
Martin Twombly, Senior Principal Cloud Architect

Ali Bidabadi, Senior Director, Cloud Consulting & Architecture


REPLAY ON DEMAND: https://attendee.gotowebinar.com/register/8194142711928266508
Agenda

• Secure Cloud on-ramp
• Azure Virtual WAN and FortiGate integration
• FortiGate VM running natively in vWAN Hub
• SD-WAN Hub in Azure design patterns
• Demo
• How to get started
• Q&A

Martin Twombly, Senior Principal Cloud Architect
Ali Bidabadi, Senior Director, Global Cloud Consulting & Architecture

© Fortinet Inc. All Rights Reserved. 2


Secure Cloud On-Ramp

Multi-cloud SD-WAN
Seamless overlay network and consistent security policies for Multi-cloud IT.

Enable Multi-Cloud Applications without the Complexity

Simplify and consolidate cloud network and security

• Seamless Multi-cloud SD-WAN network
• High performance IPsec
• Single pane of glass management simplifies security administration
• Consistent Security Posture

[Diagram labels: App Workloads (three clouds); Network Connectivity Center; Azure Virtual WAN; AWS Transit Gateway; FortiGate VM SD-WAN; Orchestration, Automation, Central Management; Cloud On-Ramp SD-WAN; Multi-Cloud SD-WAN; FortiGate; Edge; Datacenter; End to end SD-WAN and security; Cloud-native integration]



What is Azure Virtual WAN?

• Networking service that enables many security/networking use cases:
  ▪ Branch connectivity
  ▪ Site-to-site VPN connectivity
  ▪ Point-to-site connectivity
  ▪ Traffic inspection (3rd party firewalls)
  ▪ …

• Leverages Azure backbone to enable a global transit network architecture



Fortinet Azure Virtual WAN Integration – First Generation Architecture

[Diagram labels: Branch Office – Australia; Branch Office – US East; Internet; Azure Virtual WAN – Regional Hub; VNet Connection; Private VNet A; Private VNet B; Azure Function VPN Configurator; Zero touch provisioning of IPSec tunnels. Address prefixes shown: 10.0.41.0/24, 10.3.1.0/24, 10.0.70.0/24, 10.3.1.0/24, 172.16.1.0/24]



Fortinet Azure Virtual WAN Architecture w/ Virtual WAN Routing Enhancements

Custom Route Table RT_Shared
Columns: Route name, Destination Type, Destination Prefix, Next Hop

Static Route added to Custom Route Table RT_V2B
Route name   Destination Type   Destination Prefix            Next Hop
RT_V2B       CIDR               10.0.11.0/24, 10.0.15.0/24    vnet4conn

Static Route added to HUB 1 DefaultRouteTable
Route name   Destination Type   Destination Prefix   Next Hop
RT_B2V1      CIDR               192.168.50.0/24      vnet4conn
RT_B2V2      CIDR               192.168.100.0/24     vnet4conn

Static Routes configured on NVA VNET Connection vnet4conn
Route name   Destination Prefix   Next Hop
1            10.0.11.0/24         172.22.50.200

Routing Configuration of VNET connections 4, 5
associatedRouteTable   RT_Shared
propagatedRouteTable   RT_Shared

Routing Configuration of VNET connections 1, 2
associatedRouteTable   RT_V2B
propagatedRouteTable   RT_V2B, RT_Shared

Routing Configuration of VPN connection
associatedRouteTable   Default
propagatedRouteTable   Default, RT_Shared

[Diagram labels: Spoke1 192.168.50.0/24; Spoke2 192.168.100.0/24; Hub 1; Service VNET; VNET4; VNET5; 172.22.50.0/24; 172.23.50.0/24; 172.22.50.100 (External); 172.22.50.200 (Internal); 172.23.50.100 (External); 172.23.50.200 (Internal); Express Route; Branch1 10.0.11.0/24 (10.0.11.4); Branch2 10.0.15.0/24 (10.0.15.4)]



Azure Virtual WAN – FGT Native Integration
Solution Overview

First Integrated Secure SD-WAN AND Next Generation Firewall in Azure Virtual WAN
First Converged Secure SD-WAN / NGFW in Azure Virtual WAN

