We have a working Hub and Spoke setup over the Internet, and the Hub also has an ExpressRoute to Azure.
We don't want the branch users going via the ExpressRoute to Azure, as it's only for backup traffic from the DC.
So we want to add a Fortigate NVA in Azure for branch-to-Azure connectivity.
We have a couple of servers in Azure that the branches need access to, but the majority of the infra is in an on-prem DC. Traffic to Azure is not critical and does not need high priority.
For branch-to-Fortigate Azure connectivity, the way I see it, these are the options to deploy:

1. Setup ADVPN hub-2 on the Fortigate NVA in Azure.
2. Setup Site-to-Site from the DC HUB Fortigate to Azure and have the branches connect to Azure via the DC Fortigate. There would be some latency and bandwidth utilization, but at least the design is simple.
3. Setup Dial-Up IPsec on the Azure Fortigate and have the branches connect directly without ADVPN.
4. Configure the Azure Fortigate as a spoke in the existing ADVPN.

Could someone please advise which option would be the simplest and something that doesn't add a lot of overload and complexity to troubleshooting and operations?
Thanks.