Skip to main content
FortiDave
FortiDave
Explorer
May 14, 2022
Question

Redundant Fortigate-Azure VPN

  • May 14, 2022
  • 3 replies
  • 4053 views

Hi,

Could I get some advice on how I could setup a redundant VPN between FGT and Azure.

 

I have two completely seperate active-active DCs, with FGT HA clusters in each, and would like one Azure VPN active to say DC1, and if that connection goes down, auto failover to DC2. 

 

I assume this is possible, but in terms of the failover mechanism, is most of the configuration on the Azure side?  Or FGT also?

 

I know when building Azure VPNs, it automathically creates a second tunnell. Im wondering is that what I should use for the standby tunnell, and have Azure failover when it identifies a drop in connection?

 

I was thinking, because this is an active-active DC environment, would a more prudent option be to have two separate and active VPNs into Azure?

 

Im not completely sure if we might have routing issues when the backup VPN automathically comes online through DC2, or how that might look from the FGT side of things.

 

Note, theres no connection between the DC1 and DC2 FGT HA clusters.

 

Any thoughts very welcome!

D

3 replies

vponmuniraj
Staff
vponmuniraj
Staff
May 15, 2022

Hi,

 

You can use BGP to advertise the FGT segments and that should failover the traffic automatically. 

 

Ensure that DC1 is preferred over DC2. 

 

 

Regards,

FortiDave
FortiDaveAuthor
Explorer
May 15, 2022

Thanks. At this point, I dont believe we have the availability to use BGP.

Is it possible to manage this using FGT / Azure configuration?

FortiDave
FortiDaveAuthor
Explorer
May 16, 2022
Also, I know on the Fortigates, we could deploy two route-based VPNs on each cluster, and have the backup tunnel set with a lower AD. Would that be another possible option?
vponmuniraj
Staff
vponmuniraj
Staff
May 23, 2022

Hi,

 

Yes, but that does not control the traffic routing from Azure side. The return traffic can be sent to any cluster the Azure route lookup selects. 

 

 

Regards,

FortiDave
FortiDaveAuthor
Explorer
May 23, 2022

The following Microsoft doc outlines exactly what I want to acheive. 

 

Screenshot 2022-05-23 at 09.19.10.png

In terms of the "BGP Failover" piece. Is that something both on Fortigates and Azure VPN Gateway?
Im not too familiar with BGP deployments, so just trying to get it clear in my head technically what exactly is required here. 

I assume the Fortigates would also need to resdistribute routes to the internal network when one of the tunnels go down?

Terms & ConditionsAccessibility statement