Contributors: Karthik T, Principal Cloud Architect at Powerupcloud Technologies.
“Networking is the cornerstone of communication and Infrastructure”
Microsoft Azure Virtual WAN allows to enable simplified connectivity to Azure Cloud workloads and to route traffic across the Azure backbone network and beyond. Azure provides 54+ regions and multiple points of presence across the globe Azure regions serve as hubs that you can choose to connect to the branches. After the branches are connected, use the Azure cloud service through hub-to-hub connectivity. You can simplify connectivity by applying multiple Azure services including hub peering with Azure VNETs. Hubs serve as traffic gateways for the branches.
Fortinet with Azure VWAN
Connecting Fortinet Firewalls to a Microsoft Azure Virtual WAN hub can be done automatically. The automatic configuration provides a robust and redundant connection by introducing two active-active IPSec IKEv2 VPN tunnels with the respective BGP setup and fully automated Azure Virtual WAN site creation on Microsoft Azure. The finished deployment allows full connectivity between branch-office sites and resources in Azure Virtual Networks via the Azure VPN Hub.
Microsoft Azure Virtual WAN offers the following advantages:
Integrated connectivity solutions in hub and spoke
Automated setup and configuration
Organizations can use Azure Virtual WAN to connect branch offices around the globe. An Azure Virtual WAN consists of multiple virtual hubs, and an organization can create virtual hubs in different Azure regions.
For on-premises devices to connect into Azure a controller is required. A controller ingests Azure APIs to establish site-to-site connectivity with the Azure WAN and a Hub.
Microsoft Azure Virtual WAN includes the following components and resources:
WAN: Represents the entire network in Microsoft Azure. It contains links to all Hubs that you would like to have within this WAN. WANs are isolated from each other and cannot contain a common hub, or connections between two hubs in different WANs.
Site: Represents your on-premises VPN device and its settings. A Site can connect to multiple hubs.
Hub: Represents the core of your network in a specific region. The Hub contains various service endpoints to enable connectivity and other solutions to your on-premises network. Site-to-site connections are established between the Sites to a Hubs VPN endpoint.
Hub virtual network connection: Hub network connects the Azure Virtual WAN Hub seamlessly to your virtual network. Currently, connectivity to virtual networks that are within the same Virtual Hub Region is available.
Branch: The branches are the on-premises Fortinet appliances, which exist in customer office locations. The connection originates from behind these branches and terminates into Azure.
Prerequisites and requirements
The following prerequisites required for configuring Azure and Fortinet to manage branch sites connecting to Azure hubs.
- Have white-listed Azure subscription for Virtual WAN.
- Have an on-premise appliance such as a Fortinet appliance to establish IPsec connection into Azure resources.
- Have Internet links with public IP addresses. Though a single Internet link is enough to establish connectivity into Azure, you need two IPsec tunnels to use the same WAN link.
- SD-WAN controller — a controller is the interface responsible for configuring appliances connecting into Azure.
- A VNET in Azure that has at least one workload. For instance, a VM, which is hosting a service. Consider the following points:
- The virtual network should not have an Azure VPN or Express Route gateway, or a network virtual appliance.
- The virtual network should not have a user-defined route, which routes traffic to a non-Virtual WAN virtual network for the workload accessed from the on-premise branch.
- Appropriate permissions to access the workload must be configured. For example, port 22 SSH access for a Ubuntu VM.
Step 1. Configure Microsoft Azure Virtual WAN Service
Step 2. Configure and Connect the Fortinet Firewall
Step 3. Associate Sites to the Hub
Step 4. Verify Connectivity and Routing
There you go the connection is established and network flows:)
Virtual WAN enables centralized, simple and fast connection of several branches, with each other and with Microsoft Azure.
If you need any help on Virtual WAN Implementation, Please do reach out to us.
from Powerupcloud Tech Blog – Medium