Clicking the Launch Now button opens the Github Actions tab, click the "Run Workflow" button on the right-hand side, enter your email address and click the lower "Run Workflow" button.
The workflow starts the TEChnical Recipe environment provisioning process. An email is sent to the provided email address when the environment provisioning process is complete. The email contains environment details, including all required access credentials and links, as well as environment duration period. When the environment duration period has passed the environment and all resources will be removed.
TEChnical Recipes provide the learner with the opportunity to put into practice newly developed skills in an easy to launch environment that can be used for customer engagements. At a minimum a TEChnical Recipe will include the following:
-
A use case description
-
An integrated lab and demo environment
- Informational call-outs for key points to discuss or highlight to a customer
- Questions that could be asked while giving the TEChnical Recipe as a demo
- Points of value that relate the business value to the technical feature
-
A reference architecture(s)
Optional components may be included for certain use cases
The TEChnical Recipe will not be a completely, self-contained learning experience for a single product. A TEChnical Recipe will cover features and often multiple products where they relate to the use case of interest.
Deployments will be automated for those tasks that are not salient to the learning or demonstration activity in the use case. For example, for a TEChnical Recipe focused on Indicators of Compromise, the system may deploy a FortiGate and FortiAnalyzer with configurations for these systems. However, the leaner will have to configure the Event Handlers for IOC setup.
Introduction: As enterprises adopt the cloud as the new core for application hosting, remote sites require secure, reliable connectivity with an optimal user experience to access those cloud and SaaS applications. In fact, cloud access is SD-WAN's primary use case for IaaS and SaaS-hosted services. Fortinet's Cloud On-Ramp capabilities using SD-WAN are differentiated in the following ways:
- Integrated Security and SD-WAN policy configuration and workflows
- Unique ability to provide scale up performance for higher bandwidth into cloud environments
- Decentralized orchestration for better survivability and easier deployment of SD-WAN overlays
- Single OS for consistent policy and overlay deployment on all software-defined networks (SDNs)
The purpose of this TEChnical Recipe is to familiarize the learner with routing, data-plane, and architectural concepts specific to the Azure Cloud environment. Other TEChnical Recipes are available to cover SD-WAN feature deployment.
- Deploy the SDWAN architecture using Terraform
- Configure Azure components
- Load Balancer
- VNET Peering
- Route Server
- vWAN and vWAN Hub
- Understand the different available architecture options
[Deployment exercise - estimated duration 40min]
-
Login to Azure Cloud Portal https://portal.azure.com/ with the provided login/password
-
Click on Cloud Shell icon on the Top Right side of the portal
-
Select Bash
-
Click on Show advanced settings
-
Select
- Use existing Resource Group - it should auto populate with USERXX-workshop-sdwan (USERXX is your Username)
- Use existing Storage account - it should auto populate with USERXX##########workshopsdwa (########## is a random string)
- Use existing File Share - type cloudshell
-
Click "Attach Storage"
-
You should now have access to Azure Cloud Shell console
Perform the following step in your Cloudshell console to create your environment.
- Clone the Github repo
- Change directory to the se-conf-sdwan-workshop/se-summit folder
- Initialize Terraform
- Create Terraform Plan
- Apply Terraform Plan
Copy and paste these commands into your Cloudshell console. The terraform variable
username
will be populated with the value of the environment variableUSER
git clone https://github.com/FortinetSecDevOps/se-conf-sdwan-workshop.git
cd ./se-conf-sdwan-workshop/se-summit/
terraform init
terraform plan -var="username=${USER}"
terraform apply -var="username=${USER}"
-
Using the Terraform output, verify that you have Web and SSH access to the FortiGates.
-
Terraform output can be redisplayed at any point as long as you are in the
./se-conf-sdwan-workshop/se-summit/
directory, by using the commandterraform output
cd cd se-conf-sdwan-workshop/se-summit/ terraform output
-
-
Connect to the Branch sites FortiGates and check the VPN status.
-
Connect to the Hub FortiGates and check the WAN IP
-
FortiGates in the Hub do not have public IPs, how are they accessible via the Web UI?
-
Why are the VPN connections down?
