Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,287 questions
Routing traffic through fortigate appliance from other subnets than the one the appliance is in.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 69%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Simon Blomsterlund
0
Reputation points
Hi!
I need to route traffic from a VNet to an on premise network through a fortigate virtual appliance. Since I'll need to use container environments I can't place the fortigate appliance in the same subnet as the container environment, since its subnet needs to be delegated to mcrsft.Apps/Environments.
I don't have access to edit the fortigate appliance's configuration. And I'm trying to debug this using a VM.
I have tried setting up a route table associated with the subnet connected to the VM. I have double checked that the network interface on the fortigate appliance is set to "allow IP forwarding".
I'm at the end of my wits and can not understand what I'm doing wrong.
I have disabled all NSG features during testing.
Fortigate appliance has the IP 172.16.2.10
The IP addresses I'm trying to access through the fortigate appliance are 195.80.240.0/20.
| Subnet | CIDR |
|---|---|
| Subnet A (contains fortigate appliance) | 172.16.2.0/24 |
| Subnet B (contains my test VM) | 172.16.3.0/24 |
I have set up the UDR
| CIDR | Next hop | Associated subnet |
|---|---|---|
| 195.80.240.0/20 | 172.16.2.10 | SubnetB |
But I can't ping anything in the 195.80.240.0/20 network. And I can't ping the fortigate interface IP from the test VM in the other subnet. If I place my test VM in the SubnetA I can access the target network.
{count} votes
-
KapilAnanth-MSFT 40,911 Reputation points Microsoft Employee2024-07-10T10:13:18.5066667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Point to Note wrt "Since I'll need to use container environments I can't place the fortigate appliance in the same subnet as the container environment, since its subnet needs to be delegated to mcrsft.Apps/Environments."
- Despite whether or not a subnet has delegation, it is always a good idea to deploy the NVA in it's own subnet
- This is because, the NVA subnet should not have a UDR on itself and if you were to place a testVM and the NVA in same subnet, you will not be able to add a UDR to the testVM without affecting the NVA's routing.
Looking at your verbatim,
- You can check the effective routes of a VM : Check NIC Effective routes
- Can you check for TestVM and confirm the nextHop of 195.80.240.0/20 is the NVA's IP.
- Can you confirm if the network range "195.80.240.0/20" is in Azure (VNET Peering or same VNET) or connected to Azure via VPN/ExpressRoute?
- From the NVA, are you able to ping/telnet to "195.80.240.0/20" ?
- If the NIC Effective routes indicate the packets are indeed being routed to the NVA, your next steps would be to
- Check the NVA's configuration
- Make sure the packet actually reached the NVA or not by checking the NVA's logs
- Because, it is highly possible that the NVA is simply dropping the packets destined to "195.80.240.0/20"
Cheers,
Kapil
-
Simon Blomsterlund 0 Reputation points
2024-07-10T12:17:04.6766667+00:00 Thanks Kapil!
- Yeah I checked the effective routes, and it seems to direct requests correctly to the NVA. Next hop for requests towards target network from VM in subnetB is the fortigate.
- I have reached out to the service partner to check the NVA configuration. I'll try to update this thread if that is the case if someone else are trying to solve similar issues.
Cheers,
Simon
-
KapilAnanth-MSFT 40,911 Reputation points Microsoft Employee
2024-07-11T08:42:06.3933333+00:00 Sure.
Let us know if the packets actually reached the NVA and if so, did NVA drop the packet or forwarded to the destination "195.80.240.0/20".
Sign in to comment