Description
This article describes how to build redundant VPN tunnels from an on-premises FortiGate to an Azure VNET.
Scope
Any supported version of FortiGate, Microsoft Azure.
Solution
Prerequisites:
- A VNET created inside an Azure Resource Group. If one has not already been made, follow the instructions in the Microsoft documentation to create one:
https://learn.microsoft.com/en-us/azure/virtual-network/quick-create-portal
- Instances deployed inside a subnet in the VNET. If not already done, follow the instructions in the Microsoft documentation to create them:
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal
Steps
1) Log into the Azure portal and navigate to [Resource Group Name] -> [VNET Name] -> Subnets -> Add Gateway Subnets.
In the pop-up that appears, select Save. (Adjust the subnet address block as needed.)
2) The next step is to create a Virtual network gateway. Navigate to the Virtual network gateways section and select Create.
Select VPN as the Gateway type and specify Route as the VPN type. Choose the SKU according to requirements (prices vary) and select the VNET created above. For the two redundant tunnels (tunnel-A and tunnel-B), either create a new public IP address for each or use previously allocated dedicated public IP addresses.
The routing options are at the bottom of the form:
Scenario 1: BGP.
If this option is chosen, Azure configures BGP on the gateway automatically. Change the AS number as required.
Follow the steps in this knowledge base article to set up BGP on the tunnel interface in FortiGate.
Scenario 2: Static.
If this option is chosen, static routing needs to be configured on the FortiGate, and a static route to the FortiGate's local subnet must be added in the Azure VNET. This is done in the VNET's route table.
Then select Review + create to deploy the gateway.
3) Create a local network gateway, which holds the on-premises FortiGate's information. Navigate to Local network gateways and select Create.
Provide a name and use the same resource group as above. Fill in the IP address field with the public IP address of the FortiGate. In the Address spaces section, enter the FortiGate LAN subnets that will be the phase 2 selectors.
In the Advanced section, configure BGP with the FortiGate's AS number and BGP peer IP address as required.
Next, select Create.
4) Navigate back to the Virtual network gateway created in step 2. Open the Connections section and select Add.
Provide a Name and select 'Site-to-site' as the Connection type. Choose the local network gateway created in step 3 and enter a PSK (pre-shared key); the same PSK must be configured on the FortiGate. Select the IKE version according to requirements, and choose BGP or private IP address as the routing type, matching what was configured in steps 2 and 3.
Select OK to complete the setup.
5) Obtain the two public IP addresses from the 'Configuration' section of the virtual network gateway; these are the remote gateway addresses for tunnel-A and tunnel-B on the FortiGate.
Lastly, complete the IPsec VPN configuration on the FortiGate. Refer to the following documents:
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-IPSEC-Tunnel-using-single-WAN-co....
- https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-....
To choose IKE/IPsec encryption and authentication algorithms that the Azure gateway accepts, follow the steps in the following Microsoft articles:
- Cryptographic requirements for VPN gateways - Azure VPN Gateway | Microsoft Learn
- About VPN devices for connections - Azure VPN Gateway | Microsoft Learn
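For Scenario 1 (BGP), the part that differs from a single tunnel is that the local network gateway in step 3 accepts only one BGP peer IP for the FortiGate, while the Azure gateway has two peers, one per tunnel. The FortiOS CLI fragment below is an added example, not part of this article or of the linked Fortinet documents; it assumes the tunnel interfaces "azure-a" and "azure-b" already exist (built from the linked tips, with remote-gw set to the two public IPs from step 5) and uses constructed values: 10.10.254.1 as the FortiGate BGP peer IP (the address entered in step 3), 10.10.255.254 and 10.10.255.253 as the Azure gateway's BGP peer IPs, 65515 as the Azure ASN (its default), 65010 as the FortiGate ASN, and 192.168.10.0/24 as the on-premises LAN.

```fortios
# Added example (not from this article or the linked Fortinet documents).
# Assumes tunnel interfaces "azure-a" and "azure-b" already exist, with
# remote-gw set to the two public IPs from step 5. Constructed values:
# 10.10.254.1 = FortiGate BGP peer IP (entered as the BGP peer IP in step 3),
# 10.10.255.254/.253 = Azure gateway BGP peer IPs, 65515 = Azure ASN (default),
# 65010 = FortiGate ASN, 192.168.10.0/24 = on-premises LAN.
config system interface
    edit "bgp-lo"
        set type loopback
        set ip 10.10.254.1 255.255.255.255
    next
end
# Host routes so each Azure BGP peer is reached over its own tunnel; if one
# tunnel goes down, its route becomes inactive and only that session drops.
config router static
    edit 1
        set dst 10.10.255.254 255.255.255.255
        set device "azure-a"
    next
    edit 2
        set dst 10.10.255.253 255.255.255.255
        set device "azure-b"
    next
end
config router bgp
    set as 65010
    set router-id 10.10.254.1
    # Install prefixes learned from both Azure peers for ECMP across tunnels.
    set ebgp-multipath enable
    config neighbor
        edit "10.10.255.254"
            set remote-as 65515
            set update-source "bgp-lo"
            set ebgp-enforce-multihop enable
        next
        edit "10.10.255.253"
            set remote-as 65515
            set update-source "bgp-lo"
            set ebgp-enforce-multihop enable
        next
    end
    # Advertise the on-premises LAN to Azure.
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end
```

Firewall policies between the two tunnel interfaces and the LAN are still required for data traffic and are not shown here.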
Copyright 2025 Fortinet, Inc. All Rights Reserved.