| Description | This article explains how to prevent east-west traffic from being routed through external interfaces on Fortinet in Azure Virtual WAN (VWAN) |
| Scope | Fortinet. |
| Solution |
In Azure Virtual WAN (VWAN), VNets 192.168.0.0/24 and 192.168.1.0/24 are attached. In some deployments, the following issues may arise:
However, as per the intended architecture, the attached VNets should be connected to an Internal Load Balancer (ILB), ensuring that east-west VNet-to-VNet traffic does not route through the External Load Balancer (ELB).
The Azure External Load Balancer incorrectly attempts to route east-west traffic through Port1 (external). Since this traffic should never be routed externally, this behavior leads to an unintended routing scenario.
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https probe-response ftm
set type physical
set snmp-index 1
set dns-server-override disable
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh probe-response ftm
set type physical
set snmp-index 2
set defaultgw disable
set dns-server-override disable
next
To prevent east-west traffic from being routed through the External Load Balancer (ELB), disable probe-response on Port1:
config system interface
edit "port1"
set allowaccess ping https ftm
next
end
Without probe-response on Port1, Fortinet will not respond to Azure Load Balancer health checks.
As a result, the External Load Balancer (ELB) will consider the Fortinet instances down and will not send traffic towards them.
This effectively ensures that east-west traffic remains within the Internal Load Balancer (ILB) and does not route externally.
This issue stems from Microsoft Azure's Load Balancer handling of health probes, which incorrectly influences routing decisions.
While the root cause lies with Microsoft, the recommended workaround effectively mitigates the issue by ensuring that Fortinet instances do not respond to external health probes on Port1, preventing unintended traffic routing.
|
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Customer Service
Customer Service Information and Announcements
- Fortinet Community
- Knowledge Base
- Customer Service
- Technical Tip: Azure East-West Traffic Routing Ove...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.