Routing through Fortigate

Anonymous

Hello,

I'm new in Azure and have question regarding routing.

My scenario is next:

I have resource group "Firewall" where I added route table, virtual networks and Fortigate as a Default gateway. I separated virtual networks to several subnets(Subnet-1, Subnet-2). My aim is route and filter all network through this Fortigate.

Then I added resource group "group-1" assign one subnet(Subnet-1) from resource group "Firewall" and then added one pc to this resource.

Then I added resource group "group-2" assign one subnet(Subnet-2) from resource group "Firewall" and then added one pc to this resource.

I would like to restrict access from group-1 to group-2. I added deny policy in to Fortigate but traffic still pass. I can restrict access from group-1\group-2 to Internet from Fortigate, but cant restrict between group-1 and group-2.

I don't know why?

Anonymous

2023-06-29T17:18:43.0733333+00:00

How do I need to configure UDR for this scenario?

Do I need to add route table for each recourse group?
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee

2023-06-30T21:51:50.6666667+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

3 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee

2023-06-30T01:54:24.65+00:00

@Anonymous

Thank you for reaching out.

If I have understood the question correctly, you want all the traffic from your Virtual Network via Fortinet, but the PCs deployed in the Subnet-1 and Subnet-2 in the same Virtual Network still can communicate with each other even though you have restricted this communication in Fortinet.

Based on my understanding above, I think the PCs are stilll able to communicate with each other because Azure routes traffic between all subnets within a virtual network, by default. In order to restrict this access you will have to create custom UDR. In the route table you need to create a route for Subnet-1 with the Next Hop as Virtual Appliance and link this route table to Subnet-2, similarly you can create another route table and link it to Subnet-1.

A similar scenario is explained clearly in this tutorial. You can follow it to get more information on the required routes.

Hope this answers your query. If I did not understand your questions clearly, it will help if you could provide a rough network diagram of your set-up. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Anonymous

2023-07-01T09:51:13.4133333+00:00

I Would like to restrict access between Subnet-1 and Subnet-2. They are in one Virtual Network. If I understood correctly, I need to create separate Route Table for Subnet-1 and add route to the virtual Appliance?

Anonymous

2023-07-01T09:51:54.0266667+00:00

Then add second separate Route Table for Subnet-2 and add route to the Virtual Appliance?

Anonymous

2023-07-01T09:52:22.8433333+00:00

I would like to have one central place for policing and routing.

Anonymous

2023-07-01T09:53:32.9633333+00:00

I would like to permit\restrict access between all subnets (which are in one virtual network, but in separate resource group) just with Fortigate, not with Azure native NGS policies.

Anonymous

2023-07-01T09:54:21.2+00:00

I can restrict access to the internet for All subnets through Fortigate, but can't restrict between subnets

ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee

2023-07-04T22:22:32.82+00:00

@Imm

Thank you for getting back.

As an example suppose the address space of Subnet-1 is 10.0.1.0/24 and Subnet-2 address space is 10.0.2.0/24 and Fortigate's IP Address is 10.0.3.5.

For Subnet-1 to Subnet-2 communication the steps will be as shown below.

Create a route table (steps here)

Add a route with the details as below.

Route Name: Subnet1Subnet2

Address prefix destination: Select IP Addresses.

Destination IP addresses/CIDR ranges: enter 10.0.2.0/24 (Subnet-2 address range)

Next hop type: select Virtual Appliance

Next hop address: enter 10.0.3.5 (Fortigate's IP address)

Click Add

Associate this Route table to Subnet-1 as shown here.

For Subnet-2 to Subnet-1 communication, follow the similar steps above but replace Destination IP address to Subnet-1's IP range and associate this route table to Subnet-2.

Hope this helps. Please let me know if there are any issues. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Anonymous

2023-07-04T05:14:44.4733333+00:00

Still waiting your help
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Routing through Fortigate

3 answers

Your answer