Azure VPN w/ BGP to Fortigate w/ 2 ISP Uplinks

28. July 2022 Community, Level300, Microsoft 0

As a showed last time with mikrotik, there is a easy way to connect your OnPremises Infrastructure to your Azure vNet. But this time I show you how to do that with an Fortigate Firewall. Because this time there are some different setting because all vendors have their specials πŸ˜‰
So let’s have a look what we have done because there are some different tasks and thinking of how vendors are getting the thing done. Many thanks to my college Johannes Kainz how was helping me to overcome the tricky things.

The different thing this time was the clustering an thus the one management intereface of the Fortigate system OnPremises. So there was no way to set two BGP Session to just one Azure VPN Gateway Management IP because the logical one firewall cluster need two differnt endpoints for its BGP peering address, so the result was an Azure active/active Gateway so that ends up in two public IP-Addresses but more important two internal Management IP-Addresses and so the Fortigate Firewall had two destination to connect. That’s it πŸ˜‰ The Rest is just do it and straight forward.

The picture below show the lab setup where 2 different subsriptions where connected by vNet-Peering and brings you in mind that “global vNet Peering” is still a nice feature! So Addressspace (aka vNet) 10.10.4.0/22 lives in Central WestGermany Region which means Frankfurt. The main vNet 10.10.0.0/22 live in WestEurope which means Amsterdam which hostes the VPN-Gateway with the SKU VpnGw1 plus an additional Public IP Address. For Cost Perspective read futher down..

Hardware:

  • Fortigate 60F in a Cluster for redunancy – FGT60F-7.0.6-FW-build0366
  • Azure VPN Gateway VpnGw1 with BGP
  • second public IP Address for active/active VPN Gateway

the WAN plan

10.10.4.0/22 (Germany West) <–> 10.10.0.0/22 (Western Europe) <–> 10.99.128.0/24 (Feldbach city)

As you can see there is a config for redunand VPN connection to your Azure vNet. For the showcase I did a second vNet in a different reagion just to show that “global vNet Peering” is possible and also part of perfect connectivity.

Lets start with the part for the Fortigate Firewall and how to setup the IPSec Tunnel with BGP Routing. I just show the relevant parts. Someone doing that should be able to setup the rest of the firewall so that internet access is possible…

There are some parts of course:

The Fortigate part

The new thing here is the second Loopback Address because we need two separate BGP Session or BGP Destinations to the Azure VPN Gateway. Because of that we needed the active/active Azure VPN Gateway because this brings us access to the second Gateway Instance and a seconde BGP Peering address!

2 loopback interfaces as 2 different source addresses

of course 2 different IPSec Interfaces for the 2 tunnels, IP Addresses are not interested

the result looks like that πŸ˜‰

The IPSec Setting are well known but i put it here – please note that there are of course 2 Tunnels:
We tried to put the most secure settings which are working! So take that and its working…

the FIRST Tunnel – base settings
IPSec Phase I
IPSec Phase II – keep in mind no Traffic selectors are taken
the SECOND Tunnel, the rest is the same – skipped.

do some BGP stuff

now some BGP Settings. If you are new to Routing: BGP is the most common routing protocol because the whole Internet is based on it. For internal routing it is quite new. BGP Session are 1:1 session based on tcp/179 so, source and destination router must be reachable by static routes which is done by the firewall and Azure gateway automatic.

note the 2 BGP peer addresses from Azure VPN Gateway as remote peer
first we announce just one local network, there are more possibilities like redistribution
straight forward
note the multihop switch for eBGP and iBGP

lets do the Azure part

Here are some steps you have to do on Azure:

Add an vNet with your desired IP Range here in my case it is 10.10.0.0/22 with some Subnets in the region of West Europe… Just as showcase i added another vNet in a different Azure Region “Gemany West Central” just to show that this is easy going and possible. The feature is called vNet-Peering within an region and Global vNet Peering cross Regions. Here it is 10.10.40/22 in Frankfurt.

So add an vNet 10.10.0.0/22 and add an VPN Gateway with active/activ enabled!

after about 45mintues; that is the result

I the screenshot above you can see the two public IP Addresses to connect from OnPremises but more important the two BGP peering addresses which has the VPN Gateway Cluster on Azure to connect within the IPSec Tunnel for the BGP Sessions.

we added to IPSec Connections to both ISP Uplink addresses. you need “local network gateway”
the result are the announced OnPrem route on Azure and vice versa
here the “local network gateay and its config, should be clear and straight forward. note: no traffic selector
the config of the Connection inbetween

the result

2 routes over 2 paths
Ping Host1 –Western Europe -> Feldbach

Ping Host2 – West Central Germany -> Western Europe -> Feldbach

as always – when you do things right – it works πŸ˜‰

Cost Perspective

The greatest myth in cloud: Costs πŸ˜‰

I think that is really wrong because there is nothing which is more going in detail than costs. I kept the shown infrastucture running for a while so I show you the very sure cost from ervery day runrate.

sorry quite long but useful…

That’s all folks!