Quiz 1 Answers
-
FortiGates in the Hub do not have public IPs, how are they accessible via the Web UI?
- The Public IPs on the external load balancers for the Hub, Branch1 and Branch2 FortiGates have inbound NAT rules setup.
-
Why are the VPN connections down?
- The external load balancer for the Hub FortiGates needs load balancing rules for UDP 500 and UDP 4500.
Fortinet provides a large library of infrastructure as code (IaC) templates to deploy baseline and iterate POC and production environments in public cloud. IaC support includes Terraform, Ansible, and cloud-specific services such as Azure ARM, AWS Cloudformation, and Google Deployment (jinja) templates. Terraform Providers are available for FortiGate and FortiManager to insert and iterate running configuration.
For more information, review the following:
When giving this TEChnical Recipe as as demo, the following questions will provide a basis for next steps and future meetings:
- Has your organization standardized on an IaC tool-set for infrastructure provisioning and iteration?
- How are the responsibilities for infrastructure assigned? Does cloud network fall under a DevOps, Cloud Networking, or Application Delivery team, as examples?
- What is view on how IaC can improve workflows?
- Is workflow automation in cloud and cross-organizational collaboration important within your cloud business?
[Configuration exercise - estimated duration 20min]
- Select the Hub External Load Balancer sdwan-USERXX-workshop-hub1-elb1
- Click on Backend pools
- Add FortiGate1 and FortiGate2 port1 interfaces and then click on Save
-
Select the Hub External Load Balancer sdwan-USERXX-workshop-hub1-elb1
-
Click on Load balancing rules
-
Create Load balancing rules for UDP 500 and UDP 4500 - one rule for each
Verify that the FortiGates are responding to Azure Load Balancer Health Checks
-
Select the Hub External Load Balancer sdwan-USERXX-workshop-hub1-elb1
-
Click on Insights - Click the "Refresh" button a few times, eventually (~30 seconds) the FortiGate reachability will be indicated.
-
Verify that the VPN connections from the Branch to the Hub are UP
-
Verify that the BGP peering with the Hub is UP and that the Branch FortiGate learned the Hub and other Branches' CIDRs. Run the Command
get router info routing-table all
on all the Branch FortiGates.
-
Why is one FortiGate depicted as unhealthy by the Azure Hub External Load Balancer?
-
Why is NAT used to access the FortiGates, but for IPSEC VPN traffic Load balancing rules are used?
-
Do FortiGates in the Branches learn Spoke11 and Spoke12 CIDRs?
Quiz 2 Answers
-
Why is one FortiGate depicted as unhealthy by the Azure Hub External Load Balancer?
- The passive FortiGate does not respond to the load balancer health probes. Only after a failover event will the newly active FortiGate start responding to health probes.
-
Why is NAT used to access the FortiGates, but for IPSEC VPN traffic Load balancing rules are used?
- NAT allows each individual FortiGate to be accessed via the Public IP of the load balancer. A load balancer rule would only allow access to the Active FortiGate.
-
Do FortiGates in the Branches learn Spoke11 and Spoke12 CIDRs?
- Spoke11 and Spoke12 CIDRs are not yet known to the Hub FortiGate so the Branches will not learn them yet.
When discussing load balanced traffic with the customer, point out key details about the Azure Load Balancers such as the following:
- Azure LB uses 5-tuple hash for traffic distribution
- IPSec in an Active/Active configuration is not supported as session stability cannot be guaranteed to IkE rekeys, and deterministic IP termination.
- TCP/UDP headers are rewritten to the backend pool. HTTP/s headers are not changed.
- Legacy applications or those requiring long-lived sessions could see performance issues due to TTL limitations on the LB.
When connecting IPSec traffic from remote inter-regional sites, the customer's architecture could benefit from dedicated FortiGates to support IPSec. This is a benefit where large traffic loads are supported for deep packet inspection and where there is a lot of E/W traffic. Dedicated FortiGates for IPSec allow the opportunity to scale VPN traffic using IPSec Aggregate without impacting performance of traffic inspection. Details on IPSec Aggregate can be found here.
