FortiGate-VM Hub-and-Spoke Lab: AWS Transit Gateway
Overview
This hands-on lab demonstrates how to protect distributed AWS workloads using a centralized security hub architecture.
You will deploy a FortiGate-VM to inspect:
- North-south Internet traffic
- East-west traffic between workload VPCs
- Inbound traffic from the Internet
AWS Transit Gateway provides connectivity between the FortiGate security hub and the workload VPCs.
Disclaimer
This environment is prepared specifically for hands-on workshop purposes. Do not use it in production without additional security review and hardening.
Lab Architecture
The CloudFormation template automates the deployment of the following components:
- Central Security Hub: A VPC containing the FortiGate-VM inspection point.
- AWS Transit Gateway: The cloud router connecting the security and workload VPCs.
- Workload Spokes: Two separate VPCs running Ubuntu web servers.
- Centralized traffic flow: Egress and east-west traffic from the spoke instances is routed through the Transit Gateway to the FortiGate private interface for security inspection.
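The centralized flow in the last bullet depends on how the Transit Gateway route tables are built: spokes share one table whose only route points at the hub, and the hub table alone knows the spoke prefixes. The fragment below is an added illustration, not the lab's own CloudFormation template; it assumes resources named SecurityVpc, SecurityTgwSubnet and SpokeAAttachment are defined elsewhere and that spoke A uses 10.1.0.0/16.

```yaml
# Added illustration, not the lab's own template. SecurityVpc, SecurityTgwSubnet and
# SpokeAAttachment (the spoke VPC attachment) are assumed to exist; spoke B is wired identically.
Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      # Disable default association/propagation: an attachment reaches nothing until placed explicitly
      DefaultRouteTableAssociation: disable
      DefaultRouteTablePropagation: disable
  SecurityAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SecurityVpc
      SubnetIds: [!Ref SecurityTgwSubnet]
      Options:
        # Keep both directions of a flow in the same AZ so the FortiGate sees the whole session
        ApplianceModeSupport: enable
  SpokeRouteTable:      # shared by every spoke attachment
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
  SecurityRouteTable:   # used only by the hub attachment
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
  SpokeAAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref SpokeAAttachment
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
  SecurityAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref SecurityAttachment
      TransitGatewayRouteTableId: !Ref SecurityRouteTable
  SpokeDefaultRoute:    # spokes get one route: Internet and other spokes both go via the hub
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref SecurityAttachment
  SecurityToSpokeARoute: # return path; 10.1.0.0/16 is an assumed spoke A CIDR
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref SecurityRouteTable
      DestinationCidrBlock: 10.1.0.0/16
      TransitGatewayAttachmentId: !Ref SpokeAAttachment
```

Because no spoke-to-spoke route exists in SpokeRouteTable, east-west traffic can only reach another spoke after passing through the hub. The VPC-level route tables (spoke subnets defaulting to the TGW, and the hub's TGW subnet defaulting to the FortiGate private ENI) are not shown.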
Lab Diagram

Lab Sections
- Prepare the AWS environment and create an SSH key pair.
- Subscribe to the FortiGate BYOL AMI and deploy the lab.
- Log in to, license, and verify the FortiGate-VM.
- Configure the FortiGate AWS SDN connector.
- Test egress, east-west, and ingress traffic inspection.
- Delete the lab resources.
AWS Region
The lab is deployed in the AWS West Europe Region:
```text
eu-central-1
```
Start the Lab
Continue to Section 1: Lab Preparation.