S2S VPN using Azure vWAN

Transcript

1. S2S VPN using Azure vWAN Phil Huang <[email protected]> Sr. Cloud

   Solution Architect 2022/10/24 Use FortiGate 60E as on-premise VPN device

2. What is the gap?

3. 雲地混合網路決策樹 (1/2) 預設路由走不 走 Internet? 地端上雲/ 用雲/ 混合雲 線路備援 選擇?

   主備線路 路由方式? Express Route S2S VPN Express Route S2S VPN

4. 雲地混合網路決策樹 (2/2) 主備線路 路由方式 雲地 DNS 選擇? Finish Azure Private

   DNS Resolver DNS Forwarder VM DNS Master / Slave Azure VPN Gateway Azure vWAN Azure Route Server

5. Topology Overview

6. Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public

   IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16

7. Initial Step 0

8. 0 Initial Setup FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100

   wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 vnet-spoke-eastus 10.11.0.0/16

9. Create Azure vWAN Step 1

10. 1 Create Azure vWAN FortiGate 60E ASN: 65533 BGP IP:

    168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus vnet-spoke-eastus 10.11.0.0/16

11. Create vWAN - Azure vWAN vHub: 實際上提供連線能力的服務

12. Create Azure vWAN vHub Step 2

13. 2 Create Azure vHub FortiGate 60E ASN: 65533 BGP IP:

    168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16

14. Complete Create vHub Azure vWAN Name: wan-eastus Name: vhub-eastus Private

    address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 • vHub 內全部 IP 為自動配置，無須手動設定

15. Create vHub with S2S VPN

16. Get the VPN Gateway configuration (1/2) 自動配置 IP

17. Get the VPN Gateway configuration (2/2) Azure vWAN Name: wan-eastus

    Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13

18. Create Azure vHub S2S VPN Site (1/2) • 需準備地端 VPN

    資訊才能 填寫 • 支援常見 VPN 設備如以下 但不限於 • FortiGate 5.6+ • Cisco ASR 15.2+ • Cisco ASA 8.4+ • JunOS 12.x • ... Ref: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable 地端設備廠商，可任意取名

19. Create Azure vHub S2S VPN Site (2/2) 連線名稱，可任意取名 連線速路，單位為 Mbps

    Ref: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#site 實體線路提供商，可任意取名 地端 VPN 連線對外 IP 建立 S2S VPN 後，地端使用的 BGP IP 建立 S2S VPN 後，地端使用的 BGP ASN • 需準備地端 VPN 資訊才能填寫 • 一站可建立多個 Link

20. Edit VPN Connection (1/2)

21. Edit VPN Connection (2/2) 建立 S2S VPN 連線所需的 PSK 密鑰

    如果是在 ExpressRoute 中，建立 S2S VPN 才使用 如果 VPN Device 有特殊加密選項則可以 勾選 Custom 進行細節設定 若採用 static route 則不需要使用此選項

22. Create VPN Tunnel Step 3

23. 3 Create S2S VPN Connections Ref: FortiGate 60E ASN: 65533

    BGP IP: 168.254.99.100 wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16

24. Create IPsec Tunnel (1/2) VPN GW Instance 0 Public IP:

    y.y.y.y y.y.y.y Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway

25. Create IPsec Tunnel (2/2) Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway y.y.y.y

26. Create IPsec Tunnel (3/3) Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway

27. Check Connectivity Status from Azure View

28. Check Connectivity Status from VPN Device View y.y.y.y z.z.z.z

29. 驗證 BGP IP 路由可達

30. 確認路由表

31. Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public

    IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.1/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.68 vnet-spoke-eastus 10.11.0.0/16 4 vNet Peering

32. VNet Peering

33. Ref: FortiGate 60E ASN: 65533 BGP IP: 168.254.99.100 wan1 Public

    IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24 Azure vWAN Name: wan-eastus Name: vhub-eastus Private address space: 10.10.0.0/24 ASN: 65515 VPN GW Instance 0 Public IP: y.y.y.y Private IP: 10.10.0.4 BGP IP: 10.10.0.12 VPN GW Instance 1 Public IP: z.z.z.z Private IP: 10.10.0.5 BGP IP: 10.10.0.13 BGP Peers 1 IP: 10.10.0.68 BGP Peers 2 IP: 10.10.0.69 vnet-spoke-eastus 10.11.0.0/16

34. Invent with purpose.