Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate Azure Discussions & Onboarding Information
- Fortinet Community
- Community Groups
- FortiGate-VM on Azure
- Discussions & Onboarding Information
- Adding a Fortigate NVA in Azure as a spoke to an e...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding a Fortigate NVA in Azure as a spoke to an existing Hub and Spoke setup
We have a working Hub and Spoke setup over the Internet and the Hub also has an express route to Azure.
We dont want the branch users going via the EXPRESSROUTE to Azure as its only for backup traffic from DC.
So we want to add a Fortigate NVA in Azure for branch to Azure connectivity.
We have a couple of servers in Azure that the branches need access to but majority of the infra in an on-prem DC. Traffic to Azure is not critical or needs high priority.
For branches to Fortigate Azure connectivity. The way I see it, these are the options to deploy.
Setup ADVPN hub -2 on the Fortigate NVA in Azure.
2 . Setup Site to Site from DC HUB Fortigate to Azure and have the branches connect to Azure via the DC Fortigate. There would be some latency and bandwidth utilization but at least the design is simple.
3. Setup Dial UP Ipsec on Azure Fortigate and have the branches connect directly without ADVPN.
4. Configure the Azure Fortigate as a spoke in existing ADVPN.
Could someone please advice which option would be the simplest and something that doesnt a lot of overload and complexity to troubleshooting and operations.
Thanks.
Labels:
- Labels:
-
Azure
-
FortiGate
-
FortiGate VM
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@austinmas1987 crypto signals wrote:We have a working Hub and Spoke setup over the Internet and the Hub also has an express route to Azure.
We dont want the branch users going via the EXPRESSROUTE to Azure as its only for backup traffic from DC.
So we want to add a Fortigate NVA in Azure for branch to Azure connectivity.
We have a couple of servers in Azure that the branches need access to but majority of the infra in an on-prem DC. Traffic to Azure is not critical or needs high priority.
For branches to Fortigate Azure connectivity. The way I see it, these are the options to deploy.
Setup ADVPN hub -2 on the Fortigate NVA in Azure.
2 . Setup Site to Site from DC HUB Fortigate to Azure and have the branches connect to Azure via the DC Fortigate. There would be some latency and bandwidth utilization but at least the design is simple.
3. Setup Dial UP Ipsec on Azure Fortigate and have the branches connect directly without ADVPN.
4. Configure the Azure Fortigate as a spoke in existing ADVPN.
Could someone please advice which option would be the simplest and something that doesnt a lot of overload and complexity to troubleshooting and operations.
Thanks.
Option 3 setting up Dial-Up IPsec VPN on the Azure FortiGate and letting branches connect directly is the simplest and most operationally efficient choice if traffic to Azure isn’t critical. It avoids extra ADVPN complexity and keeps troubleshooting lightweight.
Just like a bull put spread in trading where you're managing risk and reward in a defined range we’re trying to achieve a balance between simplicity, control, and operational efficiency in our network design
buy facebook likes AustraliaBest Crypto Signals
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@austinmas1987 hsrp wrote:We have a working Hub and Spoke setup over the Internet and the Hub also has an express route to Azure.
We dont want the branch users going via the EXPRESSROUTE to Azure as its only for backup traffic from DC.
So we want to add a Fortigate NVA in Azure for branch to Azure connectivity.
We have a couple of servers in Azure that the branches need access to but majority of the infra in an on-prem DC. Traffic to Azure is not critical or needs high priority.
For branches to Fortigate Azure connectivity. The way I see it, these are the options to deploy.
Setup ADVPN hub -2 on the Fortigate NVA in Azure.
2 . Setup Site to Site from DC HUB Fortigate to Azure and have the branches connect to Azure via the DC Fortigate. There would be some latency and bandwidth utilization but at least the design is simple.
3. Setup Dial UP Ipsec on Azure Fortigate and have the branches connect directly without ADVPN.
4. Configure the Azure Fortigate as a spoke in existing ADVPN.
Could someone please advice which option would be the simplest and something that doesnt a lot of overload and complexity to troubleshooting and operations.
Thanks.
(Dial-up IPsec on Azure Fortigate) is likely the simplest and avoids adding ADVPN complexity. It allows direct branch-to-Azure connectivity without routing through the DC or modifying existing ADVPN setups.
paybyplatesrd sassa change phone number
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiGate
7 -
Azure
5 -
Microsoft Azure
3 -
SAML
2 -
SDN connector
1 -
FortiGate VM
1 -
marketplace
1 -
FortiGate 7.2 and above
1 -
Azure vWAN
1 -
SDN
1 -
MFA
1 -
Migration
1 -
SSO
1 -
HA
1 -
Authentication
1 -
SSL-VPN
1 -
FortiGateCloud
1 -
FortiManager
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.