Technical Tip: Azure East-West Traffic Routing Over Fortinet in Virtual WAN (VWAN)
| Description | This article explains how to prevent east-west traffic from being routed through external interfaces on Fortinet in Azure Virtual WAN (VWAN) |
| Scope | FortiGate. |
| Solution |
In Azure Virtual WAN (VWAN), VNets 192.168.0.0/24 and 192.168.1.0/24 are attached. In some deployments, the following issue may arise: the Azure External Load Balancer incorrectly attempts to route east-west traffic through Port1 (external).

As per the intended architecture, the attached VNets should be connected to an Internal Load Balancer (ILB), ensuring that east-west VNet-to-VNet traffic does not route through the External Load Balancer (ELB). Since this traffic should never be routed externally, this behavior leads to an unintended routing scenario. The interface configuration in this state is:

```
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https probe-response ftm
        set type physical
        set snmp-index 1
        set dns-server-override disable
    next
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh probe-response ftm
        set type physical
        set snmp-index 2
        set defaultgw disable
        set dns-server-override disable
    next
end
```

To prevent east-west traffic from being routed through the External Load Balancer (ELB), disable probe-response on Port1:

```
config system interface
    edit "port1"
        set allowaccess ping https ftm
    next
end
```

Without probe-response on Port1, Fortinet will not respond to Azure Load Balancer health checks on that interface. As a result, the External Load Balancer (ELB) will consider the Fortinet instances down and will not send traffic towards them. This effectively ensures that east-west traffic remains within the Internal Load Balancer (ILB) and does not route externally. Port2 keeps probe-response in its allowaccess list, so the ILB continues to see the instances as healthy.

This issue stems from Microsoft Azure's Load Balancer handling of health probes, which incorrectly influences routing decisions. While the root cause lies with Microsoft, the recommended workaround effectively mitigates the issue by ensuring that Fortinet instances do not respond to external health probes on Port1, preventing unintended traffic routing.

If the above changes do not resolve the issue and east-west traffic drops are still observed over Azure vWAN, review the session helper entries based on the debug flow deny logs. Remove any unnecessary session helpers if applicable.

In DCE-RPC environments, traffic may be dropped because the session helper cannot create the required sessions when authentication traffic is encrypted, which is expected behavior. Configuring a firewall policy in the reverse direction to allow the traffic, and removing the DCE-RPC session helper, can resolve the issue. |
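The before/after interface states above can be audited mechanically before rolling the change out to every FortiGate behind the VWAN hub. The following Python script is an added example, not part of the Fortinet article: it parses a `config system interface` dump in the CLI block format shown above and reports any interface whose probe-response setting is on the wrong side of the ELB/ILB split. The port1 = external and port2 = internal roles are assumed from the article's topology, and the sample configuration is constructed.

```python
"""Audit a FortiGate 'config system interface' dump for Azure LB probe-response.
Added example, not from the article. Assumes port1 faces the ELB (external)
and port2 faces the ILB (internal), as in the article's topology."""

import re

# Constructed sample: the article's 'before' state, reduced to the relevant lines.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https probe-response ftm
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https ssh probe-response ftm
        set defaultgw disable
    next
end
"""

EXTERNAL_PORTS = {"port1"}  # ELB side: must NOT answer health probes (assumption)
INTERNAL_PORTS = {"port2"}  # ILB side: must answer health probes (assumption)


def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from a 'config system interface' dump."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if match:
            current = interfaces.setdefault(match.group(1), {})
        elif line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            current[key] = values
        elif line in ("next", "end"):
            current = None  # leave the current edit block
    return interfaces


def probe_response_findings(interfaces):
    """Return (interface, message) pairs where probe-response is on the wrong side."""
    findings = []
    for name, settings in interfaces.items():
        answers = "probe-response" in settings.get("allowaccess", [])
        if name in EXTERNAL_PORTS and answers:
            findings.append((name, "answers ELB probes; drop probe-response from allowaccess"))
        if name in INTERNAL_PORTS and not answers:
            findings.append((name, "ignores ILB probes; the ILB will mark this instance down"))
    return findings
```

Running `probe_response_findings(parse_interfaces(SAMPLE_CONFIG))` on the constructed 'before' state flags only port1; after removing probe-response from port1 the list is empty.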

