subramanis
Staff
Article Id 353394
Description This article describes how to access a loopback interface on a Fortinet firewall in Azure from a different VNet and region.
Scope FortiGate.
Solution

[Figure: Azure-loopback.png, Azure topology diagram showing the firewall interfaces and subnets listed below]


Interface   Subnet            Address range
Port1       ExternalSubnet    10.0.1.0/24
Port2       InternalSubnet    10.0.2.0/24
Port3       HASyncSubnet      10.0.3.0/24
Port4       HAMGMTSubnet      10.0.4.0/24

(no NIC)    ProtectedSubnet   10.0.5.0/24
(loopback)  LoopbackSubnet    10.0.6.0/24


This guide provides steps and considerations for enabling access to a loopback interface on a Fortinet firewall deployed in Azure, from a separate VNet and region.


Scenario 1: Enabling Access to a Loopback Interface within the Same VNet.


In this scenario, the loopback interface (LoopbackSubnet) is configured on the firewall as a logical interface with no physical Network Interface Card (NIC) attached. Because no Azure NIC carries that address range, Azure has no route to the subnet behind the loopback interface (e.g., 10.0.6.1).

By default, subnets within the same VNet can communicate with each other without any explicit route configuration. However, to allow access to the loopback interface at IP 10.0.6.1 from ProtectedSubnet, it is necessary to add a User-Defined Route (UDR) for the loopback subnet. This UDR should specify the InternalLB at IP 10.0.2.4 as the next hop (gateway) for traffic destined for the loopback subnet, so that the traffic is delivered to the firewall.


Scenario 2: Enabling Access to the Loopback Interface Across Different VNets.


To allow a user on WindowsPC in VNet2 to access the loopback interface, VNet peering is required. This is because VNets in Azure do not communicate by default without such configuration. Establish VNet peering between VNet1 and VNet2 to enable traffic flow between these VNets.
Additionally, create User-Defined Routes (UDRs) in Region-C, directing traffic to the InternalLB at IP 10.0.2.4 to serve as the gateway.


Scenario 3: Standalone Fortinet VM Configuration without InternalLB.


In both scenarios above, if the Fortinet firewall is deployed as a standalone single VM (no InternalLB), configure the UDR to use the Port2 IP address of the firewall as the next hop (gateway) instead of the InternalLB IP.
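The three scenarios above as one Azure CLI script (an added example, not part of the Fortinet article): it creates the UDR for 10.0.6.0/24 with the InternalLB 10.0.2.4 as next hop (or the Port2 address for a standalone VM), peers VNet1 and VNet2 in both directions, and applies the same route in VNet2. The resource group, route table, subnet and region names and the Port2 address 10.0.2.5 are assumptions; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not Fortinet's or Azure's own script. Assumed names: rg-fgt,
# rt-protected, rt-vnet2, WindowsSubnet, REGION_A/REGION_C, Port2 IP 10.0.2.5.
set -eu

RG="${RG:-rg-fgt}"              # assumed resource group holding both VNets
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the az commands, 0 = run them
INTERNAL_LB_IP="10.0.2.4"       # from the article: InternalLB frontend IP
LOOPBACK_PREFIX="10.0.6.0/24"   # from the article: LoopbackSubnet
PORT2_IP="${PORT2_IP:-10.0.2.5}" # assumed: Port2 address of a standalone FortiGate
REGION_A="${REGION_A:-eastus}"  # assumed region of VNet1
REGION_C="${REGION_C:-westus}"  # assumed Region-C of VNet2

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Scenario 3 rule: HA pair behind an InternalLB -> LB IP; standalone VM -> Port2 IP.
udr_next_hop() {
  case "$1" in
    ha) echo "$INTERNAL_LB_IP" ;;
    standalone) echo "$PORT2_IP" ;;
    *) echo "unknown deployment type: $1" >&2; return 1 ;;
  esac
}

# Scenario 1: route the given subnet's traffic for 10.0.6.0/24 to the firewall.
create_loopback_udr() {
  rt="$1"; vnet="$2"; subnet="$3"; region="$4"; mode="$5"
  hop="$(udr_next_hop "$mode")"
  run az network route-table create -g "$RG" -n "$rt" -l "$region"
  run az network route-table route create -g "$RG" --route-table-name "$rt" \
      -n to-loopback --address-prefix "$LOOPBACK_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$hop"
  run az network vnet subnet update -g "$RG" --vnet-name "$vnet" -n "$subnet" \
      --route-table "$rt"
}

# Scenario 2: peer the VNets both ways. --allow-forwarded-traffic is needed so
# packets forwarded by the firewall (a source IP not in the peered VNet) are accepted.
peer_vnets() {
  a="$1"; b="$2"
  run az network vnet peering create -g "$RG" -n "$a-to-$b" --vnet-name "$a" \
      --remote-vnet "$b" --allow-vnet-access --allow-forwarded-traffic
  run az network vnet peering create -g "$RG" -n "$b-to-$a" --vnet-name "$b" \
      --remote-vnet "$a" --allow-vnet-access --allow-forwarded-traffic
}

create_loopback_udr rt-protected VNet1 ProtectedSubnet "$REGION_A" ha
peer_vnets VNet1 VNet2
create_loopback_udr rt-vnet2 VNet2 WindowsSubnet "$REGION_C" ha
```

If the two VNets live in different resource groups, pass the full resource ID of the remote VNet to --remote-vnet instead of its name.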


For additional guidance on configuring VNet peering, refer to the Azure documentation on VNet Peering Configuration.

For additional guidance on configuring User-Defined Routes, refer to the Azure documentation on User-Defined Routes Configuration.