
SD-WAN Architecture for Enterprise


7.0.0

Cloud on-ramp for dynamic environments

Dynamic environments are deployments and services in which the IP address and location of the FortiGate VM change over time. Auto-scaling deployments, where FortiGate VMs are spun up and deleted on demand, are one example. Because there is no static IP address for branches to use as a tunnel destination, a different design is required.

Instead of configuring the FortiGate VM to act as a dialup server, in these environments it acts as a dialup client to another gateway (such as the datacenter SD-WAN gateway). ADVPN is then used for dynamic branch-to-cloud connectivity. This allows the cloud gateway(s) to spin up in any location, with varying IP addresses, and still be reachable from branch sites through the dynamic nature of the ADVPN protocol.

Considerations:

  • At least one static gateway is required to act as the ADVPN sender. This gateway, or gateways, acts as the dialup server for both branches and cloud gateways.
  • In this design, cloud gateways are treated like branch dialup clients: the cloud gateway initiates the IPsec connection to the static gateway when it comes online.
  • Cloud gateways advertise their networks to the ADVPN sender (the datacenter gateway in this diagram), which in turn makes those networks reachable from other branches by using BGP.
  • When a branch needs a service or resource behind a cloud gateway, it dynamically connects to that gateway directly through an ADVPN shortcut.
  • For ADVPN to operate correctly, all sites' prefixes must be preserved unchanged, including their original BGP next-hop values. The specific routes therefore cannot be replaced with summaries (unlike in a static hub-and-spoke topology), and the BGP route reflector (RR) function is mandatory: the gateway must reflect the original routes between the spokes without altering them.
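The following FortiOS CLI fragments are an added example of the design above; they are not configuration taken from this guide. They show the static datacenter gateway as dialup server, ADVPN sender and iBGP route reflector, and a cloud FortiGate VM as dialup client and ADVPN receiver. Interface names, the AS number, the tunnel address pool (10.255.0.0/16), the cloud LAN prefix (10.20.0.0/24) and the use of IKE mode-config to hand each cloud VM a tunnel IP are assumptions chosen so that auto-scaled VMs need no per-instance addressing; the PSK and hub public IP are placeholders.

```fortios
# ---- Static datacenter gateway (dialup server, ADVPN sender, BGP RR) ----
# Assumed: port1 is the WAN interface, AS 65000, tunnel pool 10.255.0.0/16.
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic                    # dialup server: branches and cloud VMs connect here
        set interface "port1"
        set ike-version 2
        set peertype any                    # cloud VM source IP is not known in advance
        set net-device disable              # single tunnel interface shared by all dialup peers
        set proposal aes256-sha256
        set add-route disable               # routes come from BGP, not from IKE
        set dpd on-idle
        set auto-discovery-sender enable    # hub offers ADVPN shortcuts between spokes
        set mode-cfg enable                 # assumption: hub assigns tunnel IPs to dialup peers
        set ipv4-start-ip 10.255.1.1
        set ipv4-end-ip 10.255.255.254
        set ipv4-netmask 255.255.0.0
        set psksecret <PSK-PLACEHOLDER>
    next
end
config system interface
    edit "advpn-hub"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.254 255.255.0.0
    next
end
config router bgp
    set as 65000
    set router-id 10.255.0.1
    set ibgp-multipath enable
    config neighbor-group
        edit "advpn-spokes"
            set remote-as 65000
            set route-reflector-client enable   # reflect each spoke's routes to the others
            set next-hop-self disable           # keep the original next-hop so shortcuts form
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.255.0.0 255.255.0.0   # any peer from the tunnel pool may establish iBGP
            set neighbor-group "advpn-spokes"
        next
    end
end

# ---- Cloud FortiGate VM (dialup client, ADVPN receiver) ----
# Assumed: port1 is the WAN interface, cloud LAN 10.20.0.0/24 behind port2.
config vpn ipsec phase1-interface
    edit "advpn-to-hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable  # accept shortcut offers relayed by the hub
        set mode-cfg enable                 # assumption: take the tunnel IP the hub assigns
        set remote-gw <HUB-STATIC-IP-PLACEHOLDER>
        set psksecret <PSK-PLACEHOLDER>
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.255.0.1"                   # the hub's tunnel address
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 10.20.0.0 255.255.255.0   # cloud LAN advertised with this VM as next-hop
        next
    end
end
```

Two points matter for the route-reflector requirement stated above: the hub must not set `next-hop-self` towards the spokes and must not summarise the spoke prefixes, otherwise branches would see the hub as the next-hop and never build a shortcut to the cloud VM. On a branch, `get router info bgp network` should show the cloud prefix with the cloud VM's tunnel IP as next-hop, and after the first flow `diagnose vpn tunnel list` should show a shortcut tunnel to that VM in addition to the tunnel to the hub. If a shortcut never appears, check the BGP next-hop on the branch before anything else.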
