Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
S2S VPN using Azure vWAN
Search
Phil Huang
October 24, 2022
Technology
0
16
S2S VPN using Azure vWAN
Use FortiGate 60E as on-premise VPN device
Phil Huang
October 24, 2022
Tweet
Share
More Decks by Phil Huang
See All by Phil Huang
20240425 Play and Discuss the game “K8S LAN Party”
pichuang
0
88
20231210 Azure Kubernetes Services 永續性軟體工程設計方針
pichuang
1
56
20231129 如何選擇適當的 CNCF Project 來使用
pichuang
0
100
Cloud Native Taiwan User Group: Governance of Open-Source Communities in Non-English Region
pichuang
0
10
20231024 CNSW Lightning Talk: TAG Environmental Sustainability
pichuang
0
88
20230913_採用 Azure OpenAI 和 Azure Kubernetes Service 來建構您自己的 AI 應用程式
pichuang
1
110
20230615 Kubernetes Scalable Workloads
pichuang
1
230
混合雲基礎架構探討 Microsoft Azure Infrastructure
pichuang
0
110
20230328 ARO Technical Workshop
pichuang
0
90
Other Decks in Technology
See All in Technology
ルーターでプレゼンする
puhitaku
1
3.4k
【基本】データベース設計
oracle4engineer
PRO
2
250
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.7k
生産性向上チームの紹介
cybozuinsideout
PRO
1
960
しくじり先生、PharmaXのLLMアプリケーション開発の失敗を語る
pharma_x_tech
0
100
How to do well in consulting–Balkan Ruby 2024
irinanazarova
0
170
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
1
380
AWSやJAWS-UGとの出会いを振り返る
yoyoyopg
1
130
Azureの基本的な権限管理の勉強会
yhana
1
2.2k
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
440
競技としてのKaggle、役に立つKaggle
yu4u
7
2.4k
M5と自作基板をくっつけてみた〜M5 Japan Tour 2024 Spring 福冈 (Fukuoka|福岡)〜
keropiyo
0
190
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
75
5.2k
Adopting Sorbet at Scale
ufuk
69
8.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
123
39k
Building a Scalable Design System with Sketch
lauravandoore
457
32k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
What's new in Ruby 2.0
geeforr
337
31k
4 Signs Your Business is Dying
shpigford
176
21k
Agile that works and the tools we love
rasmusluckow
325
20k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
GitHub's CSS Performance
jonrohan
1025
450k
Transcript
S2S VPN using Azure vWAN Phil Huang <
[email protected]
> Sr. Cloud
Solution Architect 2022/10/24 Use FortiGate 60E as on-premise VPN device
What is the gap?
雲地混合網路決策樹 (1/2) 預設路由走不 走 Internet? 地端上雲/ 用雲/ 混合雲 線路備援 選擇?
主備線路 路由方式? Express Route S2S VPN Express Route S2S VPN
雲地混合網路決策樹 (2/2) 主備線路 路由方式 雲地 DNS 選擇? Finish Azure Private
DNS Resolver DNS Forwarder VM DNS Master / Slave Azure VPN Gateway Azure vWAN Azure Route Server
Topology Overview
Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public
IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16
Initial Step 0
0 Initial Setup FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100
wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 vnet-spoke-eastus 10.11.0.0/16
Create Azure vWAN Step 1
1 Create Azure vWAN FortiGate 60E ASN: 65533 BGP IP:
168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus vnet-spoke-eastus 10.11.0.0/16
Create vWAN - Azure vWAN vHub: 實際上提供連線能力的服務
Create Azure vWAN vHub Step 2
2 Create Azure vHub FortiGate 60E ASN: 65533 BGP IP:
168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16
Complete Create vHub Azure vWAN Name: wan-eastus Name: vhub-eastus Private
address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 • vHub 內全部 IP 為自動配置,無須手動設定
Create vHub with S2S VPN
Get the VPN Gateway configuration (1/2) 自動配置 IP
Get the VPN Gateway configuration (2/2) Azure vWAN Name: wan-eastus
Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13
Create Azure vHub S2S VPN Site (1/2) • 需準備地端 VPN
資訊才能 填寫 • 支援常見 VPN 設備如以下 但不限於 • FortiGate 5.6+ • Cisco ASR 15.2+ • Cisco ASA 8.4+ • JunOS 12.x • ... Ref: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable 地端設備廠商,可任意取名
Create Azure vHub S2S VPN Site (2/2) 連線名稱,可任意取名 連線速路,單位為 Mbps
Ref: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#site 實體線路提供商,可任意取名 地端 VPN 連線對外 IP 建立 S2S VPN 後,地端使用的 BGP IP 建立 S2S VPN 後,地端使用的 BGP ASN • 需準備地端 VPN 資訊才能填寫 • 一站可建立多個 Link
Edit VPN Connection (1/2)
Edit VPN Connection (2/2) 建立 S2S VPN 連線所需的 PSK 密鑰
如果是在 ExpressRoute 中,建立 S2S VPN 才使用 如果 VPN Device 有特殊加密選項則可以 勾選 Custom 進行細節設定 若採用 static route 則不需要使用此選項
Create VPN Tunnel Step 3
3 Create S2S VPN Connections Ref: FortiGate 60E ASN: 65533
BGP IP: 168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16
Create IPsec Tunnel (1/2) VPN GW Instance 0 Public IP:
y.y.y.y y.y.y.y Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway
Create IPsec Tunnel (2/2) Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway y.y.y.y
Create IPsec Tunnel (3/3) Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway
Check Connectivity Status from Azure View
Check Connectivity Status from VPN Device View y.y.y.y z.z.z.z
驗證 BGP IP 路由可達
確認路由表
Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public
IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.1/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.68 vnet-spoke-eastus 10.11.0.0/16 4 vNet Peering
VNet Peering
Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public
IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16
Invent with purpose.