Skip to main content
patsmitty
patsmitty
New Member
November 27, 2024
Question

NGFW in Azure VWan Hub - Firewall Capability Question

  • November 27, 2024
  • 1 reply
  • 1622 views

Hello,

 

My use-case:

I have deployed the FortiGate NVAs in my vWAN Hub via the Azure Marketplace as prescribed here.

I want to use Azure Routing Policies as prescribed here. I don't want to have to manage UDRs if possible.

I want to use the NVAs as a Firewall only (for now).

I have the hub's VNet and the spoke's VNet(s) connected to the VWan Hub.

 

My two questions relate to the Azure side of things in terms of NVA capabilities:

  1. Can I send all internet-bound traffic through the NVAs (and potentially filter that traffic)? When I set up that routing policy in Azure, I lose outbound connectivity. Is it a limitation, or perhaps a mis-configuration on the NVAs?
  2. When I enable the private traffic policy through the VNAs, I lose connectivity between the hub and spokes. Is the fact they're all connected to the VWan Hub; but they need to be peered to the hub's VNet instead? Can I manage traffic from one subnet to another subnet in the same VNet?

 

Thank You

1 reply

sjoshi
Staff
sjoshi
Staff
November 27, 2024

Hi,

 

To address your questions related to Azure routing policies and FortiGate NVAs in your vWAN environment: 1. **Sending Internet-bound traffic through FortiGate NVAs:** - Yes, you can send all internet-bound traffic through the FortiGate NVAs deployed in your vWAN hub. To achieve this, you need to configure User Defined Routes (UDRs) in Azure to direct traffic through the NVAs. If you are losing outbound connectivity after setting up the routing policy, it could be due to misconfigurations on the NVAs. Ensure that the NVAs are correctly configured to handle and filter the internet-bound traffic. Check the NVA's routing, security policies, and NAT configurations to troubleshoot the connectivity issue.

 

2. **Private traffic policy and connectivity between hub and spokes:** - When you enable private traffic policies through the FortiGate NVAs, and you lose connectivity between the hub and spokes, it could be related to how the traffic is being handled within the vWAN environment. - Ensure that the hub and spokes are correctly connected to the vWAN hub and that the routing configurations on the NVAs allow for proper communication between the different subnets. - If the hub and spokes are all connected to the vWAN hub but need to communicate with each other, consider peering the hub's VNet with the spokes' VNets to enable direct communication between the subnets. - You can manage traffic from one subnet to another subnet in the same VNet by configuring appropriate network security groups (NSGs) and routing within Azure. By verifying the configurations on the FortiGate NVAs, setting up proper routing policies in Azure, and ensuring correct connectivity between the hub and spokes, you should be able to achieve the desired traffic routing and filtering capabilities in your vWAN environment.

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
    patsmitty
    patsmittyAuthor
    New Member
    November 27, 2024

    Thank you for the quick response. You said to achieve all internet-bound traffic flow through the NVAs I'd have to set up UDRs... but because I have all my VNets connected to the VWAN Hub I wanted to use the Routing Policies instead. Is this possible to do with these Fortigate NVAs?

     

    If so, I will check the NVA's routing, security policies, and NAT configurations as you suggested.

     

    Screenshot 2024-11-27 at 13.28.36.png

    Terms & ConditionsAccessibility statement