AWS route traffic destined to NLB to firewall instance in same subnet

Question

I have a fortigate ec2 instance in public subnet. An eks cluster in public subnet application deployed in eks is accessible using NLB endpoint in public subnet. I want all the traffic to my application pass through the fortigate firewall(fortigate instance and NLB are in same public subnet). So I have tried configuring route table for public subnet or the edge route table for internet gateway so if traffic is destined to NLB private interface ips it should be routed to fortigate vm interface but got the error that it's not a subnet cider. I only want incoming traffic to pass through fortigate so I can setup some firewall rules on it. Can anyone help with this config or suggest any better way to implement the desired requirement.

I have tried with NLb interface ips and also tried creating a prefix list from private ips but nothing worked

Editing the question as cannot post this in comment

So I have did the same config for subnets as mentioned in 1st awnser. Also created fortigate VM with two interfaces port1 in public and port2 in NLB subnet. And For egde subnet sending the traffic to port2 interface same for internet traffic of NLB subnet. Here is the fortigate config file

Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0

config system interface
edit port1
set vdom "root"
set alias public
set mode dhcp
set allowaccess ping https ssh fgfm
next
edit port2
set vdom "root"
set alias private
set mode dhcp
set allowaccess ping https ssh fgfm probe-response
next
end
config firewall policy
edit 1
set name "test"
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 1
set name "test2"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
config router static
    edit 1
        set gateway ${nlb_ip}
        set device "port1"
    next
    edit 2
        set gateway ${nlb_ip}
        set device "port2"
    next
end

--==AWS==--

Still when hit the nlb endpoit it is not reachable. but if use normal network config without fortigate is accessable.

Answer 1

If you want to route traffic through an intermediate device like the setup you mentioned, its better to have them in separate Subnets. If the routing is expected to be as below:

Client --> Internet --> IGW --> Fortigate --> NLB --> EKS

You will need to spilt them to at least 2 subnets.

1. Public subnet to hold your Fortigate FW ENIs
2. Protected subnet where you can host your NLBs (and EKS)

Route-Tables will be as below:

---

Public Subnet's Route-Table:

VPC CIDR > local

0.0.0.0/0 > IGW

---

Protected Subnet's Route-Table:

VPC CIDR > local

0.0.0.0/0 > FW ENI

---

Edge Route-Table( on IGW ):

VPC CIDR > local

NLB's Subnet CIDR > FW ENI