Don't forget that the CLI is still a great place to get targeted information with a single command. For example, viewing the FortiGate known routes with the CLI command get router info routing-table all
When giving this TEChnical Recipe as as demo, the following questions will provide a basis for next steps and future meetings:
- How sensitive are your applications to session timeout? Do they require large TTL values for long-lived sessions?
- What type of VPN scaling (tunnel count and bandwidth) are required for your deployment?
- How much east/west traffic versus north/south traffic will be supported?
- What types of inspection will be required between various VNets?
- Is advanced BGP configuration required? (FortiGate-to-FortiGate can support advanced BGP metrics unlike Azure's services)
[Presentation about Azure Route Server- estimated duration 30min]
The Azure Route Server (ASR) is used to connect NVAs to the Azure network to simplify VNet routing with external networks. SD-WAN is a primary use case for the ASR where BGP routes are exchanged between a premise-based and the ASR to advertise premise-originated routes to the VNets and VNet routes to the premise. For many customers, this may be a great fit. For some customers, there may be more complex routing requirements such as multiple egress points,load balanced routes, large number of BGP peers, large volume of routes (>1000); where these needs require advanced BGP. More complex use cases will require FortiGate to FortiGate peering in those cases. Let your customer know about Fortinet's ability to support advanced dynamic routing services.
When giving this TEChnical Recipe as as demo, the following questions will provide a basis for next steps and future meetings:
- Describe your organizations routing requirements.
- Does your environment require more than 8 BGP peers or more than 1000 routes
- Do you need to extend other routing protocols, such OSPF or ISIS into the Azure environment?
[Configuration and troubleshooting exercise - estimated duration 40min]
Create a VNET peering between the Spoke11 VNET and the Hub VNET
-
Select the Spoke VNET, USERXX-workshop-sdwan-spoke11 - (replace USERXX with your username)
-
Click on Peerings
-
Add peering to Hub VNET, USERXX-workshop-sdwan-hub1
-
Repeat the above between Spoke12 VNET, USERXX-workshop-sdwan-spoke12 and the Hub VNET
You will see errors until all the correct selections are made.
- Verify that the Branch FortiGates have learned the Spoke11 VNET and Spoke12 VNET CIDRs. Run the Command get router info routing-table all on all the Branch FortiGates.
-
Select the Azure Route Server USERXX-workshop-sdwan-RouteServer contained within your Resource Group.
-
Click on Peers on the left side of the menu, verify the connection to the Hub FortiGates
-
List the routes learned by Azure Route Server, run the commands below from your Azure Cloud Shell
- The variable
${USER}
in the commands reads your username from the environment
az network routeserver peering list-learned-routes -g ${USER}-workshop-sdwan --routeserver ${USER}-workshop-sdwan-RouteServer --name sdwan-fgt1
az network routeserver peering list-learned-routes -g ${USER}-workshop-sdwan --routeserver ${USER}-workshop-sdwan-RouteServer --name sdwan-fgt2
The passive FortiGate will produce empty output
{
"RouteServiceRole_IN_0": [],
"RouteServiceRole_IN_1": [],
"value": null
}
- Can the Hub FortiGate Azure SDN Connector read the Azure environment?
-
Troubleshoot and Make the required changes to allow the FortiGate to retrieve the SDN filters.
-
Hub FortiGate debug the Azure SDN Connector
diagnose debug application azd -1 diagnose debug enable
-
-
Hints:
- FGT Branch3 is able to retrieve the filters, why that is not the case for the FortiGates behind Load Balancers?
- FGT Branch3 is standalone, all other FortiGates are in A-P HA, how does that affect traffic to retrieve SDN information?
- Hub External Load Balancer needs a management nic backend pool and a TCP rule, any port suffices. This rule is about letting TCP traffic out. The External Load Balancer will let the response traffic back in because the traffic originated internally.
-
-
Create a backend pool on the Hub load balancer using the Hub FortiGate Management Interfaces
- 10.10.4.4
- 10.10.4.5
-
Create a TCP Load Balancer Rule, any port will do, e.g. 13000. This rule will allow TCP response traffic back through the load balancer, when to a TCP request originated from a device in a backend pool associated to the load balancer.
