FortiGate
subramanis
Article Id 353394
Description This article describes how to access a loopback interface on a Fortinet firewall in Azure from a different VNet and region.
Scope FortiGate.
Solution

Azure-loopback.png

Addressing used in the diagram:

Port1  ExternalSubnet  10.0.1.0/24
Port2  InternalSubnet  10.0.2.0/24
Port3  HASyncSubnet    10.0.3.0/24
Port4  HAMGMTSubnet    10.0.4.0/24

ProtectedSubnet  10.0.5.0/24
LoopbackSubnet   10.0.6.0/24

 

This guide provides steps and considerations for enabling access to a loopback interface on a Fortinet firewall deployed in Azure, from a separate VNet and region.

 

Scenario 1: Enabling Access to a Loopback Interface within the Same VNet.


In this scenario, the loopback interface (LoopbackSubnet) is configured on the firewall as a logical interface with no physical Network Interface Card (NIC) behind it. Because the prefix is not bound to any NIC, Azure has no route to the subnet associated with this loopback interface (for example, 10.0.6.1).

By default, subnets within the same VNet can communicate with each other without any explicit route configuration. However, to allow access to the loopback interface at IP 10.0.6.1 from ProtectedSubnet, a User-Defined Route (UDR) must be added. This UDR specifies the InternalLB at IP 10.0.2.4 as the next hop for traffic destined for the loopback subnet.

 

Scenario 2: Enabling Access to the Loopback Interface Across Different VNets.


To allow a user on WindowsPC in VNet2 to access the loopback interface, VNet peering is required, because separate VNets in Azure do not communicate without it. Establish VNet peering between VNet1 and VNet2 to enable traffic flow between them.
Additionally, create User-Defined Routes (UDRs) in Region-C that direct traffic for the loopback subnet to the InternalLB at IP 10.0.2.4 as the next hop.

 

Scenario 3: Standalone Fortinet VM Configuration without InternalLB.


In both scenarios above, if the Fortinet firewall is deployed as a standalone single VM (no InternalLB), configure the UDR with the Port2 IP address as the next hop instead.

 

For additional guidance on configuring VNet peering, refer to the Azure documentation on VNet Peering Configuration.

For additional guidance on configuring User-Defined Routes, refer to the Azure documentation on User-Defined Routes Configuration.


The following example walks through access to the loopback interface across different VNETs (Scenario 2):

Connecting two or more virtual networks in Azure is achieved with virtual network peering.
If the virtual networks are located in different Azure regions, global virtual network peering should be used.

Refer to the Virtual network peering Azure documentation for more details:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

 

Step 1: Create a loopback interface and allocate it a dedicated subnet within the address space of the FortiGate VNET.

config system interface
    edit "LoopBack"
        set vdom "root"
        set ip 10.0.6.1 255.255.255.0
        set allowaccess ping https ssh 
        set type loopback
        set role lan
    next
end

 

Step 2: Create the same subnet (LoopbackSubnet, 10.0.6.0/24) in the FortiGate VNET in Azure.

 

1.png

 

Note: Leave all other settings at their defaults.

 

Step 3: Create a Route Table for the other VNET, where the Host-VM (WindowsPC) is located.

 

2.png

 

From the left menu pane, navigate to 'Routes' and fill in all the required information as follows:

  • Route name: ToLoopback.
  • Destination type: IP Addresses.
  • Destination IP addresses/CIDR ranges: 10.0.6.0/24 (Subnet of the Loopback).
  • Next hop type: Virtual Appliance.
  • Next hop address: 10.0.2.4 (IP Address of the Internal Load-Balancer).

 

Step 4: Associate the created route table to the subnet where the Host-VM is located.

 

3.png

 

Step 5: To prevent asymmetric routing, create a static route on the FortiGate for the Host-VM subnet (172.16.0.0/24) pointing towards 'port2', so that return traffic leaves through the same interface on which it arrived. The gateway 10.0.2.1 is the Azure default gateway of InternalSubnet (10.0.2.0/24).

 

4.png

 

config router static
    edit 5
        set dst 172.16.0.0 255.255.255.0
        set gateway 10.0.2.1
        set device "port2"
    next
end

 

Step 6: Adjust the firewall policies to allow traffic from 'port2' to the loopback interface. The policy below permits all services from any source, which is convenient while testing; once connectivity is confirmed, restrict srcaddr and dstaddr to the Host-VM subnet and the loopback address, and service to the protocols actually required (for example ping, HTTPS and SSH as enabled with allowaccess in Step 1).

 

7.png

 

config firewall policy
    edit 10
        set name "From-Port2-To-LoopBack"
        set srcintf "port2"
        set dstintf "LoopBack"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

Step 7: Verify connectivity between the Host-VM and the loopback interface of the FortiGate.

 

8.png
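The Azure-side part of the procedure (Steps 2 to 4 and the VNet peering of Scenario 2) is shown above as portal screenshots; the block below is an added Az PowerShell equivalent, not code from the Fortinet article, and it finishes with the checks for Step 7. The addresses are the article's (10.0.6.0/24 LoopbackSubnet, 10.0.2.4 InternalLB, 172.16.0.0/24 Host-VM subnet); the resource group, VNet, subnet, route table, peering and NIC names are assumptions, as is the use of -AllowForwardedTraffic on the peerings.

```powershell
# Added example (not part of the Fortinet article): Az PowerShell equivalent of
# Steps 2-4 (subnet, route table/UDR, subnet association) plus the VNet peering
# required for Scenario 2, followed by the checks for Step 7.
# Addresses are the article's: 10.0.6.0/24 LoopbackSubnet, 10.0.2.4 InternalLB,
# 172.16.0.0/24 Host-VM subnet. All names below are assumptions; replace them
# with the names used in your deployment.
$rg1            = "rg-fortigate-vnet1"   # assumed: resource group of VNet1 (FortiGate)
$rg2            = "rg-hostvm-vnet2"      # assumed: resource group of VNet2 (WindowsPC)
$vnet1Name      = "VNet1"
$vnet2Name      = "VNet2"
$hostSubnetName = "HostSubnet"           # assumed: name of the 172.16.0.0/24 subnet
$hostNicName    = "windowspc-nic"        # assumed: NIC of the Host-VM

# Step 2: add LoopbackSubnet to the FortiGate VNet so that 10.0.6.0/24 becomes
# part of VNet1's address space and is reachable over the peering.
$vnet1 = Get-AzVirtualNetwork -Name $vnet1Name -ResourceGroupName $rg1
$vnet1 = Add-AzVirtualNetworkSubnetConfig -Name "LoopbackSubnet" -AddressPrefix "10.0.6.0/24" `
             -VirtualNetwork $vnet1 | Set-AzVirtualNetwork

# Step 3: route table in VNet2's region carrying the UDR from the article
# (10.0.6.0/24 -> Virtual Appliance 10.0.2.4, the InternalLB front end).
$vnet2 = Get-AzVirtualNetwork -Name $vnet2Name -ResourceGroupName $rg2
$toLoopback = New-AzRouteConfig -Name "ToLoopback" -AddressPrefix "10.0.6.0/24" `
                  -NextHopType "VirtualAppliance" -NextHopIpAddress "10.0.2.4"
$rt = New-AzRouteTable -Name "rt-ToLoopback" -ResourceGroupName $rg2 `
          -Location $vnet2.Location -Route $toLoopback

# Step 4: associate the route table with the subnet where the Host-VM lives.
$hostSubnet = Get-AzVirtualNetworkSubnetConfig -Name $hostSubnetName -VirtualNetwork $vnet2
$vnet2 = Set-AzVirtualNetworkSubnetConfig -Name $hostSubnetName -VirtualNetwork $vnet2 `
             -AddressPrefix $hostSubnet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork

# VNet peering in both directions; Azure creates a global peering when the two
# VNets are in different regions. -AllowForwardedTraffic is an assumption made
# because the FortiGate forwards packets between the peered VNets.
Add-AzVirtualNetworkPeering -Name "VNet1-to-VNet2" -VirtualNetwork $vnet1 `
    -RemoteVirtualNetworkId $vnet2.Id -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name "VNet2-to-VNet1" -VirtualNetwork $vnet2 `
    -RemoteVirtualNetworkId $vnet1.Id -AllowForwardedTraffic | Out-Null

# Step 7 (control plane): the effective routes of the Host-VM NIC must show
# 10.0.6.0/24 with NextHopType VirtualAppliance and NextHopIpAddress 10.0.2.4,
# and VNet1's address space reachable through the peering. The VM must be running.
Get-AzEffectiveRouteTable -NetworkInterfaceName $hostNicName -ResourceGroupName $rg2 |
    Where-Object { $_.AddressPrefix -contains "10.0.6.0/24" -or $_.NextHopType -like "VNet*Peering" } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize

# Step 7 (data plane), run on the WindowsPC itself: ICMP and HTTPS are permitted
# on the loopback by "set allowaccess ping https ssh" in Step 1.
Test-NetConnection -ComputerName 10.0.6.1 -InformationLevel Detailed
Test-NetConnection -ComputerName 10.0.6.1 -Port 443
```

If the effective route table shows 10.0.6.0/24 with a next hop of VirtualAppliance 10.0.2.4 but Test-NetConnection still fails, check the FortiGate side first: the static route of Step 5 (return path via port2) and the policy of Step 6 are the two places where the flow is most commonly dropped.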