Cybersecurity Forum


DaviRiec
New Contributor

How many protected subnets can I use with a Fortinet NGFW on Azure?

Hello All,

I see there are quite a few examples online on how to deploy a FortiGate in Azure; however, these examples only seem to deploy a single protected subnet behind the FortiGate. I have a requirement to have quite a traditional multi-tier segmented network protected by the firewall (i.e. DMZ + APP tier + DB tier + Management + room for others as needed).

As I understand it, to protect additional subnets within the vNet that the FortiGate is deployed to, additional vNICs need to be added to the FortiGate and each new vNIC put into the subnet you want it to protect (and then the UDR rules set up on those subnets to route to the FortiGate).

Is this assumption correct (an additional vNIC on the FortiGate appliance per additional protected subnet)?

If so, then wouldn't one need to upgrade to an excessively large virtual machine size, e.g. Standard_DS4 (and then the corresponding FortiGate-VM-Azure license), just to get up to 8 vNICs and thus up to 8 protected back-end subnets?

Thanks for any help you can provide.
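The UDR piece of the setup the question describes, as an added example that is not part of the thread or of any Fortinet material: an Azure CLI script that gives each protected tier a route table whose default route points at the FortiGate's internal NIC, and enables IP forwarding on that NIC (without it, Azure drops the forwarded packets). Azure delivers a VirtualAppliance next hop to any private IP reachable in the VNET, so every tier's route table can point at the same internal NIC; the script assumes that layout. Resource group, region, VNET, NIC name, the FortiGate's private IP and the tier names are constructed placeholders; `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): route each protected tier through the
# FortiGate's internal NIC with user-defined routes (UDRs) via the Azure CLI.
set -euo pipefail

RG="rg-hub"                          # assumed resource group
LOCATION="westeurope"                # assumed region
VNET="vnet-protected"                # assumed VNET holding the FortiGate and all tiers
FGT_NIC="fgt-nic-internal"           # assumed name of the FortiGate's internal NIC
FGT_INTERNAL_IP="10.0.1.4"           # assumed private IP of that NIC (the UDR next hop)
PROTECTED_SUBNETS="dmz app db mgmt"  # the tiers to place behind the firewall
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the az commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The FortiGate NIC must accept packets not addressed to itself; otherwise
# traffic sent to it as a next hop is silently discarded by the fabric.
enable_nva_forwarding() {
  run az network nic update -g "$RG" -n "$FGT_NIC" --ip-forwarding true
}

# One route table per tier with 0.0.0.0/0 -> FortiGate, so tier-to-tier and
# outbound traffic is inspected instead of being delivered directly by the VNET.
udr_for_subnet() {
  local subnet="$1"
  local rt="rt-${subnet}"
  run az network route-table create -g "$RG" -n "$rt" -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name "$rt" \
      -n default-via-fortigate --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FGT_INTERNAL_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$subnet" \
      --route-table "$rt"
}

# Number of az calls in the change plan: three per tier plus the one-time
# IP-forwarding update. Handy for reviewing the plan before DRY_RUN=0.
planned_call_count() {
  local n=0
  for _ in $PROTECTED_SUBNETS; do n=$((n + 3)); done
  echo $((n + 1))
}

apply_all() {
  enable_nva_forwarding
  for s in $PROTECTED_SUBNETS; do
    udr_for_subnet "$s"
  done
}

apply_all
```

Review the printed plan first; the route tables only steer traffic to the firewall, so the FortiGate still needs interface-pair policies (and logging) between the tiers for the segmentation to mean anything.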

1 Solution
wipash
New Contributor

I emailed Fortinet with this same question, their response:

The best way to accomplish this would be to create an IPsec tunnel between the Azure gateway in each VNET and the FortiGate itself. In this way, each VNET could connect on a unique VPN port of the FortiGate, so you can configure routing and policies per interface and/or based on source/destination IP/network. The downside with this solution is that you will have to use a public IP or IPs to form the tunnels, and so you will likely be charged for bandwidth as it traverses between the VNETs.

You could also configure the same using VNET to VNET connectivity. However, in order to send the traffic through the FortiGate, you will have to use a destination NAT configuration to get around limitations in Gateway Subnet routing.


3 REPLIES
NoahBaie
New Contributor

I'm curious about this as well. Have you learned anything about this, David?

DaviRiec

Hi Noah,

No breakthrough or update, unfortunately. We actually abandoned deploying a FortiGate FW in Azure as the large VM cost + large VM08 license cost was disproportionately high for what it was trying to achieve (8 protected subnets, only medium throughput).

I've put through (for what it's worth, which is probably nil) a suggestion on the Azure forums for MS to charge for additional vNICs so that you don't have to scale up the instance size.

