This is a diagram that is used to deploy this lab.
![](https://tungle.ca/wp-content/uploads/2022/04/image-202.png)
In this lab, we will use Elastic Load Balancer to distribute RDP traffic via Windows 2016 VM instances among the FortiGate in different AZs on AWS.
Below are a couple of steps that are used to deploy this lab.
- Create your VPC, subnets, and route tables.
- Launch FortiGate 1 on AZ 1 and FortiGate 2 on AZ 2.
- Create both Windows 2016 VM on AZ 1 and AZ 2.
- Configure DNAT to allow RDP traffic from the Internet to Windows Server 2016 instance on each AZ.
- Configure Elastic Network Load Balancing on both FortiGates on multiple AZ.
- RDP traffic has been distributed to Windows 2016 VM1 and VM2 via Elastic Network Load Balancing
Create a new VPC.
![](https://tungle.ca/wp-content/uploads/2022/04/image-95.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-97-1024x154.png)
Create new both Public subnet 2 and Private subnet 2 on the Availability zone 2
![](https://tungle.ca/wp-content/uploads/2022/04/image-98.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-99.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-101-1024x190.png)
Create 4 route tables as in the diagram above.
![](https://tungle.ca/wp-content/uploads/2022/04/image-122-1024x504.png)
Link the subnets to corresponding route tables.
![](https://tungle.ca/wp-content/uploads/2022/04/image-103.png)
Create a new FortiGate on AZ 1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-105-1024x797.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-106-1024x462.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-107-1024x808.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-108-1024x583.png)
Create a new Elastic IP address and associate for the first FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-109.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-110-1024x581.png)
Launch the new FortiGate instance on AZ 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-111.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-112.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-113-1024x689.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-114-1024x578.png)
Rename to Fortinet Zone 1 Public subnet and Fortinet Zone 2 Public Subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-115-1024x582.png)
Create a new Fortinet Zone 1 Private subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-116.png)
Attach this into the first FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-118.png)
Create a new Fortinet Zone 2 Private subnet and attach it to FortiGate 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-119.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-120.png)
Uncheck “Change source/destination check” on all FortiGate interfaces.
![](https://tungle.ca/wp-content/uploads/2022/04/image-117.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-121-1024x186.png)
Back to Route tables.
![](https://tungle.ca/wp-content/uploads/2022/04/image-123-1024x608.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-124-1024x593.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-125-1024x498.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-126-1024x486.png)
Create a new route 0.0.0.0/0 on Public Route table 1 via Fortinet Zone 1 Public subnet interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-127-1024x415.png)
Create a new route 0.0.0.0/0 on Public Route table 2 via Fortinet Zone 2 Public subnet interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-130-1024x425.png)
Create a new route 0.0.0.0/0 on Private Route table 1 via Fortinet Zone 1 Private subnet interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-128-1024x406.png)
Create a new route 0.0.0.0/0 on Private Route table subnet 2 via Fortinet Zone 2 Private subnet interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-129-1024x428.png)
Access FortiGate management interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-131-1024x585.png)
The FortiGate 1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-132-1024x725.png)
Change the LAN setting for port 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-133.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-134-1024x493.png)
Do the same with FortiGate 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-135-1024x537.png)
Create two new Windows Server 2016 instances on AZ1 and AZ2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-145.png)
Windows Security Group.
![](https://tungle.ca/wp-content/uploads/2022/04/image-140-1024x452.png)
Launch the new one.
![](https://tungle.ca/wp-content/uploads/2022/04/image-144-1024x503.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-142-1024x665.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-146-1024x567.png)
Go to FortiGate 1, and DNAT port 3389 to Windows Server 2016 VM 1 instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-148-1024x672.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-149-1024x413.png)
Create a new inbound policy to allow traffic from the Internet to Windows 2016 instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-150-1024x868.png)
On FortiGate 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-153-1024x669.png)
Create a new Firewall Policy.
![](https://tungle.ca/wp-content/uploads/2022/04/image-154.png)
Edit the Security Group to allow RDP to Windows 2016 VM 2 instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-157-1024x693.png)
Access Windows VM 1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-158.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-160.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-159.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-161.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-162-1024x371.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-163-1024x220.png)
Create Network Load Balancer on AWS for RDP traffic to Windows Server 2016 instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-199.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-180.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-170.png)
Select “IP address”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-167.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-168.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-169.png)
Add IP addresses on the public subnet of both FortiGates on “register targets”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-173-1024x584.png)
Click Register targets.
![](https://tungle.ca/wp-content/uploads/2022/04/image-188-1024x536.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-189-1024x539.png)
Wait until the health states on both IP addresses are healthy.
![](https://tungle.ca/wp-content/uploads/2022/04/image-196-1024x522.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-181-1024x420.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-185-1024x609.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-190.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-183-1024x401.png)
Right-click on FortiGate-NLB-RDP and enable “Cross zone load balancing” to allow load balancing on multiple AZ.
![](https://tungle.ca/wp-content/uploads/2022/04/image-187-1024x524.png)
Set the same Windows password for both Windows 2016 instances.
Access RDP to the highlighted DNS name on NLB.
![](https://tungle.ca/wp-content/uploads/2022/04/image-186.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-191.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-192.png)
An RDP session will access Windows Server VM 1 or VM 2 via Elastic Load Balancing.
![](https://tungle.ca/wp-content/uploads/2022/04/image-193-1024x453.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-194-1024x548.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-195-1024x501.png)
We are able to configure both web servers on Windows server 2016 VMs and distribute web traffic via Windows 2016 VM instances among the FortiGate in different AZs on AWS.