FortiDave
New Contributor III

Redundant Fortigate-Azure VPN

Hi,

Could I get some advice on how I could set up a redundant VPN between FGT and Azure?

I have two completely separate active-active DCs, with FGT HA clusters in each, and would like one Azure VPN active to, say, DC1, and if that connection goes down, auto failover to DC2.

I assume this is possible, but in terms of the failover mechanism, is most of the configuration on the Azure side? Or FGT also?

I know when building Azure VPNs, it automatically creates a second tunnel. I'm wondering if that is what I should use for the standby tunnel, and have Azure fail over when it identifies a drop in connection?

I was thinking, because this is an active-active DC environment, would a more prudent option be to have two separate and active VPNs into Azure?

I'm not completely sure if we might have routing issues when the backup VPN automatically comes online through DC2, or how that might look from the FGT side of things.

Note, there's no connection between the DC1 and DC2 FGT HA clusters.

Any thoughts very welcome!

D

vponmuniraj
Staff

Hi,

You can use BGP to advertise the FGT segments and that should failover the traffic automatically.

Ensure that DC1 is preferred over DC2.

Regards,

Vignesh
FortiDave

Thanks. At this point, I don't believe we have the availability to use BGP.

Is it possible to manage this using FGT / Azure configuration?

FortiDave
New Contributor III

Also, I know on the FortiGates, we could deploy two route-based VPNs on each cluster, and have the backup tunnel set with a lower AD. Would that be another possible option?
vponmuniraj

Hi,

Yes, but that does not control the traffic routing from Azure side. The return traffic can be sent to any cluster the Azure route lookup selects.

Regards,

Vignesh
FortiDave
New Contributor III

The following Microsoft doc outlines exactly what I want to achieve.

[Attached screenshot: Screenshot 2022-05-23 at 09.19.10.png]

In terms of the "BGP Failover" piece, is that something configured on both the FortiGates and the Azure VPN Gateway?
I'm not too familiar with BGP deployments, so I'm just trying to get it clear in my head technically what exactly is required here.

I assume the FortiGates would also need to redistribute routes to the internal network when one of the tunnels goes down?
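A FortiGate-side sketch of the BGP failover that Vignesh describes ("ensure that DC1 is preferred over DC2") and that the question above asks about, as an added example that is not from the original thread, from Fortinet, or from the Microsoft doc: each DC cluster runs one route-based IPsec tunnel to the Azure VPN gateway, peers BGP with it over APIPA addresses on the tunnel interface, and advertises the same on-prem prefix; DC2 prepends its own AS to what it advertises, so the Azure gateway prefers the shorter path via DC1 and only falls back to DC2 once DC1's BGP session drops with its tunnel. The interface names, public IP, AS numbers 65010/65020, the 10.1.0.0/16 prefix and the router IDs are constructed placeholders; Azure's VPN gateway default ASN 65515 and the 169.254.21.0/24 and 169.254.22.0/24 APIPA ranges are Azure's documented values, but the exact peer addresses must match what is set on each Azure connection.

```fortios
# ----- DC1 FortiGate HA cluster (constructed example, not the thread author's config) -----
config vpn ipsec phase1-interface
    edit "to-azure"
        # assumed WAN interface name; remote-gw is a placeholder for the Azure VPN gateway public IP
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "to-azure-p2"
        set phase1name "to-azure"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
# BGP peers over APIPA /32 addresses on the tunnel interface; remote-ip is the
# custom BGP address configured on the Azure connection for DC1
config system interface
    edit "to-azure"
        set ip 169.254.21.1 255.255.255.255
        set remote-ip 169.254.21.2 255.255.255.255
    next
end
config router bgp
    # placeholder on-prem ASN for DC1; 65515 is the Azure VPN gateway default ASN
    set as 65010
    set router-id 10.1.0.1
    config neighbor
        edit "169.254.21.2"
            set remote-as 65515
            set ebgp-enforce-multihop enable
        next
    end
    config network
        # on-prem segment that both DCs advertise (assumption for this example)
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end

# ----- DC2 FortiGate HA cluster: same tunnel layout (peer 169.254.22.x), but the outbound
# route-map prepends DC2's AS so the Azure gateway prefers DC1 while DC1 is up -----
config router route-map
    edit "prepend-to-azure"
        config rule
            edit 1
                # longer AS path => less preferred at the Azure gateway
                set set-aspath "65020 65020"
            next
        end
    next
end
config router bgp
    set as 65020
    set router-id 10.2.0.1
    config neighbor
        edit "169.254.22.2"
            set remote-as 65515
            set ebgp-enforce-multihop enable
            set route-map-out "prepend-to-azure"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end
```

On the Azure side the matching pieces are: BGP enabled on the VPN gateway, a local network gateway per DC carrying that DC's ASN and BGP peer IP (169.254.21.1 and 169.254.22.1 here), and the custom BGP address on each connection set to the 169.254.21.2 / 169.254.22.2 values the FortiGates peer with. Because Azure learns the prefix from both DCs and picks the shortest AS path, the return path is deterministic, which is the gap Vignesh points out with the AD-only approach. Failover is only as fast as the BGP session teardown, so verify DPD on the phase1 and the BGP keepalive/hold timers against the outage you want to survive, and check `get router info bgp summary` on each cluster to confirm the sessions and the prefix counts before relying on it.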
