Implementing BGP instead of a static route for Azure ExpressRoute
This is my first post in the community. I hope someone can help me.
We have 2x FortiGate 200E as an A-P cluster, some VLANs, SSL VPN, IPsec for some clients and for Azure, and static routes. The active and passive nodes are connected to the same ISP-1 for HA. We are thinking of getting Azure ExpressRoute, and it needs BGP configuration. Unfortunately, I haven't found a good explanation of how to migrate from static routes to BGP. Or, perhaps, it is possible to keep the static routes and add BGP only for ExpressRoute (not sure if it is a good idea). I have attached the physical connection scheme.
Could anyone recommend anything for this situation?
I know nothing about Azure ExpressRoute, but I assume it's just another private link into the Azure cloud, which advertises a bunch of public subnets over the link. Since there are many of them and they might change from time to time, BGP is necessary for the client side to learn those routes.
Based on that assumption, you probably don't have to change anything in the current/existing static routes unless some of them include those ExpressRoute destination subnets. Likely you have one default route to ISP1, and that's all for the internet side.
I would just follow what MS provided you to configure in BGP and more: ASN, neighbor IP(s), SNAT, etc.
I don't think anything like "migration" would be involved.
@Toshi_Esumi, many thanks for the answer. Well, ExpressRoute has to have BGP; it is mandatory. I know that it is possible to have static routes and BGP (OSPF, EIGRP, etc.) in Cisco routers at the same time, but I'm not sure about FortiGate. If I have a default route to ISP-1 and set up BGP for ExpressRoute, will traffic for networks from BGP go to the default route, as it has higher priority?
I've never seen in my life any routers/FWs that support multiple routing protocols but can't activate them at the same time. Routing decisions are made by the RIB (routing information base), and each protocol, including static routes, sends its best candidates to the RIB. Depending on the admin distance of each protocol, which might differ from vendor to vendor, what goes into the RIB is decided.
As I said, unless ExpressRoute advertises a conflicting/competing route, i.e. a default route in your case, only the default static route goes into the RIB. You must have gotten some documentation explaining what kind of routes would be advertised by MS. I would never imagine they advertise a default route.
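Added illustration (not code from anyone in this thread): a small model of the two selection steps the reply above describes. First, per prefix, only the candidate with the lowest administrative distance enters the RIB; second, for forwarding, the RIB entry with the longest matching prefix wins, whichever protocol installed it. The distances are assumed to be the FortiOS defaults (connected 0, static 10, eBGP 20); the prefixes, next hops and the competing BGP default route are constructed for the example and are not real ExpressRoute advertisements.

```python
"""Model of RIB selection: admin distance per prefix, then longest-prefix match.

Added example; assumes FortiOS default administrative distances
(connected 0, static 10, eBGP 20). Sample routes are constructed.
"""

import ipaddress
from dataclasses import dataclass

# Assumed FortiOS default administrative distances (lower wins).
DISTANCE = {"connected": 0, "static": 10, "ebgp": 20}


@dataclass(frozen=True)
class Candidate:
    prefix: str    # e.g. "0.0.0.0/0"
    next_hop: str
    source: str    # key into DISTANCE


def build_rib(candidates):
    """Per prefix, keep only the candidate with the lowest admin distance.

    A static default (10) beats a BGP-learned default (20); a BGP prefix with
    no static competitor enters the RIB untouched.
    """
    rib = {}
    for c in candidates:
        net = ipaddress.ip_network(c.prefix)
        best = rib.get(net)
        if best is None or DISTANCE[c.source] < DISTANCE[best.source]:
            rib[net] = c
    return rib


def lookup(rib, dst):
    """Forwarding decision: most specific RIB entry containing dst wins.

    Admin distance plays no part here, so a BGP /16 is preferred over a
    static default route for destinations inside that /16.
    """
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]


# Constructed sample: the poster's static default toward ISP-1, a local VLAN,
# a prefix learned over the ExpressRoute BGP session, and a hypothetical
# competing default route from BGP. All addresses are made up.
CANDIDATES = [
    Candidate("0.0.0.0/0", "203.0.113.1", "static"),       # default to ISP-1
    Candidate("192.168.10.0/24", "0.0.0.0", "connected"),  # local VLAN
    Candidate("10.20.0.0/16", "169.254.0.1", "ebgp"),      # learned over ExpressRoute
    Candidate("0.0.0.0/0", "169.254.0.1", "ebgp"),         # competing BGP default
]


def rib_size(rib):
    """Number of prefixes installed (4 candidates collapse to 3 prefixes)."""
    return len(rib)


if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for net, entry in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{str(net):18} via {entry.next_hop:12} [{entry.source}]")
    for dst in ("10.20.5.5", "8.8.8.8", "192.168.10.7"):
        e = lookup(rib, dst)
        print(f"{dst:14} -> {e.next_hop} ({e.source})")
```

Running it shows the answer to the "higher priority" question: 10.20.5.5 goes to the BGP next hop because 10.20.0.0/16 is more specific than 0.0.0.0/0, while 8.8.8.8 still leaves via the static default, and the BGP-learned default never makes it into the RIB because the static one has the lower distance.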