目前位置: 新聞總覽 -> 最新訊息 -> Connectivity between Azure Virtual WAN and Fortinet Appliance

2019年06月12日

Connectivity between Azure Virtual WAN and Fortinet Appliance

Connectivity between Azure Virtual WAN and Fortinet Appliance

Contributors: Karthik T, Principal Cloud Architect at Powerupcloud Technologies.

“Networking is the cornerstone of communication and Infrastructure”

Azure VWAN

Microsoft Azure Virtual WAN allows to enable simplified connectivity to Azure Cloud workloads and to route traffic across the Azure backbone network and beyond. Azure provides 54+ regions and multiple points of presence across the globe Azure regions serve as hubs that you can choose to connect to the branches. After the branches are connected, use the Azure cloud service through hub-to-hub connectivity. You can simplify connectivity by applying multiple Azure services including hub peering with Azure VNETs. Hubs serve as traffic gateways for the branches.

Fortinet with Azure VWAN

Connecting Fortinet Firewalls to a Microsoft Azure Virtual WAN hub can be done automatically. The automatic configuration provides a robust and redundant connection by introducing two active-active IPSec IKEv2 VPN tunnels with the respective BGP setup and fully automated Azure Virtual WAN site creation on Microsoft Azure. The finished deployment allows full connectivity between branch-office sites and resources in Azure Virtual Networks via the Azure VPN Hub.

VWAN Offerings:

Microsoft Azure Virtual WAN offers the following advantages:

Integrated connectivity solutions in hub and spoke

Automated setup and configuration

Intuitive troubleshooting

Organizations can use Azure Virtual WAN to connect branch offices around the globe. An Azure Virtual WAN consists of multiple virtual hubs, and an organization can create virtual hubs in different Azure regions.

For on-premises devices to connect into Azure a controller is required. A controller ingests Azure APIs to establish site-to-site connectivity with the Azure WAN and a Hub.

Microsoft Azure Virtual WAN includes the following components and resources:

WAN: Represents the entire network in Microsoft Azure. It contains links to all Hubs that you would like to have within this WAN. WANs are isolated from each other and cannot contain a common hub, or connections between two hubs in different WANs.

Site: Represents your on-premises VPN device and its settings. A Site can connect to multiple hubs.

Hub: Represents the core of your network in a specific region. The Hub contains various service endpoints to enable connectivity and other solutions to your on-premises network. Site-to-site connections are established between the Sites to a Hubs VPN endpoint.

Hub virtual network connection: Hub network connects the Azure Virtual WAN Hub seamlessly to your virtual network. Currently, connectivity to virtual networks that are within the same Virtual Hub Region is available.

Branch: The branches are the on-premises Fortinet appliances, which exist in customer office locations. The connection originates from behind these branches and terminates into Azure.

Prerequisites and requirements

The following prerequisites required for configuring Azure and Fortinet to manage branch sites connecting to Azure hubs.

1. Have white-listed Azure subscription for Virtual WAN.
2. Have an on-premise appliance such as a Fortinet appliance to establish IPsec connection into Azure resources.
3. Have Internet links with public IP addresses. Though a single Internet link is enough to establish connectivity into Azure, you need two IPsec tunnels to use the same WAN link.
4. SD-WAN controller — a controller is the interface responsible for configuring appliances connecting into Azure.
5. A VNET in Azure that has at least one workload. For instance, a VM, which is hosting a service. Consider the following points:
6. The virtual network should not have an Azure VPN or Express Route gateway, or a network virtual appliance.
7. The virtual network should not have a user-defined route, which routes traffic to a non-Virtual WAN virtual network for the workload accessed from the on-premise branch.
8. Appropriate permissions to access the workload must be configured. For example, port 22 SSH access for a Ubuntu VM.

Step 1. Configure Microsoft Azure Virtual WAN Service

Fig 1.1 Virtual Network Configuration Fig 1.2 Virtual WAN Creation Fig 1.3 Virtual WAN Fig 1.4 Virtual Hub Fig 1.5 Hub status with no sites configured

Step 2. Configure and Connect the Fortinet Firewall

Fig 1.6 Fortinet Firewall Configuration Fig 1.7 Fortinet Phase 1 & Phase 2 Proposal Fig 1.8 Azure to Fortinet Rule Fig 1.9 Fortinet to Azure Rule

Step 3. Associate Sites to the Hub

Fig 1.10 Add a connection between hub and site Fig 1.11 Associate site with one or more hubs

Step 4. Verify Connectivity and Routing

Fig 1.12 Hub status with VPN site Fig 1.13 VWAN Heath and Gateway status Fig 1.14 Fortinet Gateway status

There you go the connection is established and network flows:)

Virtual WAN enables centralized, simple and fast connection of several branches, with each other and with Microsoft Azure.

If you need any help on Virtual WAN Implementation, Please do reach out to us.

資料來源:
https://blog.powerupcloud.com/connectivity-betweenazure-virtual-wan-and-fortinet-appliance-e5c66e66367f

標籤 : Phitech, 懇懋科技, Fortinet, Azure