Advice on FortiGate NAT configuration for Azure Virtual Desktop
Overview/Scenario
1. I have a use case for configuring NAT wherein an isolated Azure Virtual Desktop session host will traverse a NEW public IP address assigned to my FortiGate Azure NGFW virtual machine's WAN interface.
2. Any IPs requiring egress traffic outbound will use central SNAT in a one-to-one mapping for all IP addresses within my AVD subnet range: `192.168.235.0/24`
Questions:
1. Could you please critique my implementation logic below? Relatively new to FortiGate, so please excuse the basic questions. I sourced FGT docs on [central SNAT](https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/421028/central-snat)
2. As the new Azure public ip is assigned to the WAN interface of my FGT device, would DNAT be required? Not sure how FGT would route traffic from the new public IP inbound to my AVD subnet. However, there is currently no requirement to translate destination addresses to specific services within the isolated AVD subnet
Proposed Azure deployment steps
1. Within VNet: `zct-NE-Prod-AVD-Vnet01`, create a new subnet `AVD-Isolated_Synapse`
> Subnet CIDR: 192.168.235.0/24
> Subnet NSG association: zct-NE-Prod-AVD-Vnet01-nsg
> Subnet RT association: zct-NE-Prod-AVD-Vnet01-rt
2. New FGT isolated subnet public ip (PIP)
> Create a public Standard SKU, zone-redundant IP, labelled: `AVD-Isolated-synapse-nat-pip`
3. Assign new PIP to ip configuration of FGT primary NIC interface: `zct-NE-NVA-FGT-A-Nic1`
> Navigation: `zct-NE-NVA-FGT-A-Nic1` > ip configurations > add
```
Name = AVD-Isolated-synapse-nat-pip
Private IP address settings = Static ( 192.168.3.8)
Associate public IP address = `AVD-Isolated-synapse-nat-pip`
```
> Log the private ip associated to the public ip address linked to the public interface ( 192.168.3.8)
Proposed FortiGate deployment steps
1. Create an address group and assign the private ip address associated to public ip: `AVD-Isolated-Snet-NAT-pip`
> Address group name = zct-AVD-Isolated_Synapse-SNET
> Member = zct-avd-isolated-nat-ip ( 192.168.3.8/32 )
> Member = zct-avd-isolated-snet ( 192.168.235.0/24 )
2. Create an IP pool.
> Navigate to: policy & objects > ip pools > create
> Enter details:
```
Name = AvdIsolatedSynapsePool
Comment = AVD Isolated Synapse subnet NAT IP pool
Type = One-to-one
External IP address/range = 192.168.3.8-192.168.3.8
ARP Reply = enabled
```
> This will ensure all AVD traffic from the isolated subnet traverses the newly created public ip in Azure: `AVD-Isolated-synapse-nat-pip`, associated to the WAN interface
3. Create a Central SNAT (for outbound traffic from the AVD session host subnet)
> Navigation: Policy & Object > Central SNAT > New
> Enter details
```
Incoming interface = Azure (port 2)
Outgoing interface = WAN (port 1)
Source Address = zct-AVD-Isolated_Synapse-SNET
Destination address = all
NAT = enabled
IP pool configuration = Use Dynamic IP Pool
IP pool = AvdIsolatedSynapsePool
Protocol = any
Comments = AVD Isolated Synapse subnet central SNAT
```
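The FortiGate steps above, expressed as the equivalent FortiOS CLI so the whole translation path can be reviewed in one place. This is an added example, not part of the original post and not taken from the Fortinet documentation linked above. Object names and addresses are the ones from the post; the interface names `port1`/`port2`, the central SNAT map ID `1`, the firewall policy ID `10` and the policy name are assumptions. The firewall policy is included because, once central NAT is enabled, translation is decided by the central SNAT map but traffic is still only forwarded if a matching policy exists. One caveat on the `one-to-one` pool type: in FortiOS a one-to-one pool maps each internal address to a distinct external address, so a pool containing the single address 192.168.3.8 can translate only one source host at a time; if every host in 192.168.235.0/24 must share that address, `overload` is the many-to-one pool type.

```fortios
# --- Address objects and group (names from the post) ---
config firewall address
    edit "zct-avd-isolated-nat-ip"
        # The secondary private IP on the FortiGate NIC that Azure maps to the new PIP
        set subnet 192.168.3.8 255.255.255.255
    next
    edit "zct-avd-isolated-snet"
        # The isolated AVD session host subnet
        set subnet 192.168.235.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "zct-AVD-Isolated_Synapse-SNET"
        set member "zct-avd-isolated-nat-ip" "zct-avd-isolated-snet"
    next
end

# --- IP pool (see the lead-in on one-to-one vs overload) ---
config firewall ippool
    edit "AvdIsolatedSynapsePool"
        set type one-to-one
        set startip 192.168.3.8
        set endip 192.168.3.8
        # ARP reply lets the FortiGate answer for 192.168.3.8 on the WAN side
        set arp-reply enable
        set comments "AVD Isolated Synapse subnet NAT IP pool"
    next
end

# --- Switch the unit to central NAT (required before central-snat-map is used) ---
config system settings
    set central-nat enable
end

# --- Central SNAT map: port2 (Azure) -> port1 (WAN), any protocol ---
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "zct-AVD-Isolated_Synapse-SNET"
        set dst-addr "all"
        # protocol 0 = any
        set protocol 0
        set nat enable
        set nat-ippool "AvdIsolatedSynapsePool"
        set comments "AVD Isolated Synapse subnet central SNAT"
    next
end

# --- Forwarding policy (assumed ID and name): without it the SNAT map never sees traffic.
# With central NAT enabled, no "set nat enable" is configured on the policy itself.
config firewall policy
    edit 10
        set name "AVD-Isolated-egress"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "zct-avd-isolated-snet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To confirm the translation after a session host generates traffic, `diagnose sniffer packet port1 'host 192.168.3.8' 4` should show outbound packets on the WAN interface sourced from 192.168.3.8, and `diagnose sys session list` shows the session entries with their translated source. If the packets leave port1 with their original 192.168.235.x source, check that central NAT is enabled and that the session matched central SNAT map 1 rather than falling through to no translation.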
Your proposed FortiGate NAT configuration for Azure Virtual Desktop (AVD) is well-structured, with a solid approach for handling outbound traffic using Central SNAT. By assigning the public IP to the FortiGate WAN interface and configuring the SNAT with a one-to-one IP pool, you ensure that traffic from the isolated AVD subnet will egress using the new public IP. Additionally, since there’s no need to translate destination addresses, DNAT is unnecessary. Ensure that your Azure route tables, NSG configurations, and FortiGate firewall policies are set correctly to allow outbound traffic. Testing the setup and enabling logging will be key for troubleshooting, and verifying that all traffic flows correctly without exposing unnecessary services is important.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,