Global vnet peering through Fortinet Firewall

Mohammed Thahif BK 346 Reputation points Microsoft Employee
2022-06-02T05:56:31.833+00:00

Hello,

We have a prod (UK South) and DR (UK West) setup on Azure. A global vnet peering is set up between these 2 regions. One of the requirements from the security team is to route inter-region traffic through a Fortinet firewall deployed in the hub.

Can we achieve this scenario? Is it possible to route inter-region traffic through the FW and then over the Azure backbone?
Please help.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

2 answers

  1. risolis 8,801 Reputation points
    2022-06-02T06:16:04.447+00:00

    Hello @Mohammed Thahif BK

    Thank you for your post.

    Please read the following article that may fit into your network design which is the one below:

    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

    Looking forward to your feedback,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. ChaitanyaNaykodi-MSFT 27,661 Reputation points Microsoft Employee Moderator
    2022-06-10T21:20:02.017+00:00

    Hello @Mohammed Thahif BK ,

    As per my understanding from the question above, you have two regions (UK South) and (UK West) which have global peering set up, and now you have a requirement to send all inter-region communication via a Fortinet firewall deployed in the Hub vnet.

    As mentioned by @risolis, this architecture is definitely achievable; you can refer to this architecture, which resembles your requirement. You can implement user-defined routes (UDRs) to force traffic destined to a spoke to be sent to Azure Firewall or a network virtual appliance acting as a router at the hub. For spoke connectivity you can create routes to forward traffic from the spoke to the firewall or network virtual appliance, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic.

    Based on your questions above:

    Is it possible to route inter-region traffic through the FW and then over the Azure backbone?

    Once peered, the virtual networks exchange traffic by using the Azure backbone.

    Do we need to have an S2S VPN between these 2 firewalls, using their private IPs as peer addresses?

    As mentioned in the architecture documentation shared above, you can also use a VPN gateway to route traffic between spokes, but since your requirement is to send traffic via the Firewall in your Hub vnet, global vnet peering with UDRs will be a better option here.

    You can also go through this documentation for additional details on the requirements and constraints for VNet peering.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

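A minimal Bicep sketch of the UDR plus "allow forwarded traffic" arrangement the answer above describes, added here as an illustration (it is not code from the thread, from Microsoft docs or from Fortinet). The vnet names, address spaces, API version choice and the Fortinet inside-interface IP are assumed placeholders.

```bicep
// Assumed placeholders (not from the thread): spoke/hub names, address spaces and the
// private IP of the Fortinet's trusted (inside) interface in the hub vnet.
param location string = 'uksouth'
param prodVnetName string = 'vnet-prod-uksouth'
param hubVnetId string                          // resource ID of the hub vnet hosting the Fortinet
param drVnetPrefix string = '10.20.0.0/16'      // UK West DR address space (placeholder)
param fortinetInsideIp string = '10.0.1.4'      // Fortinet inside NIC; that NIC needs enableIPForwarding

resource prodVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: prodVnetName
}

// UDR for the prod workload subnet: traffic for the DR vnet is handed to the firewall
// instead of following the system route that the direct prod<->DR global peering installs.
// Associate this table with the subnet through the subnet's routeTable property.
resource rtProd 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-prod-to-dr-via-fw'
  location: location
  properties: {
    routes: [
      {
        name: 'dr-via-fortinet'
        properties: {
          addressPrefix: drVnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortinetInsideIp
        }
      }
    ]
  }
}

// Prod -> hub peering. allowForwardedTraffic must be true: packets the Fortinet forwards
// into prod carry the DR vnet's source address, which is outside the hub's address space.
resource prodToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: prodVnet
  name: 'peer-prod-to-hub'
  properties: {
    remoteVirtualNetwork: {
      id: hubVnetId
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}
```

The DR spoke needs the mirror image (a UDR for the prod prefix pointing at the same Fortinet IP, and allowForwardedTraffic on its own peering to the hub); otherwise the return path takes the direct peering and the stateful firewall sees only one direction of each flow.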