-
Create a dynamic address object on the Hub FortiGate, named
Spoke_VNETs
that resolves to the Spoke VNETs VMs -
Use the object in an existing Policy named
Branch to Cloud
to restrict traffic coming from the Branches to only VMs in the Spoke VNETs.
-
Generate Traffic from Branch1 Primary FortiGate:
- Connect to the Branch1 Primary FortiGate
- Configure ping-options to initiate traffic from FortiGate's private nic (port2).
execute ping-options source 172.16.2.5
- source IP depends on which Branch1 FortiGate is primary br1fgt1 or br1fgt2execute ping-options repeat-count 100
- Initiate a ping to Spoke11 and Spoke12 Linux VMs (10.11.1.4 and 10.12.1.4)
execute ping 10.11.1.4
execute ping 10.12.1.4
-
Generate Traffic from Branch1 Linux VM:
-
Enable serial console access on Branch1 Linux VM
-
Initiate a ping to Spoke11 and Spoke12 Linux VMs
ping 10.11.1.4 ping 10.12.1.4
-
Does it work?
-
-
At the end of this step you should have the following architecture
-
What was missing to allow the FortiGates to retrieve SDN connector filters?
-
Why is the FortiGate only able to retrieve the SDN connector filters in its own Resource Group?
-
Why is the Branch FortiGate able to reach the remote Spoke VNETs VMs (10.11.1.4 and 10.12.1.4) but the Linux VM behind the Branch1 FortiGate cannot?
-
FortiGates at Branch1 and Branch2 site are both behind Azure Load Balancers (behind NAT). Will Branch1 to Branch2 traffic successfully establish an ADVPN shortcut?
Quiz 4 Answers
-
What was missing to allow the FortiGates to retrieve SDN connector filters?
- The FortiGate's management interfaces need access to the Azure APIs via a public IP address. This required adding a backend pool for the FortiGate management interfaces and a TCP load balancing rule to let the API response to an internal request back through the external load balancer.
-
Why is the FortiGate only able to retrieve the SDN connector filters in its own Resource Group?
- The FortiGate VM Azure Identity was given the "Reader" role with the scope of the Resource Group.
-
Why is the Branch FortiGate able to reach the remote Spoke VNETs VMs (10.11.1.4 and 10.12.1.4) but the Linux VM behind the Branch1 FortiGate cannot?
- The Linux VM does not know how to get to the FortiGate because no default route was defined for the route table which controls the subnet the Linux VM is in.
-
FortiGates at Branch1 and Branch2 site are both behind Azure Load Balancers (behind NAT). Will Branch1 to Branch2 traffic successfully establish an ADVPN shortcut?
- Yes
Azure Virtual Network (VNET) Peering provides the ability to connect multiple VNETs together and direct traffic flow based on existence of a gateway in a connected peer or with a user defined route (UDR) in a route table.
Utilizing an Azure Route Server (ARS) and setting the FortiGates as a BGP peers enables the FortiGates to be updated with newly available routes or the removal of routes as VNETs are peered or when a peering relationship is removed.
From a FortiGate Policy perspective the ability to be dynamically aware of a changing environment is provided by the Azure SDN Connector. The SDN Connector is continually polling the environment and logging the changes, FortiGate dynamic address objects and Automation Stitches can take full advantage of the SDN connector to update policy and effect internal and external changes.
An Azure Route Table provides a way to specifically direct traffic, when used in conjunction with an ARS or FortiGate static routes protected workload traffic can be fully managed.
Several settings in Azure determine traffic flow review the following for Azure Routing
- Do you currently use, planning to use or just learning about VNET peering?
- Are you aware of the capabilities that the Azure SDN Connector provides?
- Are you using dynamic address objects or Automation Stitches?
[Configuration exercise - estimated duration 20min]
-
Click on the Branch1 private route table sdwan-USERXX-workshop-branch1_rt
-
Click Routes
-
Add a default route for
0.0.0.0/0
that points to the Branch1 Internal Load balancer listener IP -
Repeat the previous step for the Branch2 and Branch3 Route Tables
- Be sure to use the correct IP as the next hop, that is the correct Internal Load balancer listener IP or FortiGate internal interface.