A converged NGFW and secure SD-WAN deployed and run natively inside Azure Virtual WAN

Enable secure cloud on-ramp from your SD-WAN

Benefits in Azure Virtual WAN
Securely extend your SD-WAN into Azure Virtual WAN
Vetted Architecture by Azure and Fortinet architects
Simple, structured deployment model
High Availability
Performance/Scale

• Branch to Azure Virtual WAN Connectivity
• Secure Branch to Branch Connectivity
• Dynamic Path Selection
• Custom Application Awareness
• Secure and Resilient Office 365 Connectivity

[Diagram labels: Virtual Network Connections; Virtual WAN Hub Router; BGP; FortiGate Scale Set; Virtual WAN Hub; Secured SD-WAN Overlay; Branch Location 1 With FortiGate; Manufacturing Location 1 With FortiGate]

Key Use Cases

Single Virtual Hub with FortiGate
• East-West Branch to Branch
• East-West VNet to VNet
• North-South Branch to VNET
• North-South VNET to Branch
• North-South Branch to Internet
• North-South VNet to Internet

Inter-hub and Hybrid Scenarios with FortiGate
• East-West Branch to Branch
• East-West VNet to VNet
• North-South Branch to VNET
• North-South VNET to Branch
• Azure ExpressRoute to VNET
• Azure ExpressRoute to SD-WAN

[Diagram labels: numbered flows 1 to 6; Microsoft.com; Fortinet.com; Virtual WAN Hub 1; Virtual WAN Hub 2; Branch Location 1 With FortiGate; Branch Location 2 With FortiGate; Branch Location 3 With FortiGate; Branch Location 4 With ExpressRoute]
SD-WAN Hub in Azure

[Diagram labels: Azure SD-WAN Hub Virtual Network; FortiGate Hub A; FortiGate Hub B; 52.178.195.12; 52.17.15.12; WAN Subnet - 10.0.0.0/24; Transit Subnet 10.0.1.0/24; Services Subnet - 10.0.2.0/24]



SD-WAN Hub in Azure

[Diagram labels: Azure Virtual WAN Hub; Azure SD-WAN Hub Virtual Network; FortiGate Hub A; FortiGate Hub B; 52.178.195.12; 52.17.15.12; WAN Subnet - 10.0.0.0/24; Transit Subnet 10.0.1.0/24; shown three times: Subnet (.1), Subnet (.1), "Azure User Defined R", "0.0.0.0/0 – Virtual Ap"]
Demo Architecture

[Diagram labels: Virtual Network Connection (two); Virtual WAN Hub Router; BGP; FortiGate Scale Set; Virtual WAN Hub; Secured SD-WAN Overlay; Branch Location 1 With FortiGate]
How to Get Started
Start Your Test Deployment Today

Start deployment in non-prod accounts
Contact azurevwan@fortinet.com to get your customer access to the preview

Engage consulting services
FortiGate VM in Azure Virtual WAN can involve complex design. Engage Fortinet Cloud Consulting Services team to help your customer design and implement a best practice architecture



Cloud Consulting Services

• Architectural design
• Security posture, systems and processes
• Security gap Analysis
• Cloud migration
• Infrastructure as Code

[Diagram labels: Architect - Design; Automation; Template - Deploy; Assess Security Posture]

Procurement:
• Simple per-day FortiCare consulting SKU that can be used for any/all services up to one year from purchase
• FP-10-PS-001-831-01-01 ($3,000/day); no contracts to sign, simply activated like any other license in FortiCare portal
• Dedicated Cloud Engineer SKU will be available starting Q2 2022



Current Multinational Retail Customer Project

• Engaged by Microsoft to assist
• Can we do this today?
• What options do we have to deploy now and migrate?

[Diagram labels: Internet Edge Inbound (two); Virtual WAN Hub (three); Azure Workloads]



For more information or to get access to the preview
contact us:

azurevwan@fortinet.com

https://www.fortinet.com/products/sd-wan
Fortinet Azure Virtual WAN Blog
