Hi,
Could I get some advice on how I could set up a redundant VPN between FGT and Azure?
I have two completely separate active-active DCs, with FGT HA clusters in each, and would like one Azure VPN active to, say, DC1, and if that connection goes down, auto failover to DC2.
I assume this is possible, but in terms of the failover mechanism, is most of the configuration on the Azure side? Or FGT also?
I know when building Azure VPNs, it automatically creates a second tunnel. I'm wondering, is that what I should use for the standby tunnel, and have Azure fail over when it identifies a drop in connection?
I was thinking, because this is an active-active DC environment, would a more prudent option be to have two separate and active VPNs into Azure?
I'm not completely sure if we might have routing issues when the backup VPN automatically comes online through DC2, or how that might look from the FGT side of things.
Note, there's no connection between the DC1 and DC2 FGT HA clusters.
Any thoughts very welcome!
D
Hi,
You can use BGP to advertise the FGT segments and that should failover the traffic automatically.
Ensure that DC1 is preferred over DC2.
Regards,
Thanks. At this point, I don't believe we have the availability to use BGP.
Is it possible to manage this using FGT / Azure configuration?
Hi,
Yes, but that does not control the traffic routing from the Azure side. The return traffic can be sent to any cluster the Azure route lookup selects.
Regards,
The following Microsoft doc outlines exactly what I want to achieve.
In terms of the "BGP Failover" piece. Is that something both on Fortigates and Azure VPN Gateway?
I'm not too familiar with BGP deployments, so just trying to get it clear in my head technically what exactly is required here.
I assume the Fortigates would also need to redistribute routes to the internal network when one of the tunnels goes down?