Microsoft Azure Fortigate Appliance - How to deal with DMZ
To date I've traditionally been an on-prem engineer; however, we've started looking into Azure for some of our recent clients. One client's requirement for a cloud migration project was that they wanted to use a Fortigate Appliance in Azure, as they already have Fortigates at their multiple sites. No issue.
So we've set up Azure with the appliance and an S2S VPN between the Fortigate and their sites. All working well. A Security Group locks down the public IP to the external IPs of the client's sites, so nice and secure. Also, all servers in Azure use the appliance as their default gateway via a User Defined Route, so all traffic is currently going via the Fortigate Appliance.
Now... We want to expose some of the servers in Azure to the internet (web server / ADFS proxy, etc.). If this were on prem we'd create a DMZ on a different subnet, more than likely using a dedicated physical interface on the Fortigate, and either run it over a dedicated DMZ switch or VLAN it out and tighten it up with ACLs. Having done some research, it appears Azure is a bit of a funny beast and the idea of using a dedicated interface isn't the way to do this, so I guess I'm looking for some advice on how best to do this.
We have a VNET in Azure with a Server Subnet and a separate DMZ Subnet. I was thinking about just using User Defined Rules to ensure all servers in the DMZ Subnet also go via the appliance, but I can't get a separate NIC on the Fortigate to stick it on the same subnet! So do I just stick all the servers in the same subnet and then have to manually create different rules on a server-by-server basis with a deny / deny as default? I get the feeling the idea of zones isn't really going to work, but I'm keen on seeing what other people have done to solve the same issue, what the best practice might be, and what cookbooks are available for this. The only issue is that, to date, if I talk to Fortigate Support I get an "oh, you need to talk to Microsoft to do this", and talking to Microsoft they then send me right back to Fortigate to get help, so I'm kinda stuck in a no man's land with no one wanting to help!!!
Anyway, hoping someone on here would be kind enough to give me some decent pointers :)
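The following is an added example of how the DMZ zoning the post describes is usually built in Azure: with route tables and an NSG on the subnets, not with an extra NIC on the FortiGate. It is not from the original poster or from Fortinet, and all the names and addresses in it are assumptions (resource group rg-hub, VNet vnet-hub, subnets snet-servers 10.0.1.0/24 and snet-dmz 10.0.2.0/24, FortiGate internal NIC fgt-port2 at 10.0.0.4, region uksouth, published port 443). The az CLI commands and flags are real; the AZ variable only exists so the script can be dry-run.

```shell
#!/bin/sh
# Added example (not the original poster's configuration). Assumed names:
# resource group rg-hub, VNet vnet-hub, subnets snet-servers (10.0.1.0/24) and
# snet-dmz (10.0.2.0/24), FortiGate internal NIC fgt-port2 with private IP 10.0.0.4.
# Set AZ=echo to print the commands instead of running them (dry run).
AZ="${AZ:-az}"

RG="rg-hub"
LOC="uksouth"
VNET="vnet-hub"
SERVERS_SUBNET="snet-servers"; SERVERS_PREFIX="10.0.1.0/24"
DMZ_SUBNET="snet-dmz";         DMZ_PREFIX="10.0.2.0/24"
FGT_NIC="fgt-port2"
FGT_IP="10.0.0.4"

# 1. The appliance NIC must be allowed to forward packets that are not addressed
#    to it; otherwise the Azure fabric drops traffic that a UDR steers at it.
enable_fgt_forwarding() {
  "$AZ" network nic update --resource-group "$RG" --name "$FGT_NIC" --ip-forwarding true
}

# 2. One route table per zone. Each sends Internet-bound traffic to the FortiGate
#    AND sends traffic for the other zone's prefix to the FortiGate. The second
#    route is the one people forget: the VNet system route would otherwise deliver
#    DMZ<->servers traffic directly and the firewall would never see it. Both
#    tables need it so the return path is symmetric (the FortiGate drops sessions
#    it only sees one direction of).
create_zone_route_table() {
  rt="$1"; peer_prefix="$2"
  "$AZ" network route-table create --resource-group "$RG" --location "$LOC" --name "$rt"
  "$AZ" network route-table route create --resource-group "$RG" --route-table-name "$rt" \
    --name to-internet --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FGT_IP"
  "$AZ" network route-table route create --resource-group "$RG" --route-table-name "$rt" \
    --name to-peer-zone --address-prefix "$peer_prefix" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FGT_IP"
}

# 3. NSG on the DMZ subnet as an independent second layer for north-south traffic:
#    only the published service port is reachable from the Internet; the default
#    DenyAllInBound rule covers everything else.
create_dmz_nsg() {
  nsg="$1"; app_port="$2"
  "$AZ" network nsg create --resource-group "$RG" --location "$LOC" --name "$nsg"
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$nsg" --name allow-inbound-app \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes Internet --destination-address-prefixes "$DMZ_PREFIX" \
    --destination-port-ranges "$app_port"
}

# 4. Attach a route table (and optionally an NSG) to a subnet.
attach_to_subnet() {
  subnet="$1"; rt="$2"; nsg="$3"
  if [ -n "$nsg" ]; then
    "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$subnet" \
      --route-table "$rt" --network-security-group "$nsg"
  else
    "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$subnet" \
      --route-table "$rt"
  fi
}

build_dmz() {
  enable_fgt_forwarding
  create_zone_route_table rt-servers "$DMZ_PREFIX"
  create_zone_route_table rt-dmz "$SERVERS_PREFIX"
  create_dmz_nsg nsg-dmz 443
  attach_to_subnet "$SERVERS_SUBNET" rt-servers ""
  attach_to_subnet "$DMZ_SUBNET" rt-dmz nsg-dmz
}

# Only touch Azure when explicitly asked: `sh dmz.sh apply` (or `AZ=echo sh dmz.sh apply` to preview).
[ "${1:-}" = "apply" ] && build_dmz
```

With this in place the FortiGate keeps its usual two interfaces (external and internal); the "zones" are the two subnets, and the firewall policies are written against address objects for 10.0.1.0/24 and 10.0.2.0/24 rather than against a dedicated DMZ port. Two caveats worth knowing before relying on it: an NSG is evaluated on the packet's original source and destination, independently of where the UDR sends it, so an NSG rule that denies DMZ-to-servers traffic would also block the flows the FortiGate is meant to permit (keep east-west policy on the FortiGate and use the NSG for north-south); and a route table only affects traffic leaving the subnet it is attached to, so both subnets need the peer-zone route, not just the DMZ.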