
Azure virtual network terminal access point (TAP) provides the capability to encapsulate and mirror traffic to a network interface of an appliance or a load balancer fronting an appliance. For workloads deployed in Azure, where traffic inspection via a stateful device like an NGFW (Next-Generation Firewall) isn’t in place or isn’t feasible, leveraging the virtual network TAP solution provides visibility into network traffic without the need to rearchitect or reroute production traffic.
Leveraging virtual network TAP with FortiGate VM enables the following use cases:
[Figure: High-Level Architecture Diagram for a 3-Tier Web App Leveraging virtual network TAP]
This article explains how to integrate virtual network TAP with FortiGate to provide IDS functionality for workloads hosted in Azure.
FortiGate Integration with virtual network TAP
In this setup, we will create a virtual network TAP instance and leverage a pair of Ubuntu VMs acting as client and server. This setup simulates a workload sending its network traffic to a FortiGate instance hosted in the same region, fronted by an internal load balancer. The FortiGate instance will perform IDS on this traffic and evaluate it against the security profiles configured.
Note: virtual network TAP can also send mirrored traffic directly to the virtual network interface (NIC) of an appliance. This is an option when a single FortiGate instance is deployed. When FortiGate is deployed as a cluster, it is recommended to send the traffic to an Internal Load Balancer (ILB) fronting the cluster; the ILB approach also works with a single FortiGate instance.
Virtual network TAP and VXLAN
Virtual network TAP uses VXLAN to tunnel the mirrored traffic from the source NIC to the configured destination, tagging it with VXLAN Network Identifier (VNI) 27. The FortiGate VM is therefore configured as a VXLAN endpoint so that it can decapsulate this traffic.
Prerequisites:
Setup:
config system vxlan
    edit "vxlan1"
        set interface "port2"
        set vni 27
        set remote-ip "172.16.20.69" "172.16.20.70"
    next
end
Interface: the port on the FortiGate VM to which the ILB forwards the mirrored traffic.
Remote IP: the IP addresses of the Ubuntu VMs that are configured as sources in the virtual network TAP.
From the GUI, navigate to Network > Interfaces > VXLAN1, and configure it as needed.
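To make the VXLAN configuration above concrete, the following Python script is an added example (not from the article or from Fortinet) that decapsulates a mirrored packet using the same acceptance rules the vxlan1 interface applies: outer UDP destination port 4789, VNI 27, and an outer source address that is one of the configured remote-ip peers. Only VNI 27 and the two remote IPs come from the article; the sample packet, its MAC addresses, the inner addresses 10.0.1.4 and 10.0.2.4, and the outer destination 172.16.20.10 are constructed placeholders. It is useful for checking, from a packet capture on the FortiGate's port2, that the TAP is delivering traffic with the VNI the interface expects.

```python
import ipaddress
import struct

# Values taken from the article's FortiGate "config system vxlan" block.
EXPECTED_VNI = 27
TAP_SOURCE_IPS = {"172.16.20.69", "172.16.20.70"}  # the remote-ip list
VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08      # "I" flag: VNI field is valid
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


def parse_outer_ipv4_udp(pkt: bytes):
    """Parse the outer IPv4 + UDP headers; return (src_ip, dst_ip, dst_port, udp_payload)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    src_ip = str(ipaddress.IPv4Address(pkt[12:16]))
    dst_ip = str(ipaddress.IPv4Address(pkt[16:20]))
    _sport, dst_port, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src_ip, dst_ip, dst_port, pkt[ihl + 8:ihl + udp_len]


def parse_vxlan(payload: bytes):
    """Decode the 8-byte VXLAN header; return (vni, inner_ethernet_frame)."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI field is invalid")
    vni = int.from_bytes(payload[4:7], "big")   # 24-bit VNI, then one reserved byte
    return vni, payload[8:]


def parse_inner_frame(frame: bytes):
    """Return (src_mac, dst_mac, src_ip, dst_ip) of the mirrored Ethernet/IPv4 frame."""
    dst_mac = frame[0:6].hex(":")
    src_mac = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not IPv4")
    ip = frame[14:]
    return (src_mac, dst_mac,
            str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])))


def accept_mirrored_packet(pkt: bytes):
    """Mimic the vxlan1 interface's acceptance rules: UDP/4789, VNI 27 and a
    known remote-ip peer. Returns a dict describing the inner packet, else None."""
    src_ip, _dst_ip, dst_port, payload = parse_outer_ipv4_udp(pkt)
    if dst_port != VXLAN_UDP_PORT or src_ip not in TAP_SOURCE_IPS:
        return None
    vni, inner = parse_vxlan(payload)
    if vni != EXPECTED_VNI:
        return None
    src_mac, dst_mac, in_src, in_dst = parse_inner_frame(inner)
    return {"tap_source": src_ip, "vni": vni, "src_mac": src_mac,
            "dst_mac": dst_mac, "inner_src": in_src, "inner_dst": in_dst}


def build_vxlan_packet(outer_src, outer_dst, vni, inner_src, inner_dst) -> bytes:
    """Construct a VXLAN-encapsulated test packet (constructed sample, not a real capture)."""
    def ipv4_header(proto, src, dst, total_len):
        return (bytes([0x45, 0]) + struct.pack("!H", total_len) + b"\x00" * 4
                + bytes([64, proto, 0, 0])
                + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)
    inner_ip = ipv4_header(6, inner_src, inner_dst, 20)          # bare TCP/IP header
    inner_frame = (bytes.fromhex("0a0000000001")                 # dst MAC (constructed)
                   + bytes.fromhex("0a0000000002")               # src MAC (constructed)
                   + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip)
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    return ipv4_header(IPPROTO_UDP, outer_src, outer_dst, 20 + len(udp)) + udp


if __name__ == "__main__":
    good = build_vxlan_packet("172.16.20.69", "172.16.20.10", 27, "10.0.1.4", "10.0.2.4")
    print("accepted:", accept_mirrored_packet(good))
    bad_vni = build_vxlan_packet("172.16.20.70", "172.16.20.10", 28, "10.0.1.4", "10.0.2.4")
    print("wrong VNI:", accept_mirrored_packet(bad_vni))
```

The script only reproduces the decapsulation and peer/VNI filtering; the IPS inspection itself is done by the FortiGate security profiles bound to the sniffer interface. A packet arriving with a different VNI or from an address outside the remote-ip list is silently ignored, which is the usual reason mirrored traffic "disappears" when the TAP and FortiGate configurations drift apart.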
Note: The security profiles can be customized per your requirements. More details are available in the FortiGate One-Arm Sniffer documentation.
Make sure probe response is enabled on the FortiGate VM interface that receives health checks from the Azure Load Balancer, and that a static route is configured so the FortiGate can answer those health checks. Additionally, ensure that routing is in place for the FortiGate VM to reach the source VMs.
Conclusion
This integration between Fortinet and Microsoft delivers network visibility for workloads hosted in Azure by mirroring the traffic to the FortiGate VM, which can monitor and alert on suspicious traffic based on the configured security profiles.
In conclusion, this article provides useful information for those seeking to understand and leverage Fortinet's solutions in Azure. These insights, tips, and best practices offer a foundation for testing and familiarizing oneself with the capabilities of Fortinet's products. It is essential to emphasize that the guidance shared here is intended exclusively for lab and testing purposes. For deploying these solutions in a production environment, or implementing advanced configurations tailored to the unique needs of your organization, it is strongly recommended to reach out to Fortinet's Cloud Consulting Services team at consulting@fortinet.com.
Fortinet’s Cloud Consulting experts bring extensive experience and expertise to ensure that cloud security solutions are deployed securely, optimized for peak performance, and configured for maximum efficiency.
Copyright 2025 Fortinet, Inc. All Rights Reserved.