SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Overlay network

The first step in transforming a group of autonomous FortiGate devices into an SD-WAN Solution is to build an overlay network that interconnects all sites. FortiGates deployed at the perimeter of each site will become the SD-WAN nodes in our solution, and each FortiGate is "responsible" for the site behind it.

We will use IPsec tunnels to build the overlay network over all available underlay transports, forming a Hub-and-Spoke topology. This way we can secure corporate (site-to-site) traffic and provide confidentiality, integrity, and mutual site authentication, as expected from an industry-standard IPsec suite.

Hub-and-Spoke topologies are highly scalable, and they have an important Zero-Touch property: when adding or removing a Spoke, configuration of all other devices remains untouched. Hub-and-Spoke topologies can also be enhanced with redundancy options (such as Dual-Hub), and they can be extended to multiple regions (which are multiple Hub-and-Spoke topologies interconnected together) for large-scale deployments. We will discuss these options in more detail in Overlay network designs.

Auto-Discovery VPN (ADVPN), which is our dynamic tunneling technology, is enabled in our Hub-and-Spoke topology. ADVPN dynamically builds direct Spoke-to-Spoke tunnels (also known as shortcuts) when they are needed, and tears them down when they are no longer in use. It preserves the Zero-Touch property of a Hub-and-Spoke topology and avoids the configuration complexity of a Full-Mesh, while still providing direct site-to-site communication that does not bottleneck at the Hub.

An SD-WAN/ADVPN Hub-and-Spoke topology is the most fundamental building block of our SD-WAN Solution. All the overlay tunnels are configured as SD-WAN members, in addition to the underlay interfaces. SD-WAN rules can then be used to steer corporate traffic, applying the same strategies we briefly discussed in the previous section.
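As an added example (not configuration from this guide), the following FortiOS 7.2 CLI fragment shows the minimum needed for the topology just described: one Hub with a dial-up IKEv2 tunnel that accepts any Spoke, one Spoke connecting to it over a single transport, ADVPN enabled on both, and the Spoke's overlay tunnel registered as an SD-WAN member next to its underlay interface. The tunnel names, the interfaces "port1" and "wan1", the Hub address 192.0.2.1 and the PSK placeholder are assumptions; the routing protocol that advertises site prefixes over the tunnels is left out.

```fortios
# Hub: dial-up IKEv2 phase1 accepts any Spoke, so adding a Spoke needs no Hub change
config vpn ipsec phase1-interface
    edit "HUB-OVERLAY1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set psksecret <PLACEHOLDER-PSK>
    next
end
config vpn ipsec phase2-interface
    edit "HUB-OVERLAY1"
        set phase1name "HUB-OVERLAY1"
        set proposal aes256-sha256
    next
end
# Spoke: static phase1 to the Hub (192.0.2.1 is a constructed documentation address);
# auto-discovery-receiver lets it build Spoke-to-Spoke shortcuts on the Hub's offer
config vpn ipsec phase1-interface
    edit "SPOKE-OVERLAY1"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 192.0.2.1
        set psksecret <PLACEHOLDER-PSK>
    next
end
config vpn ipsec phase2-interface
    edit "SPOKE-OVERLAY1"
        set phase1name "SPOKE-OVERLAY1"
        set proposal aes256-sha256
    next
end
# Spoke: the overlay tunnel and the underlay interface both become SD-WAN members
config system sdwan
    set status enable
    config members
        edit 1
            set interface "SPOKE-OVERLAY1"
        next
        edit 2
            set interface "wan1"
        next
    end
end
```

A second transport is added by repeating the phase1/phase2 pair on a second underlay interface and registering that tunnel as a further SD-WAN member.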

Note

Overlays are optional in our SD-WAN Solution. They are the most common and secure way of interconnecting your sites. But what if you provide a private transport circuit fully under your control (from both a routing and a security perspective)? These cases are rare, but they happen.

As you have already learned, the SD-WAN functionality on the FortiGates can steer the traffic both to the overlays and directly to the underlays. Hence, you can opt to skip building the overlay network over (some of) your transports, as long as the transport network can route the traffic properly and guarantee the required levels of security.

ADVPN is optional as well. The SD-WAN functionality can be applied to a classic Hub-and-Spoke topology (or, for that matter, to any desired topology).

That being said, in this document we will stick to the overlay network built over all available underlay transports, with ADVPN enabled, as this is the most common and recommended approach.