Adding an inline FW to ExpressRoute

Henry D'souza 6 Reputation points
2021-11-07T14:39:23.533+00:00

Our customer has an ExpressRoute connection from Microsoft Azure to a data center. They want to
secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion
prevention system (IPS) and antivirus scanning.
What can we use to ensure that all traffic from the data center is sent through the
FortiGate over ExpressRoute?
My options are:

  • Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
  • Configure a user-defined route table
  • Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • Configure the gateway subnet as the subnet in the user-defined route table
  • Define a default route where the next hop IP is the FortiGate WAN interface

2 answers

  1. GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
    2021-11-09T01:55:55.833+00:00

    Hello @Henry D'souza ,

    Thank you for the update.

    If you are going with a normal ExpressRoute setup with a FortiGate firewall in between, then below is the process:

    Deploy FortiGate firewall in your Azure Vnet.

    For On-premise to Azure traffic:
    Advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute.
    GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.
    Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your VNet range, with next hop type Virtual Appliance and the IP address of your FortiGate firewall. This will make sure that any traffic that comes from your on-premises for your Azure VNet range, when it reaches your ExpressRoute gateway, will be forwarded to the firewall for scanning.
    So the routing from on-premises to Azure will go as below:
    On-premises --> ExpressRoute gateway --> FortiGate firewall --> All subnets.

    Return Azure to on-premises traffic:
    To filter all the traffic going out of Azure by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your FortiGate firewall.
    This setup will take care of the routing from Azure to on-premises, which will go as below:
    All subnets --> FortiGate firewall --> ExpressRoute gateway --> On-premises.

    If you want to go with IPsec over ExpressRoute setup with a FortiGate firewall, then I will check with the ExpressRoute product group team to validate if there are any special considerations as the encrypted ExpressRoute traffic depends on the advertising preferred routes over the encrypted path.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
    2021-11-12T23:51:58.65+00:00

    Hello @Henry D'souza ,

    To configure an IPsec over ExpressRoute setup with a FortiGate firewall, you need to follow the steps below:

    1) Configure a Site-to-Site VPN connection over ExpressRoute private peering by following the below article:
    https://video2.skills-academy.com/en-au/azure/vpn-gateway/site-to-site-vpn-private-peering?toc=/azure/expressroute/toc.json

    2) Deploy FortiGate firewall in Azure.

    3) For on-premises to Azure traffic:
    Advertise default route (0.0.0.0/0) via both the ExpressRoute private peering BGP, and the VPN BGP. The result is two network routes (paths) toward Azure from the on-premises networks:
    • One network route over the IPsec-protected path.
    • One network route directly over ExpressRoute without IPsec protection.

    To apply encryption to the communication, you must make sure that Azure routes via the on-premises VPN gateway are preferred over the direct ExpressRoute path.

    In this setup, the UDR needs to be implemented on the VPN gateway subnet, not on the ExpressRoute gateway. ExpressRoute is just an underlay; it is the VPN gateway where the IPsec tunnel terminates.

    GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.
    You need to configure a VNet-specific UDR on the VPN virtual gateway subnet with the NVA as next hop.
    So the routing from on-premises to Azure will go as below:
    On-premises --> Encrypted gateway --> FortiGate firewall --> All subnets.

    4) Return Azure to on-premises traffic:
    To filter all the traffic going out of Azure by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your FortiGate firewall.
    Then add routes on the NVA to forward all the traffic to the VPN gateway, which will provide connectivity between VNet resources and the VPN gateway.
    This setup will take care of the routing from Azure to on-premises, which will go as below:
    All subnets --> FortiGate firewall --> Encrypted gateway --> On-premises.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
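The Azure-side UDR layout that both answers describe (a route for the VNet range on GatewaySubnet pointing at the NVA, because 0.0.0.0/0 is not accepted there, plus a 0.0.0.0/0 route on every workload subnet pointing at the NVA, never on the NVA subnet itself) is the same for the plain ExpressRoute design in answer 1 and the IPsec-over-ExpressRoute design in answer 2, since in the coexistence setup the ExpressRoute and VPN gateways share GatewaySubnet. Below is that layout as a Bicep template. It is an added example, not code from the thread, from Microsoft or from Fortinet; every name, address prefix, the FortiGate NIC IP and the API version are assumed placeholders.

```bicep
// Added example (not from the thread): UDRs for an inline FortiGate behind the ExpressRoute / VPN gateway.
// All parameter defaults are assumed placeholders; replace them with the real VNet values.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'                  // assumed: VNet holding the gateways and the NVA
param vnetAddressPrefix string = '10.1.0.0/16'      // assumed VNet range; the GatewaySubnet route matches this
param gatewaySubnetPrefix string = '10.1.0.0/27'    // assumed; shared by the ExpressRoute and VPN gateways
param workloadSubnetName string = 'workload'        // assumed: an application subnet behind the firewall
param workloadSubnetPrefix string = '10.1.10.0/24'  // assumed
param fortiGateInternalIp string = '10.1.2.4'       // assumed: private IP of the FortiGate internal NIC

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// GatewaySubnet route table. 0.0.0.0/0 is not supported on GatewaySubnet (both answers), so the
// route covers the VNet range instead: traffic arriving from on-premises for any VNet address is
// handed to the FortiGate. BGP propagation must remain enabled on GatewaySubnet.
resource gatewayRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'vnet-via-fortigate'
        properties: {
          addressPrefix: vnetAddressPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortiGateInternalIp
        }
      }
    ]
  }
}

// Workload subnet route table: default route to the FortiGate for the return path
// (all subnets --> FortiGate --> gateway --> on-premises). Never associate this table with the
// NVA subnet, or the firewall's own forwarded traffic would be sent back to itself.
// Disabling BGP propagation here is a design choice not stated in the thread: it stops prefixes
// learned from on-premises (more specific than 0.0.0.0/0) from bypassing the firewall.
resource workloadRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-fortigate'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortiGateInternalIp
        }
      }
    ]
  }
}

// Associate the tables with the subnets. The subnet name 'GatewaySubnet' is fixed by Azure.
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: 'GatewaySubnet'
  properties: {
    addressPrefix: gatewaySubnetPrefix
    routeTable: {
      id: gatewayRouteTable.id
    }
  }
}

resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: workloadRouteTable.id
    }
  }
  // Subnets of one VNet cannot be updated concurrently; serialise the two updates.
  dependsOn: [
    gatewaySubnet
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file udr.bicep`. The template covers only what Azure controls. The 0.0.0.0/0 advertisement from on-premises over BGP, and for answer 2 the preference for the VPN path over the bare ExpressRoute path plus the FortiGate's own routes toward the VPN gateway, are configured on the on-premises routers and the FortiGate. After deployment, `az network nic show-effective-route-table` on a workload VM NIC is the quick check that the 0.0.0.0/0 route has next hop VirtualAppliance and the FortiGate IP.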