Hello @Henry D'souza,
Thank you for the update.
If you are going with a normal ExpressRoute setup with a FortiGate firewall in between, then the process is as follows:
Deploy FortiGate firewall in your Azure Vnet.
For on-premises to Azure traffic:
Advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute.
The GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.
Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range, with next hop type Virtual Appliance and the IP address of your FortiGate firewall. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when it reaches your ExpressRoute gateway, will be forwarded to the firewall for scanning.
So the routing from on-premises to Azure will go as below:
On-premises --> ExpressRoute gateway --> FortiGate firewall --> All subnets.
Return Azure to on-premises traffic:
To have all the traffic going out of Azure filtered by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your FortiGate firewall.
This setup will take care of the routing from Azure to on-premises, which will go as below:
All subnets --> FortiGate firewall --> ExpressRoute gateway --> On-premises.
If you want to go with an IPsec over ExpressRoute setup with a FortiGate firewall, then I will check with the ExpressRoute product group team to validate whether there are any special considerations, as the encrypted ExpressRoute traffic depends on advertising preferred routes over the encrypted path.
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
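The UDR layout described in the answer above (Vnet-range route on the GatewaySubnet, 0.0.0.0/0 on every workload subnet except the NVA subnet, both with next hop Virtual Appliance pointing at the FortiGate), as an added Azure CLI script that is not part of the original answer. All names, CIDRs and the FortiGate IP are assumed placeholders; the script only prints the `az` commands unless `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Builds the route tables
# for a hub Vnet with an ExpressRoute gateway and a FortiGate NVA.
set -euo pipefail

RG="${RG:-rg-hub}"                          # assumed resource group
LOC="${LOC:-eastus}"
VNET="${VNET:-vnet-hub}"                    # assumed Vnet name
VNET_CIDR="${VNET_CIDR:-10.10.0.0/16}"      # assumed Vnet address range
FW_IP="${FW_IP:-10.10.1.4}"                 # assumed FortiGate internal NIC IP
NVA_SUBNET="${NVA_SUBNET:-snet-fortigate}"  # subnet holding the FortiGate
WORKLOAD_SUBNETS="${WORKLOAD_SUBNETS:-snet-app snet-db}"
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands only

az_cmd() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

# Guard rails from the answer: the GatewaySubnet cannot carry a 0.0.0.0/0
# UDR, and the NVA subnet must not get the default route (it would loop
# the firewall's own egress back to itself).
udr_allowed() { # $1=subnet  $2=address prefix
  if [ "$2" = "0.0.0.0/0" ]; then
    [ "$1" = "GatewaySubnet" ] && return 1
    [ "$1" = "$NVA_SUBNET" ] && return 1
  fi
  return 0
}

# Create a route table with one route to the FortiGate and bind it to a subnet.
create_udr() { # $1=route table name  $2=subnet  $3=address prefix
  udr_allowed "$2" "$3" || { echo "refusing prefix $3 on subnet $2" >&2; return 1; }
  az_cmd network route-table create -g "$RG" -n "$1" -l "$LOC"
  az_cmd network route-table route create -g "$RG" --route-table-name "$1" \
    -n to-fortigate --address-prefix "$3" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_IP"
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$2" --route-table "$1"
}

main() {
  # On-premises --> ExpressRoute gateway --> FortiGate --> subnets
  create_udr rt-gatewaysubnet GatewaySubnet "$VNET_CIDR"
  # Subnets --> FortiGate --> ExpressRoute gateway --> on-premises
  for s in $WORKLOAD_SUBNETS; do create_udr "rt-$s" "$s" 0.0.0.0/0; done
}

main "$@"
```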