AZURE FIREWALL - ROUTE

Gabriel Moraes 370 Reputation points
2024-08-19T11:32:02.74+00:00

Hello.

Please, I would like to better understand the current scenario I am working on.

I have a VM that needs external access via public IP, which will also be a domain, this VM hosts a public website.

My question:

I have another Fortigate Firewall VM; whenever I need to route internal traffic, I create the routes in the Route Table and it works perfectly.

In the case above for a website, how to let the Firewall manage all external traffic? How to let the Fortigate Firewall ping the public IP of the Website's VM and thus manage all security.

Should I leave this site VM in the same vnet as the Fortigate VM or in another vnet and perform peering?

Note that this FortiGate VM has only 2 NICs (internal and external); unfortunately, the current size does not support more than 2 NICs.

What is the best path in this scenario?

Thank you in advance.

Thanks.

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

Accepted answer
  Vinodh247 34,741 Reputation points MVP Volunteer Moderator
    2024-08-19T14:53:25.4+00:00

    Hi Gabriel Moraes,

    Thanks for reaching out to Microsoft Q&A.

    To effectively manage external traffic for your VM hosting a public website while utilizing a Fortigate Firewall in Azure, there are several key considerations and configurations to implement:

    1. Public IP Management

    You should not assign a public IP directly to the VM that hosts your website. Instead, configure the Fortigate Firewall with a public IP. This allows the firewall to manage all incoming and outgoing traffic, ensuring better security and control. You can utilize Destination Network Address Translation (DNAT) rules on the Fortigate to route traffic from the public IP to the private IP of the VM hosting the website.

    2. Virtual Network Setup

    It is recommended to keep the VM and the Fortigate Firewall in the same virtual network (VNet). This simplifies routing and ensures that the firewall can easily manage traffic between the public internet and your internal resources. If you choose to place them in separate VNets, you would need to set up VNet peering, which adds complexity to the configuration.

    3. Route Table Configuration

    You will need to create a route table that directs all outbound traffic through the Fortigate Firewall. This can be done by setting a default route (0.0.0.0/0) in the route table, with the next hop pointing to the private IP of the Fortigate Firewall. This setup ensures that all traffic, both ingress and egress, is routed through the firewall for inspection and security management.

    4. Firewall Configuration

    Ensure that the Fortigate Firewall is configured to allow ICMP (ping) traffic if you want to ping the public IP of the VM. This involves creating appropriate firewall policies that permit ICMP traffic from the firewall's external interface to the internal VM's IP address. Additionally, configure the firewall to handle other necessary protocols and ports required by your web application.

    Please 'Upvote' (Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.

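The route-table step of the accepted answer (a 0.0.0.0/0 route on the web VM's subnet with the FortiGate's internal private IP as next hop), written out as Bicep. This is an added example, not code from the thread or from Fortinet/Microsoft; the VNet and subnet names, the 10.0.x.x address ranges and the FortiGate internal IP are assumptions to be replaced with your own values. It also attaches an NSG that only admits HTTP/HTTPS into the web subnet from the FortiGate's internal NIC, so the DNAT path through the firewall is the only way in.

```bicep
// Added example (not from the Q&A thread): route table + NSG for the website subnet.
// All names, prefixes and IPs below are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'             // assumed: existing VNet shared with the FortiGate
param webSubnetName string = 'snet-web'        // assumed: subnet holding the website VM
param webSubnetPrefix string = '10.0.2.0/24'   // assumed
param fortigateInternalIp string = '10.0.1.4'  // assumed: private IP of the FortiGate internal NIC

// Route table for the web subnet: every destination outside the VNet is sent to the
// FortiGate internal NIC. Associate it only with the web subnet, never with the
// FortiGate's own subnet, or forwarded packets would loop back into the appliance.
resource webRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-web-via-fortigate'
  location: location
  properties: {
    // Do not let routes learned from a VPN/ExpressRoute gateway bypass the firewall
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-fortigate'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortigateInternalIp
        }
      }
    ]
  }
}

// NSG for the web subnet: inbound web traffic is accepted only when it arrives
// from the FortiGate (i.e. after DNAT); everything else inbound is denied.
resource webNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-web'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-web-from-fortigate'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: fortigateInternalIp
          sourcePortRange: '*'
          destinationAddressPrefix: webSubnetPrefix
          destinationPortRanges: [
            '80'
            '443'
          ]
        }
      }
      {
        name: 'deny-other-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Attach the route table and NSG to the web subnet of the existing VNet
resource webSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: webSubnetName
  properties: {
    addressPrefix: webSubnetPrefix
    routeTable: { id: webRouteTable.id }
    networkSecurityGroup: { id: webNsg.id }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`. Two checks worth making before relying on it: the FortiGate's internal NIC must have IP forwarding enabled in Azure (`enableIPForwarding: true` on the network interface), otherwise the platform drops packets the appliance forwards on behalf of the web VM; and the user-defined route governs only traffic leaving the web VM, so inbound requests still reach it exclusively through the public IP on the FortiGate and its DNAT policy, while the route guarantees the replies return through the same appliance rather than taking an asymmetric path. Add separate NSG rules for any management access (SSH/RDP via the firewall or Bastion) before the deny rule takes effect.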