Hint: The next hop is a load balancer or a stand-alone FortiGate.
-
Connect to the Branch1 Linux Host via the serial console
-
Generate traffic to Hub
ping 10.11.1.4 ping 10.12.1.4
-
Does it work now?
-
Click on Spoke11 Linux VM sdwan-USERXX-workshop-spoke11-subnet1-lnx
-
Click on Networking in the Navigation Menu
-
Click on the VM nic
-
Click on Effective routes
-
Check that Azure Route Server has injected the Branch sites CIDRs learnt from the FGT
-
Click on the Hub FGT VM sdwan-USERXX-workshop-hub1-fgt1
-
Click on Networking in the Navigation Menu
- Has Azure Route Server injected the Branch sites CIDRs learnt from the FGT? Why ?
-
Connect to the Branch1 Linux Host via the serial console - sdwan-USERXX-workshop-br1lnx1
-
Generate traffic to Branch2 Linux Host
ping 172.17.5.4
-
Check if an ADVPN shortcut has been created. Run the command
get router info routing-table bgp
-
Why has the Azure Route Server (ARS) injected Branch site CIDRs to the Spoke VNET protected subnet but not the FortiGate private subnet?
-
The Branch external load balancer has two front end public IP. How do we ensure that traffic egressing Branch1 on port1 (isp1) always has the same public IP applied? Same for traffic egressing Branch1 on port3 (isp2)
Quiz 5 Answers
-
Why has the Azure Route Server (ARS) injected Branch site CIDRs to the Spoke VNET protected subnet but not the FortiGate private subnet?
- Route propagation into the FortiGate private subnet is set to no.
-
The Branch external load balancer has two front end public IP. How do we ensure that traffic egressing Branch1 on port1 (isp1) always has the same public IP applied? Same for traffic egressing Branch1 on port3 (isp2)?
- By using outbound rules associated to backend pools connected to those ports on each FortiGate.
Through the use of IPSEC an ADVPN is established between branches, the complexity of branch to branch connectivity is seamlessly added to the environment. Determining workload traffic routing can be done by reviewing the network interface's effective routes. When troubleshooting a perceived networking issue, checking an interfaces effective routes is a first step in determining if the interface has awareness of the routes or what the next-hop is for the route.
ping
can be an effective way to determine reachability in the Cloud, however a ping
may not fully exercise the services provided by the workloads. FortiGate policy should be set to allow/disallow service ports and protocols.
- Is ADVPN establishment important to your deployments?
- How certain are you that your workloads are not aware of other routes?
- Have you experienced traffic to your workloads that has been inspected by the FortiGates on arrival but is not seen returning through the FortiGate?
[failover exercise - estimated duration 20min]*
- Connect to the Branch1 Linux Host via the serial console - sdwan-USERXX-workshop-br1lnx1
- Ping a resource in a remote branch site - sdwan-USERXX-workshop-spoke11-subnet1-lnx
ping 10.11.1.4
- Let the ping run
-
Connect to the Branch1 Primary FortiGate . Initiate a failover by rebooting the primary FortiGate or by forcing a failover via the CLI
execute ha failover set 1
-
Monitor the number of lost Pings and the failover time
-
How long did it take?
-
Have the VPNs to the Hub been renegotiated upon failover or maintained?
-
Ensure that both Branch1 FortiGates in the cluster are up and running
-
Connect to the Branch1 Linux Host via the serial console - sdwan-USERXX-workshop-br1lnx1
-
Generate an SSH session to the Spoke Linux VM - sdwan-USERXX-workshop-spoke11-subnet1-lnx
-
From Spoke Linux VM SSH session generate a continuous stream of connections to track the failover event
while true; date; do curl -I -sw '%{http_code}' https://www.lemonde.fr/ ; echo -e "\n================="; sleep 1 ; done
-
Connect to the Branch1 Primary FortiGate . Initiate a failover by rebooting the primary FortiGate or by forcing a failover via the CLI
-
Monitor the SSH connection
-
Did you lose the TCP connection?
-
How long was your failover time?
-
Why did we lose the SSH (TCP) session with a "short" failover time?
Quiz 6 Answers
-
How long was your failover time?
