Set Up a VPN Between FortiGate and Azure - Part 1

The goal of this post is simple: set up an IPsec VPN connection between a FortiGate EC2 instance on AWS and the Azure VPN service. This post covers the FortiGate-side configuration only. Let's get started!

Give your VPN connection a name and choose Custom as the template type.

In the Network section, enter the required information. IP Address is the public IP of the Azure VPN service, that is, the public IP address of the Azure Virtual Network Gateway.

My FortiGate EC2 instance has only one NIC, so port1 is the only choice. Otherwise, choose your WAN port.

For Authentication, enter the pre-shared key that was entered during Azure Virtual Network Gateway creation.

For Phase 1 Proposal, the settings below are the minimum and are sufficient. You can configure more if you want or need to.

For Phase 2 Selectors, for simplicity, I configure only the Local Address and Remote Address.

That's it, save and exit. At this point, your IPsec tunnel will not be up yet. You need to add a firewall policy that allows outbound traffic into the IPsec tunnel, so the FortiGate can communicate with the Azure VPN service.

For simplicity, I set Source, Destination and Service to all. Please configure these according to your needs. Since we are configuring outbound traffic, the Incoming Interface is the local port (port1) and the Outgoing Interface is the VPN tunnel (AWSandAzure). I left the remaining settings at their defaults.

Once done, you should see your VPN status change from red to green (up). I used my existing configuration for the screenshot, so it is already green.

At this point, the minimum configuration for the IPsec VPN is done.

Next, I am going to test the connectivity between AWS( and Azure( through the tunnel. I already have a VM set up behind the FortiGate and another in Azure.

For the AWS VM to be able to ping the Azure VM, we need to add a static route that tells the FortiGate to send traffic destined for Azure through the VPN tunnel.

When a VPN tunnel is chosen as the Interface, it doesn't matter whether Dynamic Gateway is enabled or not.

With this static route, the AWS VM is now able to reach the Azure VM.

BUT, at this point, the Azure VM is still not able to ping the AWS VM, because the firewall policy has no such allow rule yet, so we need to set one up.

The logic of this policy is just the opposite of toAzureDemo. Since we are allowing the Azure VM to ping the AWS VM, the Incoming Interface is the VPN tunnel and the Outgoing Interface is whichever port the AWS VM is connected to; in my case, port1.

With this policy in place, we can now verify that the Azure VM can ping the AWS VM.
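As an added example (not from the original post), here is the equivalent FortiOS CLI for all of the GUI steps above, in the order they were done: Phase 1, Phase 2, the outbound policy, the static route and the inbound policy. Having the same configuration in CLI form makes it easy to review, diff and script. The tunnel name AWSandAzure, the policy name toAzureDemo and the port1 interface come from the post; everything else is an assumption or a placeholder: the IKE version and proposals (the post's Phase 1 screenshot is not reproduced here), the subnets 10.0.0.0/16 (AWS side) and 10.1.0.0/16 (Azure side), the inbound policy name fromAzureDemo, and the public IP and PSK placeholders.

```fortios
# Phase 1: IKE settings. "AWSandAzure" is the tunnel name from the post.
# Assumption: Azure route-based gateway, hence IKEv2; use ike-version 1 for a policy-based gateway.
config vpn ipsec phase1-interface
    edit "AWSandAzure"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw <AZURE_VNG_PUBLIC_IP>   # placeholder: public IP of the Azure Virtual Network Gateway
        set psksecret <PRE_SHARED_KEY>        # placeholder: PSK set on the Azure side
    next
end

# Phase 2: IPsec SA and selectors (local and remote subnets only, as in the post).
# Subnets are constructed examples, not the post's values.
config vpn ipsec phase2-interface
    edit "AWSandAzure"
        set phase1name "AWSandAzure"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.0.0.0 255.255.0.0   # AWS VPC (constructed)
        set dst-subnet 10.1.0.0 255.255.0.0   # Azure VNet (constructed)
    next
end

# Outbound policy "toAzureDemo": local port1 -> tunnel. Source/Destination/Service all, as in the post.
config firewall policy
    edit 0
        set name "toAzureDemo"
        set srcintf "port1"
        set dstintf "AWSandAzure"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route: send Azure-bound traffic into the tunnel interface. No gateway address needed.
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "AWSandAzure"
    next
end

# Inbound policy: tunnel -> port1, the mirror of toAzureDemo. Name "fromAzureDemo" is hypothetical.
config firewall policy
    edit 0
        set name "fromAzureDemo"
        set srcintf "AWSandAzure"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two notes on the design. First, by default the FortiGate only starts IKE negotiation when traffic matches a policy through the tunnel, which is why the tunnel stays red until toAzureDemo exists; `set auto-negotiate enable` under the phase2-interface brings it up without waiting for traffic, which is handy when troubleshooting. Second, the proposals on both ends must match exactly, so after applying this check `get vpn ipsec tunnel summary` for the tunnel state and `diagnose vpn ike gateway list` / `diagnose vpn tunnel list` for the negotiated Phase 1 and Phase 2 parameters; a tunnel that stays down with a proposal mismatch logged means the Azure gateway's IPsec/IKE policy does not accept the values chosen here.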

That's it for part 1, see you in part 2!

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.