
We have a FortiGate (FortiOS 6.0) connected to an IPsec Site-to-Site VPN (Dynamic BGP) on AWS. When the VPN is up, we can only access EC2 using the private IP; the public IP no longer works. Only the public IPs in the VPC linked to the VPN are unreachable; the public IPs of other AWS accounts remain reachable.

How do we make both IPs reachable, even when connected to the VPN?

For testing purposes I created an "allow all traffic from any IP" security group to make sure I wasn't being blocked by that.

Joshua

2 Answers

That is a limitation of AWS VPNs. They only allow traffic to/from private IPs belonging to the VPC the VPN is deployed in.

odc

You shouldn't be reaching any of the public IP addresses via the VPN (maybe it's routing publicly?).

It's not an issue of Security Groups, but of routing. IIRC you don't have transitive routing via a VPN connection, meaning that the route tables in the VPC that is associated with your VPN won't route traffic not directed between itself and the network(s) you have defined in your on-premises networking.

Or you could have something like an EC2 instance do the routing with two (or more) ENIs attached to it.

If memory serves, you could overcome the transitive routing situation by using Direct Connect instead of VPN.

Oscar De León
  • You're correct that this is a routing issue, but it's on the client side. The FortiGate needs to be set up for split-tunnel distribution, routing the client only for specific addresses, such as the private range of the VPC. Note the FortiGate will also need uplink to the internet for this to work. – Ryder Nov 17 '20 at 09:00
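As an added example, not taken from the question, the answers or the comment, the split-tunnel point above written as FortiOS CLI: the first fragment is the weak shape, a default route pointed at the tunnel interface, which drags the EC2 public IPs into the AWS VPN where (per the first answer) AWS will not carry them; the second keeps only the VPC private range on the tunnel so public IPs keep using the WAN default route. The interface name aws-vpn1, the VPC CIDR 10.0.0.0/16 and the BGP neighbour 169.254.10.1 are placeholders, and the prefix-list/route-map part assumes the routes arrive over BGP as the question states.

```fortios
# Weak: a static default route via the tunnel interface sends everything,
# including the EC2 public IPs, into the AWS VPN (placeholder names).
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "aws-vpn1"
    next
end

# Corrected: only the VPC private range rides the tunnel; the existing
# default route on the WAN interface keeps the public IPs reachable.
config router static
    edit 10
        set dst 10.0.0.0 255.255.0.0
        set device "aws-vpn1"
    next
end

# With dynamic BGP, apply the same rule to learned routes: accept only the
# VPC prefix from the AWS neighbour so nothing broader lands on the tunnel.
config router prefix-list
    edit "pl-aws-vpc-only"
        config rule
            edit 1
                set prefix 10.0.0.0 255.255.0.0
            next
        end
    next
end
config router route-map
    edit "rm-aws-in"
        config rule
            edit 1
                set match-ip-address "pl-aws-vpc-only"
            next
        end
    next
end
config router bgp
    config neighbor
        edit "169.254.10.1"
            set route-map-in "rm-aws-in"
        next
    end
end
```

After applying, `get router info routing-table all` on the FortiGate should show only the VPC prefix via aws-vpn1 and the default route still via the WAN interface.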