- It should have been between 15 - 25 seconds.
-
Why did we lose the SSH (TCP) session with a "short" failover time?
- TCP sessions are not maintained by the Azure load balancer.
In Active/Passive FortiGate deployments the failover methodology has an impact on the continuation of traffic flow. Utilizing Azure Load Balancers as traffic direction devices in a FortiGate Active/Passive deployment, the load balancer will only send traffic to the FortiGate that is responding to the load balancer's health probe. A FortiGate in passive mode will not respond to the load balancer health probe, causing the load balancer to mark the passive FortiGate as unhealthy and not send traffic to the passive FortiGate. In a failover event the previously passive FortiGate will start responding to the load balancer health probe, resulting in traffic being directed to the newly active FortiGate.
Azure load balancers do not maintain TCP sessions which will need to be restarted, however UDP sessions, specifically IPSEC connections are readily available in a failover scenario.
Reiterating, ping
can be an effective way to determine reachability in the Cloud, however a ping
may not fully exercise the services provided by the workloads. FortiGate policy should be set to allow/disallow service ports and protocols. In this section a loop utilizing curl to make http calls to a website was a better method to determine reachability in conjunction with functionality.
- Is a highly available FortiGate deployment required for your workloads?
- Current Azure failover times for an Active/Passive deployment with load balancers is 5-10 seconds, can you applications support that?
- There are multiple tools to test system reachability adn service availability, what are your methods?
[Presentation about FGT A/A and SDWAN use case - estimated duration 20min]
Active/Active FortiGate deployments can scale both horizontally and vertically, additionally there is a lower interface requirement resulting in an ability to deploy smaller Azure instance types. However, SDWAN Active/Active FortiGate deployments come with some limitations, mainly traffic asymmetry and a larger IPSEC deployment. For example, a two FortiGate Active/Active deployment would require each branch FortiGate to maintain four IPSEC connections to each Active/Active FortiGate.
Active/Passive FortiGate deployments only support vertical scalability, but only need two IPSEC connections per FortiGate Active Passive pairs.
- Can your applications support asymmetric traffic?
- Do you have the need to scale horizontally?
[Configuration exercise - estimated duration 20min]
-
Create your vWAN and the vWAN Hub using the CLI commands below. Use the Hub FortiGate location for the VWAN location.
- You can find the location of your Hub FortiGates with this Azure CLI Command
az vm show -g ${USER}-workshop-sdwan -n sdwan-${USER}-workshop-hub1-fgt1 -o table
-
The variable
${USER}
in the commands reads your username from the environmentaz network vwan create --name sdwan-${USER}-workshop-vwan --resource-group ${USER}-workshop-sdwan --location your-hub-location --type Standard
If you are prompted to install the extension
virtual-wan
answerY
az network vhub create --address-prefix 10.14.0.0/16 --name ${USER}-vwanhub --resource-group ${USER}-workshop-sdwan --vwan sdwan-${USER}-workshop-vwan --location your-hub-location --sku Standard
The second command can take several minutes to run, do not Ctrl-C to break out or stop the command. If your Cloudshell session disconnects, reconnects and run
ps -ef
to determine ifaz network vhub create...
command is still running. Once the command is no longer seen in theps
output the VWAN should be created. Use the commandaz network vhub list
to view your VWAN hub. -
Navigate to your Resource Group and verify that you see your vWAN
-
Click on your vWAN and verify that you see the virtual Hub you just deployed
-
Click on the vWAN Hub and verify that the deployment and routing status complete
-
Go to your resource Group and then click on the Hub VNET - USERXX-workshop-sdwan-hub1
-
Delete the Hub to Spoke VNET peerings, delete both Spoke11 and Spoke12 peerings
-
Create Virtual WAN Route Tables
-
Create Virtual WAN VNET Connections
-
Go to the vWAN, Click on Virtual Network Connection
-
Create a VNET connection for Spoke11, attach it to the Spoke-VNETS Route Table and propagate it to FGT-VNET Route Table - select your resource group and VNET - USERXX
-
Repeat the same for Spoke12
-
Repeat the same for FGT VNET connection, attach it to the FGT-VNET Route Table but do not propagate to other Route Tables.
