How many protected subnets can I use with a Fortinet NGFW on Azure?
Hello All,
I see there are quite a few examples online on how to deploy a Fortigate in Azure, however these examples only seem to deploy a single protected subnet behind the Fortigate. I have a requirement to have quite a traditional multi-tier segmented network protected by the firewall (i.e. DMZ + APP Tier + DB Tier + Management + room for others as needed).
As I understand it, to protect additional subnets within the vNet that the Fortigate is deployed to, additional vNICs need to be added to the Fortigate and each new vNIC put into the subnet you want it to protect (and then the UDR rules set up on those subnets to route to the Fortigate).
Is this assumption correct (an additional vNIC on the Fortigate appliance per additional protected subnet)?
If so, then wouldn't one need to upgrade to an excessively large Virtual Machine size, e.g. Standard_DS4 (and then the corresponding Fortigate-VM-Azure license), just to get up to 8 vNICs and thus up to 8 protected back-end subnets?
Thanks for any help you can provide.
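The UDR half of the setup described in the question, as an added example that is not from the thread or from Fortinet: one Azure route table per protected tier, each pointing at the FortiGate's internal interface. Resource group, VNet, location, tier CIDRs and the FortiGate IP (10.0.1.4) are constructed placeholders; a UDR next hop only has to be an IP reachable inside the VNet with IP forwarding enabled on that NIC.

```shell
#!/bin/sh
# Added example, not code from the thread: builds one Azure route table (UDR) per protected tier
# and points it at the FortiGate's internal interface. Names, CIDRs and the IP are constructed.
RG="${RG:-rg-fgt-demo}"                          # assumed resource group
VNET="${VNET:-vnet-hub}"                         # assumed VNet holding the FortiGate and all tiers
LOCATION="${LOCATION:-westeurope}"
FGT_INTERNAL_IP="${FGT_INTERNAL_IP:-10.0.1.4}"   # FortiGate port2; IP forwarding must be enabled on its NIC
# name:cidr pairs for the tiers named in the question (constructed addressing)
TIERS="dmz:10.0.10.0/24 app:10.0.20.0/24 db:10.0.30.0/24 mgmt:10.0.40.0/24"

# run: execute an az command, or just print it when DRY_RUN=1 so the plan can be reviewed first
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# routes_for_tier NAME: create the tier's route table, add its routes, attach it to the subnet.
# A default route alone is not enough: Azure's built-in VNet system route would still deliver
# tier-to-tier traffic directly, bypassing the firewall, so every other tier gets an explicit
# route whose next hop is the FortiGate as well.
routes_for_tier() {
  name="$1"; rt="rt-${name}"
  run az network route-table create -g "$RG" -n "$rt" -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name "$rt" -n default \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FGT_INTERNAL_IP"
  for other in $TIERS; do
    oname="${other%%:*}"; ocidr="${other#*:}"
    [ "$oname" = "$name" ] && continue
    run az network route-table route create -g "$RG" --route-table-name "$rt" -n "to-${oname}" \
      --address-prefix "$ocidr" --next-hop-type VirtualAppliance --next-hop-ip-address "$FGT_INTERNAL_IP"
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "snet-${name}" --route-table "$rt"
}

# apply_all: process every tier listed in TIERS
apply_all() {
  for t in $TIERS; do routes_for_tier "${t%%:*}"; done
}

case "${1:-plan}" in
  plan)  DRY_RUN=1 apply_all ;;   # default: only print the az commands
  apply) apply_all ;;             # actually run them (needs an authenticated az CLI)
esac
```

Run it with `plan` first and check that each tier's table carries a route for every other tier; a tier that only has the 0.0.0.0/0 route still reaches its neighbours without passing the firewall.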
I emailed Fortinet with this same question, their response:
The best way to accomplish this would be to create an IPsec tunnel between the Azure gateway in each VNET and the FortiGate itself. In this way, each VNET could connect on a unique VPN port of the FortiGate, so you can configure routing and policies per interface and/or based on source/destination IP/network. The downside with this solution is that you will have to use a public IP or IPs to form the tunnels, and so, you will likely be charged for bandwidth as it traverses between the VNETs.
You could also configure the same using VNET to VNET connectivity. However, in order to send the traffic through the FortiGate, you will have to use a destination NAT configuration to get around limitations in Gateway Subnet routing.
I'm curious about this as well. Have you learned anything about this, David?
Hi Noah,
No breakthrough or update unfortunately. We actually abandoned deploying a Fortigate FW in Azure as the large VM cost + large VM08 license cost was disproportionately high for what it was trying to achieve (8 protected subnets, only medium throughput).
I've put through (for what it's worth, which is probably nil) a suggestion on the Azure forums for MS to charge for additional vNICs so that you don't have to scale up the instance size.
