Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate Azure Discussions & Onboarding Information
- Fortinet Community
- Community Groups
- FortiGate-VM on Azure
- Discussions & Onboarding Information
- Re: Simultaneous VPN termination to Azure FortiGat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simultaneous VPN termination to Azure FortiGate VM - GLB and ILB
Hello,
We have an HA pair of FortiGate VM04s in our Azure development environment that we are using to test for a redesign. The FortiGates were built with the "ELB/ILB Sandwich", as Azure/Fortinet documentation outlines. We also have a GLB placed in front of the ELB, in order to gain the flexibility a global IP provides. The backend IP of the GLB is the single ELB public IP.
We have tested the following successfully:
- We can terminate an IPSec VPN to the ELB, directly connected to the two outside FortiGate vNICs
- We can terminate an IPSec VPN to the GLB
However, we have not been able to successfully terminate separate VPN tunnels to the GLB and ELB simultaneously. The ability to do so would greatly ease our cutover process, as we currently have a standalone FortiGate-VM in production with a regional IP and dozens of vendor IPSec tunnels terminating to it. If we can prove that it's possible to terminate to the GLB and ELB simultaneously, we can slide our production regional IP over to the prepped ELB + HA stack, and slowly move tunnels over to the GLB, vendor meeting by vendor meeting.
All of this to say, has anybody built a similar setup before? Particularly in regard to simultaneous VPN terminations to a GLB and ELB, upstream from the same FortiGate stack? We'd love to know if it's feasible before we sink any additional hours/days into troubleshooting.
Thank you in advance!
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate-VM
-
IPsec
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My colleague ended up working out a clever solution.
A second public facing regional IP was spun up and applied to the ELB. Load balancing rules were applied using that front-end IP and the same backend IPs (the outside vNICs of the HA pair), allowing UDP 500 and 4500 for IPSec.
An additional requirement of this config is the use of loopback interfaces on the FGT representing the public IPs of the GLB, and both public IPs of the ELB. We then turn on the floating IP option in the Azure load balancing rule.
The backend pool (both inside vNICs of the HA pair) remains unchanged.
We can now terminate VPN A to the GLB global IP, as well as VPN B to the new regional ELB IP, simultaneously.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My colleague ended up working out a clever solution.
A second public facing regional IP was spun up and applied to the ELB. Load balancing rules were applied using that front-end IP and the same backend IPs (the outside vNICs of the HA pair), allowing UDP 500 and 4500 for IPSec.
An additional requirement of this config is the use of loopback interfaces on the FGT representing the public IPs of the GLB, and both public IPs of the ELB. We then turn on the floating IP option in the Azure load balancing rule.
The backend pool (both inside vNICs of the HA pair) remains unchanged.
We can now terminate VPN A to the GLB global IP, as well as VPN B to the new regional ELB IP, simultaneously.
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiGate
7 -
Azure
5 -
Microsoft Azure
3 -
SAML
2 -
Migration
1 -
SDN connector
1 -
FortiGate VM
1 -
marketplace
1 -
FortiGate 7.2 and above
1 -
Azure vWAN
1 -
SDN
1 -
MFA
1 -
IPsec
1 -
SSO
1 -
HA
1 -
Authentication
1 -
SSL-VPN
1 -
FortiGateCloud
1 -
FortiGate-VM
1 -
FortiManager
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.