Statement from Microsoft Turkey’s General Manager Levent Özbilgin:
“In the Official Gazette published on March 12, 2024, and enacted on June 1, 2024, it was emphasized that Article 9 of the Personal Data Protection Law (KVKK) No. 6698 was aligned with the European Union General Data Protection Regulation (GDPR). In line with this new regulation, we at Microsoft have taken the necessary steps to help our customers comply with the legislation. As a result, the Standard Contracts published by the Personal Data Protection Authority (KVKK) on July 10, 2024, have become part of our corporate agreement package. Therefore, every corporate customer in Turkey using or planning to use Microsoft cloud services will be able to securely store the personal data they process in the Microsoft cloud and benefit from services that offer the highest level of regulatory compliance globally. We thank all our stakeholders, especially the Personal Data Protection Authority, who contributed to the legislation of this important regulation.”
This announcement points to wider adoption of Microsoft Azure in Türkiye, where many companies will continue to run hybrid environments. In such hybrid setups, a VPN (Virtual Private Network) is the usual way to connect on-premises infrastructure to the cloud over an encrypted channel.
In this post, I will discuss configuring an IPsec-based site-to-site VPN between a Fortigate Firewall and the Azure cloud environment. A site-to-site VPN is a critical solution that provides secure and encrypted data transmission between networks in different geographic locations. This setup has become a core component of hybrid cloud strategies by offering both security and flexibility.
Some advantages of IPsec site-to-site VPN include:
- Security: Traffic between the two sites travels through an authenticated, encrypted IPsec tunnel, so it cannot be read or altered in transit.
- Flexibility: Networks in different locations can be connected over any internet link, and new sites are added without changing the physical topology.
- Cost-Effectiveness: It is far cheaper than a dedicated physical link such as a leased line.
- Easy Management: Tunnels are configured and monitored from a central management interface rather than on dedicated hardware.
In this post, while highlighting the importance and advantages of using VPNs in hybrid cloud environments, I also provide a summary of how to configure a VPN between Fortigate and Azure. I hope this is helpful! If you need assistance with another topic, please feel free to reach out to me.
1. Create a Resource Group
First, create a Resource Group in the Azure portal. A Resource Group helps you organize and manage your Azure resources.
- Region: Select the nearest region. In this example, we will use “Germany West Central”.
- Resource Group Name: Give it a meaningful name.
2. Create a Virtual Network
A Virtual Network (VNet) allows your Azure resources to communicate with each other. Follow these steps to create a VNet:
- Address Range: 10.0.0.0/23
- Subnet Name: “Azure_internal_network”
- Subnet Address Range: 10.0.1.0/24
3. Add a New Subnet to the Virtual Network
The VPN Gateway needs a dedicated subnet that must be named exactly "GatewaySubnet"; Azure recommends a /27 or larger. Place nothing else in it.
- Subnet Name: “GatewaySubnet”
- Address Space: 10.0.0.0/24
4. Add a Local Network Gateway
Create a Local Network Gateway in the Azure portal. It represents your on-premises site: the public address of the VPN peer and the private ranges that sit behind it.
- IP Address: The public (WAN) IP address of your on-premises Fortigate. It must be a static address that Azure can reach.
- Address Space(s): The on-premises subnet(s) that should be reachable from Azure. They must not overlap the VNet address range (10.0.0.0/23 in this example), otherwise routing is ambiguous on both sides.
5. Create a Virtual Network Gateway
The Virtual Network Gateway connects your Azure VNet to other networks. Follow these steps to create a Virtual Network Gateway:
- Gateway Type: VPN
- VPN Type: Route-based
- SKU: VpnGw1 (For pricing details, you can check Azure VPN Gateway Pricing).
- Generation: 1
- Public IP Address: Create a new public IP address and name it.
6. Create a Connection in the Virtual Network Gateway Interface
Go to the Virtual Network Gateway interface in the Azure portal and create a new connection:
- Connection Type: Site-to-site (IPSec)
- Local Network Gateway: Select the local network gateway you created earlier.
- Shared Key (PSK): Use a long, randomly generated key (32 or more characters from a password manager or a CSPRNG), enter the same key on the Fortigate, and do not reuse it for any other tunnel.
Fortigate Configuration
Follow these steps to configure the VPN connection on your Fortigate device.
7. Create a New VPN with the IPsec Wizard
In the Fortigate interface, go to VPN > IPsec Wizard and create a new tunnel:
- Template: Custom
- Remote Gateway: Static IP Address
- IP Address: The public IP address assigned to the Azure Virtual Network Gateway in step 5 (not the on-premises address).
- Dead Peer Detection: On Idle
- Authentication Method: Pre-Shared Key
- Pre-shared Key: The same key you entered in the Azure connection in step 6.
- IKE Version: 2
- IPsec/IKE Parameters: With no custom policy on the Azure connection, the gateway accepts any of Azure's default Phase 1 proposals:
- AES256 – SHA256
- AES256 – SHA1
- AES128 – SHA1
- 3DES – SHA1
- Diffie-Hellman Group: 2
- Key Lifetime: 28800 seconds
- PFS: Disabled (a Phase 2 setting; this is Azure's default)
Three of those four proposals depend on SHA-1 or 3DES, and DH group 2 is a 1024-bit MODP group. They remain in Azure's defaults for compatibility with old devices, not because they are still considered sound. The connection created in step 6 accepts a custom IPsec/IKE policy on every gateway SKU except Basic, so the recommended setup is to keep only AES256 – SHA256 with DH group 14 (or an ECP group) on the Fortigate, configure the matching policy on the Azure connection, and enable PFS in Phase 2. The Fortigate will then never fall back to a weaker proposal.
Use the same encryption and integrity algorithms for Phase 2. Leave the Phase 2 selectors at 0.0.0.0/0 on both sides, which is what Azure's route-based gateway negotiates; control which subnets cross the tunnel with routes and firewall policies, not with selectors. Azure's default Phase 2 (IPsec SA) lifetime is 27,000 seconds or 102,400,000 KB.
8. Create a Fortigate Policy
Create a firewall policy that allows traffic from the local network into the tunnel:
- Incoming Interface: Local network
- Outgoing Interface: Azure_VPN_tunnel
- Source: The on-premises IP addresses or blocks that should be able to reach Azure.
- Destination: The Azure address range (10.0.1.0/24 in this example), defined as an address object rather than "all".
- NAT: Disabled. Both sides route their private ranges over the tunnel, so no translation is needed, and enabling it would hide the real on-premises source addresses from Azure logs and NSG rules.
Fortigate policies are directional. If workloads in Azure must initiate connections to on-premises hosts (monitoring, domain controllers, backup agents), add a second policy with Azure_VPN_tunnel as the incoming interface and the local network as the outgoing interface, again with NAT disabled. Restrict Service in each direction to what is actually needed.
9. Create a Fortigate Static Route
Create a static route so that traffic for Azure enters the tunnel:
- Destination: Subnet 10.0.1.0/24 (or the whole VNet range, 10.0.0.0/23)
- Interface: Azure_VPN_tunnel
- Administrative Distance: 2
Add a second route to the same destination with Blackhole enabled and a high administrative distance (for example 254). While the tunnel is up the tunnel route wins; if the tunnel interface goes down, the blackhole route takes over and traffic for Azure is dropped instead of leaking unencrypted towards the default route.
10. Bring Up the VPN in the Fortigate VPN Tab
Finally, go to VPN > IPsec Tunnels in the Fortigate interface, select the tunnel and choose Bring Up. On the Fortigate, "diagnose vpn ike gateway list" and "diagnose vpn tunnel list" show whether the Phase 1 and Phase 2 SAs were established and with which proposal; in the Azure portal the connection status should change to Connected. If the tunnel does not come up, re-check the Azure VPN Gateway public IP, the pre-shared key and the proposal list first.
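As an added example (not code from the original post, nor from Fortinet or Microsoft), the following Python script checks the addressing and crypto choices from steps 2 to 7 for the mistakes that most often leave a tunnel either down or weaker than intended, and prints the FortiOS CLI equivalent of steps 7 to 9 so the configuration can be reviewed and pasted rather than clicked through. The VNet and subnet values are the post's; the interface names (wan1, internal), the on-premises range 192.168.10.0/24 and the gateway IP 203.0.113.10 are placeholders. It deliberately goes beyond the post's defaults: it rejects the SHA-1/3DES proposals, DH group 2 and disabled PFS, and it adds the blackhole route so traffic for Azure is dropped rather than sent out the default route while the tunnel is down.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Azure's default IKEv2 policy still offers these; a hardened tunnel should not.
WEAK_PROPOSALS = {"3des-sha1", "aes128-sha1", "aes256-sha1"}


@dataclass
class TunnelPlan:
    name: str = "Azure_VPN_tunnel"
    wan_if: str = "wan1"                 # assumption: FortiGate WAN interface
    lan_if: str = "internal"             # assumption: FortiGate LAN interface
    azure_gw_ip: str = "203.0.113.10"    # placeholder: VPN Gateway public IP
    vnet: str = "10.0.0.0/23"            # step 2
    gateway_subnet: str = "10.0.0.0/24"  # step 3
    onprem: str = "192.168.10.0/24"      # assumption: LAN behind the FortiGate
    proposal: str = "aes256-sha256"      # instead of the SHA-1/3DES defaults
    dhgrp: int = 14                      # instead of DH group 2
    pfs: bool = True                     # instead of PFS disabled


def validate(p: TunnelPlan) -> list:
    # Return the problems found; an empty list means the plan is usable.
    vnet = ipaddress.ip_network(p.vnet)
    gw = ipaddress.ip_network(p.gateway_subnet)
    onprem = ipaddress.ip_network(p.onprem)
    problems = []
    if not gw.subnet_of(vnet):
        problems.append(f"GatewaySubnet {gw} lies outside the VNet {vnet}")
    if onprem.overlaps(vnet):
        problems.append(f"on-prem range {onprem} overlaps the VNet {vnet}")
    if p.proposal in WEAK_PROPOSALS:
        problems.append(f"proposal {p.proposal} relies on SHA-1 or 3DES")
    if p.dhgrp < 14:  # groups 1, 2 and 5 are 768- to 1536-bit MODP
        problems.append(f"DH group {p.dhgrp} is too small; use 14 or an ECP group")
    if not p.pfs:
        problems.append("PFS disabled: one recovered IKE key exposes every IPsec SA")
    return problems


def fortios_net(cidr: str) -> str:
    # '10.0.0.0/23' -> '10.0.0.0 255.255.254.0', the form FortiOS expects.
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def render_fortios(p: TunnelPlan, psk: str = None) -> str:
    # FortiOS CLI for steps 7-9; refuses to render a plan that fails validate().
    if problems := validate(p):
        raise ValueError("; ".join(problems))
    psk = psk or secrets.token_urlsafe(32)  # paste the same string into Azure
    azure = fortios_net(p.vnet)
    return f"""\
config vpn ipsec phase1-interface
    edit "{p.name}"
        set interface "{p.wan_if}"
        set ike-version 2
        set remote-gw {p.azure_gw_ip}
        set proposal {p.proposal}
        set dhgrp {p.dhgrp}
        set dpd on-idle
        set psksecret "{psk}"
    next
end
config vpn ipsec phase2-interface
    edit "{p.name}"
        set phase1name "{p.name}"
        set proposal {p.proposal}
        set pfs enable
        set dhgrp {p.dhgrp}
        set auto-negotiate enable
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 0
        set srcintf "{p.lan_if}"
        set dstintf "{p.name}"
        set srcaddr "LAN_net"
        set dstaddr "Azure_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
config router static
    edit 0
        set dst {azure}
        set device "{p.name}"
        set distance 2
    next
    edit 0
        set dst {azure}
        set blackhole enable
        set distance 254
    next
end
"""
```

Run it with print(render_fortios(TunnelPlan())) to get a fresh PSK and the config. LAN_net and Azure_net are firewall address objects for the two ranges; create them under Policy & Objects > Addresses before pasting the policy. The matching policy on the Azure side is set on the connection from step 6 with "az network vpn-connection ipsec-policy add" (AES256/SHA256 for IKE, DHGroup14, PFS2048), so that both peers refuse anything weaker.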
By following these steps, you can establish a secure Site-to-Site VPN connection between Azure and Fortigate.