Network Setup

In this section, we'll create the network foundation for your connectivity hub, including the virtual network, Azure Bastion, and all required subnets.

Virtual Network Planning

How are we going to network this stuff?

In the physical world, we have cables and switches to connect everything together! But how do we build network connectivity in Azure? We use the concept of a virtual network and subnets to build a network between our virtual machines and appliances.

Routing in Azure differs from traditional datacenter environments because it’s based on system-managed routing tables rather than fully manual configurations. In an on-premises setup, firewalls and routers typically control all subnet-to-subnet routing directly, and VPNs often require explicit routes (static or dynamically advertised). In Azure, however, each virtual network (VNet) automatically creates routes between its subnets, meaning traffic could bypass a firewall unless you specifically configure User-Defined Routes (UDRs) to force it through. Similarly, when using VPN gateways, Azure handles the propagation of routes into the VNet, but you’ll often need to fine-tune UDRs to ensure traffic flows through security appliances like FortiGate rather than taking the default system path. This shift from hardware-centric to platform-managed routing is a key difference to keep in mind when designing secure architectures.
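The bypass described above can be checked before anything is deployed. The following is an added example, not part of the original lab: a simplified model of Azure route selection (longest prefix match, with user-defined routes beating system routes on a tie) applied to this lab's 10.2.0.0/16 address space. The firewall address 10.2.3.4, the host addresses, and the function names are assumptions made for illustration.

```python
import ipaddress

# Tie-break when prefix lengths are equal: user-defined > BGP > system default.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}

# Simplified system routes for the lab VNet (10.2.0.0/16 comes from this page).
SYSTEM_ROUTES = [
    ("10.2.0.0/16", "VirtualNetwork", None, "Default"),
    ("0.0.0.0/0", "Internet", None, "Default"),
]

FW_IP = "10.2.3.4"  # assumption: hypothetical FortiGate address in the Private subnet

# UDR set A: only a default route to the firewall (an incomplete setup).
UDR_DEFAULT_ONLY = [("0.0.0.0/0", "VirtualAppliance", FW_IP, "User")]
# UDR set B: additionally overrides the VNet-wide system route.
UDR_WITH_VNET = UDR_DEFAULT_ONLY + [("10.2.0.0/16", "VirtualAppliance", FW_IP, "User")]


def effective_next_hop(dest_ip, udrs=()):
    """Return (next_hop_type, next_hop_ip) selected for dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [
        (ipaddress.ip_network(prefix), hop, hop_ip, source)
        for prefix, hop, hop_ip, source in list(SYSTEM_ROUTES) + list(udrs)
        if dest in ipaddress.ip_network(prefix)
    ]
    # Longest prefix wins; on equal length the route source decides.
    best = min(candidates, key=lambda r: (-r[0].prefixlen, SOURCE_RANK[r[3]]))
    return best[1], best[2]


def bypasses_firewall(dest_ip, udrs=()):
    """True when traffic to dest_ip is not handed to the virtual appliance."""
    return effective_next_hop(dest_ip, udrs)[0] != "VirtualAppliance"


if __name__ == "__main__":
    east_west = "10.2.3.10"    # constructed host in the Private subnet
    outbound = "203.0.113.10"  # constructed internet destination (TEST-NET-3)
    cases = [("no UDR", []), ("default route only", UDR_DEFAULT_ONLY),
             ("default + VNet route", UDR_WITH_VNET)]
    for name, udrs in cases:
        print(f"{name}: east-west={effective_next_hop(east_west, udrs)} "
              f"outbound={effective_next_hop(outbound, udrs)}")
```

With only a 0.0.0.0/0 UDR, subnet-to-subnet traffic still follows the more specific system route and never reaches the firewall; the route for the VNet prefix itself is what closes that gap.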

Creating the Hub Network

  1. Click Create.

  2. You will be taken to the Marketplace.

  3. In the search field type virtual network and hit enter.

  4. Click on the Virtual Network box.

  5. Click Create.

  6. Type vnet-hub-azlab in the Virtual Network name textbox.

  7. Ensure Region is set to Canada Central.

  8. Click Next Security

Azure Bastion Setup

We are now going to create an Azure Bastion, which is a paid service that provides secure RDP/SSH connectivity to your virtual machines over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address.

  1. Click Enable Bastion.

  2. Rename it to bastion-hub-azlab.

  3. Click on the blue Create a public IP address.

  4. Change the Name to pip-bas-hub-azlab, then click OK.

  5. Click the Next: IP addresses button at the bottom of the screen.

  6. Change the IP address to 10.2.0.0 /16 as shown below.

  7. After several minutes your screen will look similar to the screen shot below.

  8. Click Go to resource.

Subnet Architecture

The next step is to prepare the necessary network to enable connectivity to the FortiGate-VMs. Four interfaces are most commonly used, one for the dedicated public or untrusted zone, one for the private or trusted zone, one for out-of-band management, and one for the dedicated channel for session and cluster syncing (as required).

Subnet Configuration

  1. On the left-hand side, expand the Settings menu.

  2. Click on Subnets.

  3. Notice the subnets we created earlier are listed here. Let's create four new subnets.

  4. Click on the Subnet button (see screenshot above).

  5. Change the name to Public.

  6. Ensure the starting address is 10.2.2.0 and the Size is /24.

  7. Please repeat the process of creating the remaining three subnets as per the table below:

    Subnet Name        Starting Address   Size
    Private            10.2.3.0           /24
    Management         10.2.4.0           /24
    HA_Intra-Cluster   10.2.5.0           /24
    ProtectedA         10.2.6.0           /24

Network Validation

  1. Please confirm your results look like the screenshot below.


Next Step: FortiGate Deployment to add security and high availability to your network.