Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sam_Brown
New Contributor

Microsoft Azure Fortigate Appliance - How to deal with DMZ

Hi All,

 

To date I've traditionally been an on prem engineer however we've started looking into Azure for some of our recent clients. One clients requirements for a cloud migration project was that they wanted to use Fortigate Appliance in Azure as they already have Fortigates in their multiple sites. No issue.

 

So we've set up Azure with the appliance and S2S VPN between the Fortigate and their sites. All working well. Security Group to lock down the public IP to the external IP of the clients sites so nice and secure. Also all servers in Azure use the appliance as their default gateway using a User Defined Route so all traffic currently going via the Fortigate Appliance.

 

Now... We want to expose some of the servers in Azure to the internet (web server \ adfs proxy etc etc). If this was on prem we'd create a DMZ on a different subnet and more than likely using a dedicated physical interface on the fortigate and either run it over a dedicated DMZ switch or VLAN it out and tighten it up with ACLs. Now doing some research it appears Azure is a bit of a funny beast and the idea of using a dedicated interface isn't the way to do this so I guess I'm looking for some advice on how to best do this. 

 

We have a VNET in Azure with a Server Subnet and separate DMZ Subnet. I was thinking about just using User Defined Rules to ensure all servers in the DMZ Subnet also go via the appliance but I can't get a separate nic on the fortigate to stick it on the same subnet! So do I just stick all the servers in the same subnet and then have to manually create different rules on a server by server basis with a deny \ deny as default? I get the feeling the idea of zones isn't really going to work but I'm keep on seeing what other people have done to solve the same issue and what the best practice might be and what cookbooks are available for this. Only issue is to date if I talk to Fortigate Support I get a "oh you need to talk to Microsoft to do this" and talking to Microsoft then send me right back to Fortigate to get help so I'm kinda stuck in a no mans land with no one wanting to help!!! 

 

Anyway hoping someone on here would be kind enough to give me some decent pointers :)

3 REPLIES 3
bmduncan34
New Contributor III

I see it was crickets after your post.  How did you make out?  We're looking at extending our network into Azure and want to use a FGT vm in place of the native Microsoft security.  Just interested in what happened with you.

 

Thanks.

 

 

Sam_Brown

We have the appliance in place now and it is working well. There were some frustrations with the initial implementation and a lot of back and forwards between Microsoft and Fortigate pointing fingers. In the end I had a moan on reddit and someone from MS reached out to me directly and said there was a "bug" around billing and some  appliances not working with CSP model Azure Subscriptions which causes an issue during the deployment stage.

Not had any issues since then. Unsure if that was related to our tenant specifically or a wider issue but we're all good at the moment.

bamather
New Contributor

Sam - How did you end up setting this up?

Labels
Top Kudoed Authors