default route is pointing to a NAT Gateway, default route is empty (private subnet talks only to subnets propagated from a VPG), etc. As a result, deployment might or might not succeed, depending on how existing VPC routing tables are configured.
The easiest way to fix this is probably to remove this check and change default route to FortiGate VM ENI regardless of how routing tables are configured.