outsidevwan-sdwan.md

File metadata and controls

42 lines (28 loc) · 3.35 KB

FortiGate Secure SD-WAN (OUTSIDE Virtual WAN Hub)

Connecting your branches and datacenters into the FortiGate Next-Generation Firewall in Microsoft Azure

[Figure: network drawing for FortiGate SD-WAN inside Virtual Hub]

Design

This scenario preferably uses an active/passive setup in which the IPsec VPN tunnels terminate on the public IP of the External Azure Load Balancer, so that on-premises sites keep a single tunnel endpoint during failover. An active/active deployment is possible as well, but it requires the on-premises component to set up two IPsec tunnels, one to each FortiGate unit. Deployment of this setup can be done either via the Azure Marketplace or via the above GitHub links.

Routing can be either static or dynamic; an example deployment/demo is available for both:

Deployment

Deployment of the FortiGate-VM(s) is documented here and can be done via the Azure Marketplace or using the ARM or Terraform templates.

Requirements and limitations

  • Routing: During the deployment the FortiGate-VMs are peered with the Azure routing service inside the Virtual WAN Hub using BGP. This allows the FortiGate-VMs to advertise the routes for all the remote sites into the hub, with themselves as next hop. The gateway for these networks is always the FortiGate-VM IP address on port2.
  • Licenses for Fortigate
    • BYOL: VM, VM Subscription or Flex-VM licenses can be used on these units. A demo license can be made available via your Fortinet partner or on our website. Licenses need to be registered on the Fortinet support site. Download the .lic file after registration. Note that these files may not work until 60 minutes after their initial creation.
    • PAYG or OnDemand: These licenses are automatically generated during the deployment of the FortiGate systems.

Flows

This flow is based on an Active/Passive setup using route distribution between the on-premises, cloud and Azure VWAN BGP endpoints.

[Figure: Flows_north-south]

  1. Connection from client to the private IP of the server. The packet is routed over an IPsec connection to the FortiGate-VM, which decrypts it (s: 10.10.0.10, d: 10.20.0.4).
  2. The decrypted packet is routed via port2 into the VNET peering to VWAN and subsequently into Spoke1 (s: 10.10.0.10, d: 10.20.0.4).
  3. The server responds to the request (s: 10.20.0.4, d: 10.10.0.10).
  4. The FortiGate encrypts the packet towards on-premises (s: 10.20.0.4, d: 10.10.0.10).
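The FortiOS CLI fragment below is an added example, not part of this page or of the Fortinet templates, and shows how the Routing requirement above and the north-south flow fit together on the active FortiGate-VM: BGP peering from port2 to the two hub router instances of the Virtual WAN Hub, the on-premises prefix (10.10.0.0/16 from the flow) reachable over the IPsec tunnel interface and redistributed into that peering, and a firewall policy that only permits the decrypted branch traffic towards the Spoke1 prefix. ASN 65515 is the fixed ASN of the Azure Virtual WAN hub router; the local ASN 65010, the port2 address 172.16.1.4, the hub router addresses 10.100.0.68/69, the hub prefix 10.100.0.0/16 and the tunnel interface name "branch1" are constructed placeholders that must be replaced with the values of your own deployment.

```fortios
# Added example (not from the page or the Fortinet templates).
# Placeholders: 172.16.1.4 (port2), 172.16.1.1 (Azure subnet gateway of port2),
# 10.100.0.0/16 (hub address space), 10.100.0.68/.69 (hub router instances),
# 65010 (local ASN), "branch1" (IPsec tunnel interface already configured).
config router static
    edit 1
        # Remote site behind the IPsec tunnel (10.10.0.0/16 in the flow above).
        set dst 10.10.0.0 255.255.0.0
        set device "branch1"
    next
    edit 2
        # The hub router instances live in the hub address space, not on the
        # port2 subnet, so reach them via the Azure gateway of port2.
        set dst 10.100.0.0 255.255.0.0
        set gateway 172.16.1.1
        set device "port2"
    next
end
config router bgp
    set as 65010
    set router-id 172.16.1.4
    set ebgp-multipath enable
    config neighbor
        # Both hub router instances; Azure always exposes two.
        edit "10.100.0.68"
            set remote-as 65515
            set ebgp-enforce-multihop enable
            set update-source "port2"
            set soft-reconfiguration enable
        next
        edit "10.100.0.69"
            set remote-as 65515
            set ebgp-enforce-multihop enable
            set update-source "port2"
            set soft-reconfiguration enable
        next
    end
    # Advertise the remote-site prefixes (static routes via the tunnel) into
    # the hub; the hub installs them with port2's address as gateway.
    config redistribute "static"
        set status enable
    end
end
config firewall address
    edit "onprem-10.10.0.0"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "spoke1-10.20.0.0"
        set subnet 10.20.0.0 255.255.0.0
    next
end
config firewall policy
    edit 1
        # Step 2 of the flow: decrypted branch traffic towards Spoke1 via port2.
        # Restricted to the two prefixes instead of "all" so that only the
        # intended site-to-cloud traffic crosses the tunnel.
        set name "branch1-to-spoke1"
        set srcintf "branch1"
        set dstintf "port2"
        set srcaddr "onprem-10.10.0.0"
        set dstaddr "spoke1-10.20.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying this on the active unit (the passive unit receives it through HA synchronisation), `get router info bgp summary` should list both hub router neighbours in the Established state, and `get router info bgp network` should show the 10.20.0.0/16 Spoke1 prefix learned from AS 65515 and 10.10.0.0/16 advertised from the static route; the return traffic of step 3 then follows the hub's route to port2 and is encrypted in step 4.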