S2S VPN using Azure vWAN
Use FortiGate 60E as on-premise VPN device
Phil Huang
October 24, 2022
Transcript
S2S VPN using Azure vWAN
Use FortiGate 60E as on-premise VPN device
Phil Huang <[email protected]>, Sr. Cloud Solution Architect
2022/10/24
What is the gap?
Cloud/on-premises hybrid network decision tree (1/2)
[Decision tree diagram; the questions and options recovered from the slide:]
• Should the default route go out via the Internet?
• Scenario: on-premises moving to the cloud / cloud-only / hybrid cloud
• Circuit redundancy choice: ExpressRoute or S2S VPN as the primary circuit, ExpressRoute or S2S VPN as the backup
• Primary/backup circuits: routing method?
Cloud/on-premises hybrid network decision tree (2/2)
[Decision tree diagram, continued:]
• Primary/backup circuits, routing method: Azure VPN Gateway / Azure vWAN / Azure Route Server
• Cloud/on-premises DNS choice: Azure Private DNS Resolver / DNS Forwarder VM / DNS Master / Slave
• Finish
Topology Overview
On-premises:
• FortiGate 60E: ASN 65533, BGP IP 168.254.99.100
• wan1: public IP x.x.x.x
• internal1: 192.168.100.254/24
• Surface (test client): 192.168.100.6/24
Azure vWAN, name wan-eastus:
• vHub vhub-eastus: private address space 10.10.0.0/24, ASN 65515
• VPN GW Instance 0: public IP y.y.y.y, private IP 10.10.0.4, BGP IP 10.10.0.12
• VPN GW Instance 1: public IP z.z.z.z, private IP 10.10.0.5, BGP IP 10.10.0.13
• BGP Peers 1 IP: 10.10.0.68; BGP Peers 2 IP: 10.10.0.69
• vnet-spoke-eastus: 10.11.0.0/16
Step 0: Initial Setup
[Diagram: the on-premises side only (FortiGate 60E ASN 65533, BGP IP 168.254.99.100, wan1 x.x.x.x, internal1 192.168.100.254/24, Surface 192.168.100.6/24) and vnet-spoke-eastus 10.11.0.0/16; no vWAN yet]
Step 1: Create Azure vWAN
[Diagram: the Step 0 topology with Azure vWAN wan-eastus added]
Create vWAN. Azure vWAN vHub: the component that actually provides the connectivity.
Step 2: Create Azure vHub
[Diagram: the full topology from the overview, now with vhub-eastus (10.10.0.0/24, ASN 65515), the two VPN gateway instances and the BGP peer IPs 10.10.0.68 / 10.10.0.69]
Complete: Create vHub
• All IP addresses inside the vHub are assigned automatically; none need to be set by hand
Create vHub with S2S VPN
Get the VPN Gateway configuration (1/2): the IPs are assigned automatically
Get the VPN Gateway configuration (2/2): the configuration shows the values from the topology overview (vhub-eastus 10.10.0.0/24, ASN 65515, BGP peers 10.10.0.68 / 10.10.0.69, and for each VPN gateway instance its public IP, private IP 10.10.0.4 / 10.10.0.5 and BGP IP 10.10.0.12 / 10.10.0.13)
Create Azure vHub S2S VPN Site (1/2)
• The on-premises VPN device details must be at hand before this form can be filled in
• Common VPN devices are supported, including but not limited to:
  • FortiGate 5.6+
  • Cisco ASR 15.2+
  • Cisco ASA 8.4+
  • JunOS 12.x
  • ...
Ref: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable
• On-premises device vendor: free-form, any name will do
Create Azure vHub S2S VPN Site (2/2)
• Link name: free-form, any name will do
• Link speed, in Mbps
• Physical circuit provider: free-form, any name will do
• The public IP of the on-premises VPN device
• The BGP IP the on-premises side will use once the S2S VPN is established
• The BGP ASN the on-premises side will use once the S2S VPN is established
• The on-premises VPN device details must be at hand before this form can be filled in
• One site can have several links
Ref: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#site
Edit VPN Connection (1/2)
Edit VPN Connection (2/2)
• The pre-shared key (PSK) needed to establish the S2S VPN connection
• One option is only used when the S2S VPN is built over ExpressRoute
• If the VPN device needs particular encryption settings, tick Custom and set the details
• If static routes are used, this option is not needed
Step 3: Create S2S VPN Connections
[Diagram: the full topology from the overview, now with the IPsec tunnels from wan1 (x.x.x.x) to VPN GW Instance 0 (y.y.y.y) and Instance 1 (z.z.z.z)]
Create IPsec Tunnel (1/3): the remote gateway is VPN GW Instance 0's public IP, y.y.y.y
Create IPsec Tunnel (2/3): y.y.y.y
Create IPsec Tunnel (3/3)
Ref: https://docs.fortinet.com/document/fortigate/6.4.8/administration-guide/255100/ipsec-vpn-to-azure-with-virtual-network-gateway
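The site, connection and tunnel steps above are portal and FortiGate GUI clicks. The following is an added example, not code from the deck, Microsoft or Fortinet: it reads a constructed configuration file shaped like Microsoft's published vWAN "Download VPN configuration" sample (field names as in that sample; only the fields read here are relied on), combines it with the deck's on-premises values, and emits FortiOS CLI for the 60E with one IKEv2 tunnel per gateway instance, BGP to both hub peers and firewall policies limited to the hub and spoke prefixes. Assumptions: the tunnel names az-instance0/az-instance1 and address objects s2s-net0.., RFC 5737 addresses standing in for x.x.x.x / y.y.y.y / z.z.z.z, a single aes256-sha256 / DH group 14 proposal that must be mirrored under Custom on the Azure connection, and a local policy that the PSK is at least 32 printable characters.

```python
"""Build FortiOS CLI for the FortiGate 60E from the vWAN hub's downloaded VPN
configuration.  Added example, not the deck author's, Microsoft's or Fortinet's
code; every ASSUMPTION is marked as such."""
import ipaddress
import json

# Constructed sample in the shape of Microsoft's published vWAN config file, with
# the deck's values; RFC 5737 addresses stand in for x/y/z.z.z.z (ASSUMPTION).
SAMPLE_VWAN_CONFIG = json.dumps([{
    "vpnSiteConfiguration": {"Name": "site-fortigate-60e", "IPAddress": "203.0.113.10"},
    "vpnSiteConnections": [{
        "hubConfiguration": {"AddressSpace": "10.10.0.0/24"},
        "gatewayConfiguration": {
            "IpAddresses": {"Instance0": "198.51.100.1", "Instance1": "198.51.100.2"},
            "BgpSetting": {"Asn": 65515, "BgpPeeringAddresses": {
                "Instance0": "10.10.0.12", "Instance1": "10.10.0.13"}}},
        "connectionConfiguration": {
            "IsBgpEnabled": True,
            "PreSharedKey": "REPLACE-WITH-A-RANDOM-32-CHAR-SECRET!!",
            "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                "SALifeTimeInSeconds": 3600}}}]}])

# On-premises side as drawn in the deck; the BGP IP is exactly what the deck shows
# (note it is not in the 169.254.0.0/16 APIPA range).  Spoke from step 4 of the deck.
ONPREM = {"wan_if": "wan1", "lan_if": "internal1", "lan": "192.168.100.0/24",
          "router_id": "192.168.100.254", "bgp_ip": "168.254.99.100", "asn": 65533,
          "spokes": ["10.11.0.0/16"]}


def parse_vwan_config(text):
    """Extract tunnel endpoints, BGP peers, PSK and SA lifetime; validate addresses."""
    conn = json.loads(text)[0]["vpnSiteConnections"][0]
    gw, cc = conn["gatewayConfiguration"], conn["connectionConfiguration"]
    if not cc.get("IsBgpEnabled"):
        raise ValueError("this generator expects a BGP-enabled connection")
    peers = gw["BgpSetting"]["BgpPeeringAddresses"]
    return {"hub": str(ipaddress.ip_network(conn["hubConfiguration"]["AddressSpace"])),
            "asn": int(gw["BgpSetting"]["Asn"]), "psk": cc["PreSharedKey"],
            "sa_seconds": int(cc["IPsecParameters"]["SALifeTimeInSeconds"]),
            "instances": [(i.lower(), str(ipaddress.ip_address(gw["IpAddresses"][i])),
                           str(ipaddress.ip_address(peers[i])))
                          for i in ("Instance0", "Instance1")]}


def check_psk(psk):
    # Azure accepts 1..128 printable ASCII; ASSUMPTION: local policy demands >= 32, no spaces.
    if not 32 <= len(psk) <= 128 or not all(33 <= ord(c) <= 126 for c in psk):
        raise ValueError("PSK must be 32..128 printable ASCII characters, no spaces")


def fortios_config(az, onprem):
    check_psk(az["psk"])
    lan = ipaddress.ip_network(onprem["lan"])
    if ipaddress.ip_address(onprem["bgp_ip"]) in ipaddress.ip_network(az["hub"]):
        raise ValueError("on-prem BGP IP must not lie inside the hub address space")
    # vWAN gateways are active-active: one IKEv2 SA per instance.  A single strong
    # proposal is emitted; select the same values under 'Custom' on the Azure side.
    out = ["config vpn ipsec phase1-interface"]
    for name, pub, _ in az["instances"]:
        out += [f'    edit "az-{name}"', f'        set interface "{onprem["wan_if"]}"',
                "        set ike-version 2", "        set keylife 28800",
                "        set peertype any", "        set net-device disable",
                "        set proposal aes256-sha256", "        set dhgrp 14",
                "        set dpd on-idle", f"        set remote-gw {pub}",
                f'        set psksecret "{az["psk"]}"', "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for name, _, _ in az["instances"]:
        out += [f'    edit "az-{name}"', f'        set phase1name "az-{name}"',
                "        set proposal aes256-sha256", "        set dhgrp 14",
                f"        set keylifeseconds {az['sa_seconds']}", "    next"]
    out += ["end", "config system interface"]  # tunnel IPs: local BGP IP / hub BGP IP
    for name, _, peer in az["instances"]:
        out += [f'    edit "az-{name}"', f"        set ip {onprem['bgp_ip']} 255.255.255.255",
                f"        set remote-ip {peer} 255.255.255.255", "    next"]
    out += ["end", "config router bgp", f"    set as {onprem['asn']}",
            f"    set router-id {onprem['router_id']}", "    set ebgp-multipath enable",
            "    config neighbor"]
    for name, _, peer in az["instances"]:
        out += [f'        edit "{peer}"', f"            set remote-as {az['asn']}",
                "            set ebgp-enforce-multihop enable",
                f'            set update-source "az-{name}"', "        next"]
    out += ["    end", "    config network", "        edit 1",
            f"            set prefix {lan.network_address} {lan.netmask}", "        next",
            "    end", "end", "config firewall address"]
    # Firewall: only the LAN, the hub and the peered spokes; never 'all' on a tunnel.
    nets = [onprem["lan"], az["hub"]] + list(onprem["spokes"])
    for i, cidr in enumerate(nets):
        n = ipaddress.ip_network(cidr)
        out += [f'    edit "s2s-net{i}"', f"        set subnet {n.network_address} {n.netmask}",
                "    next"]
    tunnels = " ".join(f'"az-{n}"' for n, _, _ in az["instances"])
    remote = " ".join(f'"s2s-net{i}"' for i in range(1, len(nets)))
    out += ["end", "config firewall policy"]
    for pname, sif, dif, sad, dad in (
            ("lan-to-azure", f'"{onprem["lan_if"]}"', tunnels, '"s2s-net0"', remote),
            ("azure-to-lan", tunnels, f'"{onprem["lan_if"]}"', remote, '"s2s-net0"')):
        out += ["    edit 0", f'        set name "{pname}"', f"        set srcintf {sif}",
                f"        set dstintf {dif}", f"        set srcaddr {sad}",
                f"        set dstaddr {dad}", "        set action accept",
                '        set schedule "always"', '        set service "ALL"',
                "        set logtraffic all", "    next"]
    return "\n".join(out + ["end"]) + "\n"
```

The tunnel interface's `set ip` is the on-premises BGP IP typed into the VPN site, and `set remote-ip` is the hub instance's BGP IP from the downloaded file, so the file rather than a portal screenshot should be the source of truth. The generated script carries the PSK in clear; handle the output as a secret, and use the configuration file itself to confirm that Azure assigned the same PSK to both instances.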
Check Connectivity Status from Azure View
Check Connectivity Status from VPN Device View: tunnels to y.y.y.y and z.z.z.z
Verify that the BGP peer IPs are reachable
Check the routing table
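The last slides check the result by hand from both sides. The following added example (not the deck author's code) does the FortiGate-side check programmatically over constructed CLI output in the shape of FortiOS's `get router info bgp summary` and `get router info routing-table bgp`: every hub peer from the topology must be Established with the expected AS, every expected prefix must be reachable through both tunnels, and the hub must not be leaking a default route (which a vWAN connection with "Propagate default route" enabled will advertise and which, depending on the distance of the FortiGate's static default route, can pull the site's Internet egress into Azure) or a prefix overlapping the LAN. The constructed sample deliberately has the instance 1 peer down and a default route present. The names EXPECTED and audit, and the tunnel names az-instance0/1, are assumptions.

```python
"""Audit the FortiGate side of the vWAN tunnels: peers, prefixes and unwanted
routes.  Added example, not the deck author's code; the CLI text below is
constructed in the shape of FortiOS 'get router info bgp summary' and
'get router info routing-table bgp' output, not captured from a device."""
import ipaddress
import re

# Constructed: the instance 1 peer never came up, and the hub is pushing a default
# route (a 'Propagate default route' connection setting) into the FortiGate.
BGP_SUMMARY = """\
BGP router identifier 192.168.100.254, local AS number 65533
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.0.12      4      65515      61      63        5    0    0 00:28:41        3
10.10.0.13      4      65515       9      11        0    0    0 never     Active

Total number of neighbors 2
"""
ROUTING_TABLE_BGP = """\
Routing table for VRF=0
B       10.10.0.0/24 [20/0] via 10.10.0.12 (recursive is directly connected, az-instance0), 00:28:41
B       10.11.0.0/16 [20/0] via 10.10.0.12 (recursive is directly connected, az-instance0), 00:28:41
B       0.0.0.0/0 [20/0] via 10.10.0.12 (recursive is directly connected, az-instance0), 00:28:41
"""
# What the deck's topology says we should see (ASSUMPTION: names are ours).
EXPECTED = {"peers": ["10.10.0.12", "10.10.0.13"], "asn": 65515,
            "prefixes": ["10.10.0.0/24", "10.11.0.0/16"], "lan": "192.168.100.0/24"}

PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+4\s+(\d+)(?:\s+\S+){5}\s+\S+\s+(\S+)\s*$")
ROUTE_RE = re.compile(r"^B\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")
ECMP_RE = re.compile(r"^\s+\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")


def parse_bgp_summary(text):
    """Map neighbor IP -> (remote AS, state column).  A numeric state column is
    the prefix count of an Established session; anything else is the FSM state."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers[m.group(1)] = (int(m.group(2)), m.group(3))
    return peers


def parse_bgp_routes(text):
    """Map prefix -> list of next hops, folding ECMP continuation lines in."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group(1)
            routes.setdefault(current, []).append(m.group(2))
            continue
        m = ECMP_RE.match(line)
        if m and current:
            routes[current].append(m.group(1))
    return routes


def audit(summary, table, peers, asn, prefixes, lan):
    findings = []
    seen = parse_bgp_summary(summary)
    for ip in peers:
        if ip not in seen:
            findings.append(f"peer {ip} missing from BGP summary")
        elif seen[ip][0] != asn:
            findings.append(f"peer {ip} is AS {seen[ip][0]}, expected {asn}")
        elif not seen[ip][1].isdigit():
            findings.append(f"peer {ip} not Established ({seen[ip][1]}): hub redundancy lost")
    routes = parse_bgp_routes(table)
    for prefix in prefixes:
        hops = set(routes.get(prefix, []))
        if not hops:
            findings.append(f"{prefix} not learned from the hub")
        elif len(hops) < len(peers):
            findings.append(f"{prefix} reachable via one tunnel only ({', '.join(sorted(hops))})")
    lan_net = ipaddress.ip_network(lan)
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            findings.append("default route learned from the hub: on-prem Internet "
                            "egress may be pulled into Azure")
        elif net.overlaps(lan_net):
            findings.append(f"{prefix} overlaps the on-prem LAN {lan}")
    return findings


def audit_sample():
    """Run the audit over the constructed output above; a healthy site returns []."""
    return audit(BGP_SUMMARY, ROUTING_TABLE_BGP, **EXPECTED)
```

Run it after each change to the hub connection as well as after the initial build: losing one of the two instances shows up only here or in the Azure connection view, since traffic keeps flowing over the surviving tunnel.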
Step 4: VNet Peering
[Diagram: the full topology from the overview, with vnet-spoke-eastus 10.11.0.0/16 now connected to vhub-eastus]