1. Public Facing Workload Configuration Sample
1.1. Overview
This page describes the steps needed to configure a public facing web application that is deployed within a workload AWS Account in the Secure Environment Accelerator (SEA).
The high-level steps are the following:
- Create an SSL public certificate in AWS Certificate Manager.
- Create a DNS entry for the web application.
- Create Application Load Balancer Target Groups for the web application.
- Create an Application Load Balancer Rule to forward traffic to the Firewalls.
- Configure the Firewalls.
The screenshots and steps in this page are specific to the Fortigate Firewalls.
1.2. Perimeter SEA AWS Account
1.2.1. SSL Certificate Configuration
- Within the Perimeter SEA AWS Account, navigate to the Certificate Manager service.
- Follow the steps to request a new public certificate. This will be used to support HTTPS for the web application. Note that the SEA deploys 'example' certificates, but these should not be used at the perimeter. Here's an example showing a wildcard cert.
- Navigate to the ALBs and select the Load Balancer that will support the incoming requests for the web application. In this example, it will be the 'Public-DevTest-perimeter-alb'.
- Select the 'Public-DevTest-perimeter-alb' ALB and click the View/edit certificates link button.
- Click the + button and select the new SSL Certificate. Click Add.
- Return to the ALBs and select the 'Public-DevTest-perimeter-alb' ALB. Select the default HTTPS listener and click Edit.
- Change the Default SSL certificate to the newly created public cert and update the settings.
1.2.2. ALB Target Group Configuration
- Navigate to the EC2 Load Balancers and view the default Application Load Balancers (ALB).
- List the ALB Target Groups. These are pairs of targets (one for each firewall) that direct traffic from the perimeter ALB to the firewall. The two pairs were created as part of the default configuration and provide health checks to the shared VPCs. To support a new web application, a new pair will be created, one for each firewall (i.e. one per AZ).
- Click the Create target group button. (Note: This will be repeated for each Firewall.)
- Enter the following parameter values:
  - Target group name: Public-DevTest-SampleApp-azA
  - Protocol: HTTPS
  - Port: (pick an unused port on the Firewall). Example: 7006
  - VPC: Perimeter_VPC
- When registering a target, pick the instance that aligns with the Availability Zone (AZ) that is being configured. Example: Firewall*az[A|B]. If creating 'Public-DevTest-SampleApp-azA', then choose Firewall instance 'Firewall*azA'.
- Ensure that the port value is the previously entered port value. Click Include as pending below.
- Click the Create target group button when ready.
- Repeat for the additional firewalls.
1.2.3. ALB Listener Rule Configuration
- Create a DNS entry for the web application that resolves to the perimeter ALB being configured. For example: webapplication.mydomain.ca resolves to 'Public-DevTest-perimeter-alb-1616856287.ca-central-1.elb.amazonaws.com'.
- Navigate to the ALBs and select the 'Public-DevTest-perimeter-alb' ALB. Click the View/edit rules link button.
- Click the + button to create a new rule. Then click the + Insert Rule button.
- Configure a match condition on Host header and enter the value of the DNS entry for the web application.
- Click the checkmark to update it.
- Click the + Add action and select Forward to...
- Configure both Targets using the ones previously created (one per firewall). Adjust for 50% load balanced traffic.
- Click the checkmark to update and then click the Save button.
1.3. Fortigate Firewall Configuration
The following configuration will be executed per Firewall instance (twice with the default SEA configuration).
- Log in to the firewall instance.
- Switch the Virtual Domain (vdom) to FG-traffic.
- Navigate to Policy & Objects and select Addresses.
- Create a new entry using the following parameter values:
  - Name: Dev1-SampleWebApplication-ALB-FQDN
  - Type: FQDN
  - FQDN: (use the DNS value of the internal load balancer in front of the web application)
  - Interface: tgw-vpn1
- After saving the entry, refresh the Address grid and verify that the row colour is white.
- Navigate to Policy & Objects and select Virtual IPs.
- Make note of the IP address in use in the Details column. In the example above, “100.96.250.22”.
- Click the CLI command icon in the top right corner. Note that the following must be done using the CLI.
- Update the following script template, replacing the values for name, extip, mapped-addr and extport:
config firewall vip
    edit "Dev1-SampleWebApplication-ALB"
        set type fqdn
        set extip 100.96.250.22
        set extintf "port1"
        set portforward enable
        set mapped-addr "Dev1-SampleWebApplication-ALB-FQDN"
        set extport 7006
        set mappedport 443
    next
end
- Returning to the UI shows the new entry.
- Navigate to Policy & Objects, select IPv4 Policy and expand public (port1).
- Locate the desired policy (ex: Dev-Test #8 in the example below). Right-click and click Edit.
- Locate the Destination field entry and click the + button.
- Locate the newly created Virtual IP entry (ex: Dev1-SampleWebApplication-ALB) and save the changes. NOTE: The entry is NOT the Address/FQDN entry.
- After refreshing the page, the row background should be white, and the new destination is visible.
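The steps in sections 1.2.2, 1.2.3 and 1.3 repeat the same three invariants for every new application: the chosen port must be unused on every firewall, each target group must register only the firewall in its own AZ, and the FortiOS VIP must map that same port to 443 on the FQDN address object. The following Python script is an added example, not part of the SEA documentation or the Fortinet product, that encodes those invariants as a planner: it validates the port against a constructed inventory of existing VIP ports, builds the target group and listener rule parameters in the shape of the ELBv2 CreateTargetGroup/RegisterTargets/CreateRule API calls (no AWS calls are made), and renders the VIP template from this page. The firewall inventory, instance IDs, VPC ID and listener ARN are placeholders, and the `config firewall address` block is the assumed CLI equivalent of the Address object this page creates in the GUI.

```python
"""Plan the perimeter ALB and FortiGate changes for one public-facing web app."""
from dataclasses import dataclass

# Constructed inventory (sample values, not from a real SEA deployment): the two
# SEA firewalls, one per AZ, and the extports their existing VIPs already use on
# port1. Instance IDs, VPC ID and listener ARN are placeholders.
FIREWALLS = [
    {"name": "Firewall_azA", "az": "ca-central-1a",
     "instance_id": "i-PLACEHOLDERAZA", "used_extports": {443, 7001, 7002}},
    {"name": "Firewall_azB", "az": "ca-central-1b",
     "instance_id": "i-PLACEHOLDERAZB", "used_extports": {443, 7001, 7002}},
]
PERIMETER_VPC_ID = "vpc-PLACEHOLDER"
LISTENER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/Public-DevTest-perimeter-alb/PLACEHOLDER"


@dataclass(frozen=True)
class WebApp:
    env: str                # environment label used in target group names, e.g. "DevTest"
    name: str               # short app name, e.g. "SampleApp"
    host: str               # public DNS name the listener rule matches on
    internal_alb_fqdn: str  # DNS name of the internal ALB in front of the app
    extport: int            # port on each firewall's port1 that the ALB targets
    extip: str              # address the firewall's existing VIPs use on port1


def check_port(app: WebApp) -> None:
    """The page says to pick an unused firewall port: two VIPs on the same
    extip/extintf cannot share an extport, so reject a clash on any firewall."""
    if not 1024 <= app.extport <= 65535:
        raise ValueError(f"extport {app.extport} outside the usable range")
    for fw in FIREWALLS:
        if app.extport in fw["used_extports"]:
            raise ValueError(f"extport {app.extport} already used on {fw['name']}")


def az_suffix(az: str) -> str:
    """'ca-central-1a' -> 'azA', matching the Firewall_az[A|B] naming."""
    return "az" + az[-1].upper()


def target_group_specs(app: WebApp) -> list:
    """One HTTPS target group per firewall; each registers only the firewall in
    its own AZ on the chosen port. Dicts follow the shape of the ELBv2
    CreateTargetGroup and RegisterTargets parameters."""
    check_port(app)
    specs = []
    for fw in FIREWALLS:
        tg_name = f"Public-{app.env}-{app.name}-{az_suffix(fw['az'])}"
        specs.append({
            "create": {"Name": tg_name, "Protocol": "HTTPS", "Port": app.extport,
                       "VpcId": PERIMETER_VPC_ID, "TargetType": "instance",
                       "HealthCheckProtocol": "HTTPS"},
            "register": {"Targets": [{"Id": fw["instance_id"], "Port": app.extport}]},
        })
    return specs


def listener_rule(app: WebApp, tg_arns: list, priority: int) -> dict:
    """Host-header match on the app's DNS name forwarding to both target groups
    with equal weight (shape of the ELBv2 CreateRule parameters)."""
    if len(tg_arns) != len(FIREWALLS):
        raise ValueError("need exactly one target group ARN per firewall")
    weight = 100 // len(tg_arns)  # 50/50 with the default two firewalls
    return {
        "ListenerArn": LISTENER_ARN,
        "Priority": priority,
        "Conditions": [{"Field": "host-header",
                        "HostHeaderConfig": {"Values": [app.host]}}],
        "Actions": [{"Type": "forward", "ForwardConfig": {"TargetGroups": [
            {"TargetGroupArn": arn, "Weight": weight} for arn in tg_arns]}}],
    }


def fortios_config(app: WebApp) -> str:
    """Render the FQDN address object (assumed CLI equivalent of the GUI step)
    and the page's VIP template: extport on port1 is port-forwarded to 443 on
    the internal ALB's FQDN. The same text is applied on every firewall."""
    check_port(app)
    vip = f"Dev1-{app.name}-ALB"
    addr = f"{vip}-FQDN"
    lines = [
        "config firewall address",
        f'    edit "{addr}"',
        "        set type fqdn",
        f'        set fqdn "{app.internal_alb_fqdn}"',
        '        set associated-interface "tgw-vpn1"',
        "    next",
        "end",
        "config firewall vip",
        f'    edit "{vip}"',
        "        set type fqdn",
        f"        set extip {app.extip}",
        '        set extintf "port1"',
        "        set portforward enable",
        f'        set mapped-addr "{addr}"',
        f"        set extport {app.extport}",
        "        set mappedport 443",
        "    next",
        "end",
    ]
    return "\n".join(lines)
```

Run `target_group_specs`, `listener_rule` and `fortios_config` against one `WebApp` to obtain the three artefacts in order; a port that any firewall already uses is rejected before any parameters are produced, which is the failure the manual "pick an unused port" step is meant to avoid.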