- Is the connection for FGT VNET created?
- Why not?
-
Locate your own Azure Route Server and delete it
-
Try now to connect the FGT VNET to the vWAN Hub, attach it to the FGT-VNET Route Table.
-
-
-
Configure Spoke-VNETS Route Table
-
Go your vWAN Hub, click on Routing and then click on Spoke-VNETS Route Table
-
-
At the end of this step you should have the following architecture
-
Connect to the Branch1 Linux Host via the serial console
-
Generate traffic to Hub
ping 10.11.1.4
-
Does it work ?
-
Troubleshoot and make all the required changes to make it work
-
Hints:
- FGT Branch1 does it learn routes to spokes from the Hub?
- Configure the Hub FGT to advertise Spoke11 and Spoke12 CIDRs to the Branches
-
On the Hub FGT, add Static Routes to Spoke11 and Spoke12. What would be the next-hop?
-
Add Spoke11 and Spoke12 to the list of networks under BGP configuration
config router bgp config network edit 1 set prefix 10.10.255.1 255.255.255.255 next edit 2 set prefix 10.11.0.0 255.255.0.0 next edit 3 set prefix 10.12.0.0 255.255.0.0 next end end
-
Verify that Branches are now receiving Spoke11 and Spoke12 CIDRs. Use the command
get router info routing-table all
-
Does it work now or not yet ?
-
Take a packet capture on the Hub, Do you see echo-requests arriving?
diagnose sniffer packet any 'net 10.11.0.0/16' 4 0 a
-
Traffic is egressing the Hub FGT on port2, but you don't see any reply?... What is missing?
- Check FGT Hub port2 effective routes?
- Do you see spoke11 and spoke12 CIDRs? Why is the vWAN not propagating them to the Route Table attached to the FGT private subnet, sdwan-USERXX-workshop-hub1_fgt-priv_rt?
- Check the Route Table configuration settings
-
-
-
Why were we not able to attach the Hub FortiGate VNET to vWAN until we deleted Azure Route Server?
-
Why was the vWAN not able to inject Spoke11 and Spoke12 VNETs CIDRs to FortiGate Private UDR?
-
The above setting is normally set to "yes", why did we set it to "no" ? Hint: We had Azure Route Server before
-
In the Spoke-VNETS vWAN Route Table, the next-hop is the Primary FortiGate IP. What should we add/do to handle failover?
Quiz 8 Answers
-
Why were we not able to attach the Hub FortiGate VNET to vWAN until we deleted Azure Route Server?
- An Azure VNET cannot receive routes from the vWAN and the RouteServer at the same time.
-
Why was the vWAN not able to inject Spoke11 and Spoke12 VNETs CIDRs to FortiGate Private UDR?
- Route propagation for the FortiGate route table sdwan-USERXX-workshop-hub1_fgt-priv_rt was set to no.
-
The above setting is normally set to "yes", why did we set it to "no"?
- Azure RouteServer provided the routes
-
In the Spoke-VNETS vWAN Route Table, the next-hop is the Primary FortiGate IP. What should we add/do to handle failover?
- An internal load balancer could be added and use that IP as the next hop or an automation stich could be run at failover to update the Spoke-VNETS vWAN Route Table to point to the newly active FortiGate private interface.
Azure Virtual WAN and Azure Route Server cannot both supply routing information in the same VNET, because both supply BGP. FortiGate NVAs can be deployed in an Azure vWAN a few different ways, in this scenario the FortiGates were deployed in their own VNET and traffic was directed to the FortiGate VNET using route tables.
FortiGates integrated in to the Azure vWAN hub to support SDWAN is currently available. FortiGates supporting Firewall services integrated in to the vWAN hub is coming in 2023. The current limitation is related to Azure routing intent
Azure Virtual WAN can greatly simplify connectivity but there are routing considerations, when routes should be propagated and when they should not. Additionally attention should be given to VNET layout with respect to east-west and north-south traffic flows.
- How large is your Cloud presence?
- Would your Cloud deployments benefit from Azure vWAN or would Azure Route Server suffice?
- Could you Cloud deployment be managed through route tables, user defined routes and FortiGate static routes?