Redundant Fortigate-Azure VPN

dave o'donohoe 21 Reputation points
2022-05-15T17:55:55.903+00:00

Hi all,

I'm wondering if I could get some advice on how I could set up a redundant VPN between FGT and Azure.

I have two completely separate active-active DCs, with FGT HA clusters in each, and would like one Azure VPN active to, say, DC1, and if that connection goes down, auto failover to DC2.

I assume this is possible, but in terms of the failover mechanism, I'm not sure where the failover configuration is primarily deployed - AZ or FGT?

I know when building Azure VPNs, it automatically creates a second tunnel. I'm wondering whether that is what I should use for the standby tunnel, and have Azure fail over when it identifies a drop in connection? Or is that second VPN endpoint only a backup for the same endpoint?

Also, I was thinking, because this is an active-active DC environment, would a more prudent option be to have two separate, active VPNs into their Azure environment?

I'm not completely sure whether we might have routing issues when the backup VPN automatically comes online through DC2, or how that might look from the customer side of things.

Note that there's no connection between the DC1 and DC2 FGT HA clusters, and I don't have the ability to use BGP for failover, at this point at least.

Any thoughts very welcome!

Azure VPN Gateway

1 answer

  1. Luke Murray 10,526 Reputation points MVP
    2022-05-16T08:55:26.607+00:00

    I believe the secondary connection is only for backup of the same endpoint, but depending on the Gateway SKU it can be changed to Active/Active.

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell?WT.mc_id=AZ-MVP-5004796

    Although it's not something I have tested (it's on my list to test), the Azure side should fail over automatically if one of the connections drops, but the FortiGates will need to drop their routes and redirect over the other link; most of these options require BGP, however.
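As an added illustration of the Azure side of the setup the answer points to (this is example code written for this page, not from the original poster, the answerer, or the linked Microsoft article): one route-based, active-active VPN gateway (two gateway instances, two public IPs) connected to two independent on-premises FortiGate clusters, DC1 and DC2, each as its own local network gateway and connection. The resource group, VNet, Key Vault, public IPs, prefixes and connection names are hypothetical placeholders. The point it makes concrete: active-active gives you two Azure-side endpoints for each DC's tunnels, but without BGP Azure steers traffic by the static address prefixes on each local network gateway, and those prefixes must not overlap between the two connections. So DC1 and DC2 can each be reachable over their own tunnels, but Azure will not move one prefix from DC1 to DC2 when DC1 goes down; that kind of failover is what needs BGP.

```powershell
# Added example for this page (not from the original post or Microsoft's docs).
# Requires the Az modules (Az.Network, Az.KeyVault) and an authenticated session.
# All names, addresses and prefixes below are hypothetical placeholders.

$rg  = 'rg-hub-vpn'      # assumption: existing resource group
$loc = 'westeurope'

# Assumption: the hub VNet already has a GatewaySubnet.
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Active-active needs one public IP per gateway instance (Standard SKU, static).
$pip1 = New-AzPublicIpAddress -Name 'pip-vpngw-1' -ResourceGroupName $rg -Location $loc `
          -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name 'pip-vpngw-2' -ResourceGroupName $rg -Location $loc `
          -AllocationMethod Static -Sku Standard

$ipcfg1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipcfg1' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip1.Id
$ipcfg2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipcfg2' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip2.Id

# Route-based, active-active gateway. Each FortiGate cluster will build a tunnel
# to BOTH public IPs; that is the "second tunnel" the question asks about, and it
# protects against loss of one Azure gateway instance, not loss of a whole DC.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipcfg1, $ipcfg2 -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw2 -EnableActiveActiveFeature

# One local network gateway per DC. GatewayIpAddress is the FortiGate cluster's
# public IP. Without BGP the AddressPrefix values are static routes, and the
# prefixes of two local network gateways on the same VPN gateway must not overlap,
# so each DC must present its own on-premises range (10.1/16 and 10.2/16 here).
$lngDc1 = New-AzLocalNetworkGateway -Name 'lng-dc1' -ResourceGroupName $rg -Location $loc `
            -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.1.0.0/16'
$lngDc2 = New-AzLocalNetworkGateway -Name 'lng-dc2' -ResourceGroupName $rg -Location $loc `
            -GatewayIpAddress '198.51.100.10' -AddressPrefix '10.2.0.0/16'

# Separate pre-shared key per DC, read from Key Vault (assumption: vault 'kv-hub'
# holds secrets 'psk-dc1' and 'psk-dc2') rather than hard-coded in the script.
$pskDc1 = Get-AzKeyVaultSecret -VaultName 'kv-hub' -Name 'psk-dc1' -AsPlainText
$pskDc2 = Get-AzKeyVaultSecret -VaultName 'kv-hub' -Name 'psk-dc2' -AsPlainText

# Two independent IPsec connections; both are up at the same time (active/active
# at the DC level), each carrying only the prefix of its own DC.
New-AzVirtualNetworkGatewayConnection -Name 'cn-dc1' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngDc1 -ConnectionType IPsec -SharedKey $pskDc1
New-AzVirtualNetworkGatewayConnection -Name 'cn-dc2' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngDc2 -ConnectionType IPsec -SharedKey $pskDc2

# Check: both connections should report Connected once the FortiGate side is up.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

If the two DCs must present the same on-premises prefix to Azure (true DC-to-DC failover for one range), the local network gateways have to be BGP-enabled and the FortiGates have to peer with the gateway's BGP address, which is exactly the constraint the answer above describes.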