Hi Marty,
We have a similar setup. Along with the route table that @Ammar suggested, the links included in his answer are very helpful. I just thought to share how we configured it:
To configure the traffic flow as PIP Firewall → PIP Load Balancer → AKS Cluster → Fortigate Firewall → Internet.
- Configure Initial Traffic Routing:
  - Ensure that incoming traffic from the internet first hits the Public IP (PIP) of the Fortigate Firewall.
  - Set up the Fortigate Firewall to route this incoming traffic to the Public IP of the Load Balancer.
- Load Balancer Configuration:
  - Configure the Load Balancer to forward the traffic to the AKS Cluster.
  - Make sure the Load Balancer is set up with the correct rules to route the traffic to the appropriate services in the AKS cluster.
- AKS Cluster Network Configuration:
  - Configure the AKS cluster's network settings to ensure that outbound traffic is directed towards the Fortigate Firewall.
  - This may involve setting up specific routes in the AKS cluster or adjusting the network configuration so that the default route for outbound traffic points to the Fortigate Firewall.
- Fortigate Firewall Outbound Configuration:
  - On the Fortigate Firewall, configure the outbound rules to handle traffic coming from the AKS cluster.
  - Set up NAT (Network Address Translation) rules to translate the internal IP addresses from the AKS cluster to the public IP address of the Fortigate Firewall for outbound traffic to the internet.
Say the Load Balancer IP is x.x.x.x and the Fortigate Firewall's is y.y.y.y.
Step 1: Configuring the Fortigate Firewall
Log into the Fortigate Firewall:
- Access the Fortigate Firewall management console.
Create a Virtual IP (VIP):
- Navigate to 'Policy & Objects' > 'Virtual IPs'.
- Click 'Create New' > 'Virtual IP'.
- Set the 'External IP Range' to the PIP of the Fortigate Firewall (y.y.y.y).
- Set the 'Mapped IP Range' to the PIP of the Load Balancer (x.x.x.x).
- Save the VIP configuration.
Step 2: Setting Up a Firewall Policy
Create a New Policy:
- Go to 'Policy & Objects' > 'IPv4 Policy'.
- Click 'Create New'.
Configure the Policy:
- In 'Incoming Interface', select the interface connected to the internet.
- In 'Outgoing Interface', select the interface leading to the Load Balancer.
- For 'Source', select 'all' or specify the desired source addresses.
- Set 'Destination' to the VIP you created.
- Set 'Service' to 'ALL' or specific services (like HTTP, HTTPS).
- Turn 'NAT' on.
- Save the policy.
Step 3: Apply Changes
- Apply and Save Configuration:
  - Ensure the new configurations are saved and applied.
  - You might need to commit the changes, depending on the Fortigate model.
Hope this is helpful.
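As an added example (not code from the answer above or from Fortinet), here is a small Python helper that renders the Step 1 VIP and Step 2 policy as FortiOS CLI and then lints the result for the permissive choices the steps allow ('all' source together with 'ALL' service, or NAT left off). The interface names port1/port2, the object names and the sample IPs are assumptions.

```python
"""Render the inbound VIP + policy from the steps above as FortiOS CLI and lint it.
Example code, not from the answer; interface names and object names are assumed."""
import ipaddress
import re


def render_inbound_config(fw_pip, lb_pip, wan_if="port1", lb_if="port2", services=("HTTPS",)):
    """Return FortiOS CLI for Step 1 (VIP y.y.y.y -> x.x.x.x) and Step 2 (policy with NAT).
    ip_address() raises ValueError on malformed input, so typos never reach the device."""
    ext, mapped = ipaddress.ip_address(fw_pip), ipaddress.ip_address(lb_pip)
    if ext == mapped:
        raise ValueError("VIP external IP and mapped IP must differ")
    if not services:
        raise ValueError("at least one service is required")
    svc = " ".join(f'"{s}"' for s in services)
    return (
        "config firewall vip\n"
        '    edit "vip-to-lb"\n'                      # assumed object name
        f"        set extip {ext}\n"                   # firewall PIP (y.y.y.y)
        f'        set extintf "{wan_if}"\n'            # internet-facing interface
        f'        set mappedip "{mapped}"\n'           # load balancer PIP (x.x.x.x)
        "    next\nend\n"
        "config firewall policy\n"
        "    edit 0\n"                                 # 0 = let FortiOS assign the ID
        '        set name "inbound-to-lb"\n'
        f'        set srcintf "{wan_if}"\n'
        f'        set dstintf "{lb_if}"\n'
        '        set srcaddr "all"\n'
        '        set dstaddr "vip-to-lb"\n'
        "        set action accept\n"
        '        set schedule "always"\n'
        f"        set service {svc}\n"
        "        set nat enable\n"                     # Step 2: turn NAT on
        "    next\nend\n"
    )


def lint_policy(cli):
    """Return findings for every accept policy that is wide open or lacks NAT."""
    findings = []
    for m in re.finditer(r"^\s*edit (\S+)\n(.*?)^\s*next", cli, re.M | re.S):
        pid, body = m.group(1), m.group(2)
        if "set action accept" not in body:
            continue  # VIP objects and deny rules are not policies we need to judge
        if 'set srcaddr "all"' in body and 'set service "ALL"' in body:
            findings.append(f"policy {pid}: any source + any service")
        if "set nat enable" not in body:
            findings.append(f"policy {pid}: NAT not enabled")
    return findings


if __name__ == "__main__":
    print(render_inbound_config("203.0.113.10", "203.0.113.20"))  # constructed sample PIPs
```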