Overview
In today’s hybrid-cloud world, organisations need to securely connect on-premise infrastructure to cloud environments while maintaining consistent security, visibility, and operational control. Fortinet’s FortiGate platform enables this by combining Next-Generation Firewall (NGFW) capabilities, SD-WAN, IPsec VPNs, and VXLAN overlay networking to create secure connectivity between data centres and public cloud platforms such as Microsoft Azure and Amazon Web Services (AWS).
By leveraging FortiGate appliances on-premise and FortiGate-VM instances in the cloud, organisations can establish secure hybrid connectivity while supporting specific use cases that require Layer 2 adjacency across Layer 3 networks.
This article provides a technical blueprint for:
- Securing your on-premise network with Fortinet.
- Building secure connectivity to Azure or AWS.
- Deploying VXLAN overlays to extend selected Layer 2 networks across Layer 3 infrastructure.
- Understanding the benefits, limitations, and considerations of Layer 2 extension into the cloud.

Step 1: Securing Your On-Premise Network with Fortinet
Before extending services into Azure or AWS, organisations should establish a strong security foundation within the data centre or campus network.
Fortinet’s Security Fabric provides centralised visibility, policy enforcement, threat intelligence, and security orchestration across the environment.
Key Security Configurations
Zero-Trust Segmentation
Create dedicated VLANs and security zones for departments, applications, and services. Restrict east-west traffic using explicit firewall policies rather than relying solely on traditional network segmentation.
Intrusion Prevention and Application Control
Enable Intrusion Prevention System (IPS), Application Control, DNS Filtering, and Web Filtering profiles to inspect traffic and detect threats at Layers 3 through 7.
SSL Inspection and Threat Intelligence
Where organisational policy permits, enable SSL inspection to identify encrypted threats and leverage FortiGuard threat intelligence services for real-time protection.
High Availability (HA)
Deploy FortiGate appliances in Active-Passive or Active-Active High Availability configurations to eliminate single points of failure and improve resilience.
Centralised Management and Logging
Use FortiManager for policy management and FortiAnalyzer for centralised logging, reporting, and compliance auditing.
A well-secured on-premise environment provides the foundation required for secure cloud connectivity.
Step 2: Creating Secure Connectivity into Azure or AWS
Once the local network is secured, the next step is to establish secure communication between on-premise infrastructure and cloud workloads.
The most common approach is to deploy FortiGate-VM instances within Azure or AWS and establish encrypted IPsec tunnels between the environments.
Azure Integration
Deploy FortiGate-VM
Deploy FortiGate-VM within an Azure Virtual Network (VNet) and position it as the primary security gateway for cloud workloads.
Establish IPsec Connectivity
Configure an IPsec VPN between the on-premise FortiGate and the Azure FortiGate-VM or Azure VPN Gateway.
Dynamic Routing
Implement Border Gateway Protocol (BGP) across the VPN tunnel to automate route advertisement and reduce administrative overhead.
Policy Synchronisation
Where appropriate, use FortiManager to standardise security policies across both on-premise and cloud deployments.
AWS Integration
Deploy FortiGate-VM
Launch FortiGate-VM instances within an AWS Virtual Private Cloud (VPC).
Create Secure VPN Connectivity
Configure AWS Customer Gateway and VPN services or establish VPN connectivity directly between FortiGate appliances.
Monitoring and Visibility
Integrate FortiGate logs with FortiAnalyzer and leverage AWS CloudWatch for operational monitoring and alerting.
Security Best Practices
- Use IKEv2 for VPN negotiation.
- Use AES-256 encryption where organisational standards require it.
- Restrict VPN traffic to authorised CIDR ranges.
- Enable MFA for administrative access.
- Monitor VPN health and performance continuously.
- Log all security events to FortiAnalyzer or an enterprise SIEM platform.
Step 3: Deploying VXLAN for Layer 2 Extension Across Layer 3 Networks
VXLAN (Virtual Extensible LAN) is an overlay technology that encapsulates Ethernet frames within UDP packets, enabling Layer 2 networks to traverse Layer 3 infrastructure.
It is important to note that Azure and AWS remain fundamentally Layer 3 networking platforms. VXLAN does not convert Azure or AWS into native Layer 2 environments. Instead, FortiGate appliances create an overlay network that provides Layer 2 adjacency between selected endpoints.
VXLAN should typically be considered for:
- Legacy application migration.
- Temporary coexistence during cloud migration.
- Applications requiring Layer 2 adjacency.
- Certain clustering and failover scenarios.
Whenever possible, organisations should design applications to operate across routed Layer 3 networks rather than extending Layer 2 domains.
Example Scenario
An organisation has:
- VLAN 10 (10.10.10.0/24) running on-premise.
- A FortiGate appliance at the data centre.
- A FortiGate-VM deployed in Azure.
The organisation requires selected workloads to communicate as though they reside on the same Layer 2 segment.
Configuration Overview
Create the VXLAN Interface
Example:
- VNI: 10010
- Source Interface: WAN or SD-WAN Interface
- Destination IP: Azure FortiGate WAN Interface
Create the Local VLAN Interface
Example:
- VLAN ID: 10
- Subnet: 10.10.10.0/24
Create a Virtual Switch
Add both interfaces to a virtual switch:
- VLAN10
- VXLAN10010
This bridges the local VLAN to the VXLAN overlay.
Configure the Cloud-Side FortiGate
Create a matching VXLAN configuration:
- Same VNI
- Same UDP Port (4789)
- Matching peer configuration
Verify Connectivity
Validate:
- ARP propagation
- MAC address learning
- End-to-end connectivity
- VXLAN tunnel status
Traffic Flow
- A host on VLAN 10 sends an Ethernet frame.
- The on-premise FortiGate encapsulates the frame into a VXLAN packet.
- The VXLAN packet traverses the WAN connection.
- The Azure or AWS FortiGate receives and decapsulates the traffic.
- The original Ethernet frame is delivered to the destination network.
For security, VXLAN traffic traversing public networks should be encapsulated within an IPsec tunnel because VXLAN itself does not provide encryption or authentication.
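The VNI 10010 / UDP 4789 header from the configuration overview and the encapsulate-decapsulate flow above, as an added Python example (not FortiGate code): the inner frame is a constructed ARP request from a VLAN 10 host, the cloud-side VNI check mirrors the "same VNI" requirement, and the inner frame is visible unchanged in the encapsulated bytes, which is why the page wraps VXLAN in IPsec.

```python
import struct

VXLAN_UDP_PORT = 4789      # UDP port from the configuration overview
VNI = 10010                # VNI from the example scenario
FLAG_VNI_VALID = 0x08      # "I" flag: VNI field is valid (RFC 7348)

def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", FLAG_VNI_VALID, b"\0\0\0", vni << 8)

def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI, rejecting a truncated header or an unset I flag."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", data[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8

def encapsulate(frame: bytes, vni: int = VNI) -> bytes:
    """VXLAN payload the on-premise FortiGate sends in UDP to VXLAN_UDP_PORT."""
    return build_vxlan_header(vni) + frame

def decapsulate(payload: bytes, expected_vni: int = VNI) -> bytes:
    """Cloud-side check: the received VNI must match the configured one."""
    vni = parse_vxlan_header(payload)
    if vni != expected_vni:
        raise ValueError(f"VNI {vni} does not match configured VNI {expected_vni}")
    return payload[8:]

def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def arp_request_frame(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Constructed sample inner frame: a broadcast ARP request from a VLAN 10 host."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"                 # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,   # Ethernet/IPv4, request
                      src_mac, _ip(src_ip), b"\0" * 6, _ip(target_ip))
    return eth + arp

if __name__ == "__main__":
    frame = arp_request_frame(b"\x02\x00\x00\x00\x00\x0a", "10.10.10.10", "10.10.10.20")
    packet = encapsulate(frame)
    # The inner frame travels unchanged: VXLAN adds no confidentiality or integrity.
    print(len(packet) - len(frame), decapsulate(packet) == frame, frame in packet)
```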
Architectural Benefits
| Feature | Benefit |
|---|---|
| Fortinet Security Fabric | Consistent security policies across environments |
| VXLAN Overlay | Layer 2 extension without MPLS circuits |
| Dynamic Routing (BGP) | Automated route exchange |
| IPsec Encryption | Secure transport across public networks |
| SD-WAN Integration | Dynamic path selection and failover |
| Multi-VNI Support | Segmentation of multiple workloads and tenants |
| FortiManager Integration | Centralised management and governance |
Security and Performance Recommendations
Protect VXLAN with IPsec
VXLAN provides encapsulation but does not provide encryption. Always use IPsec when VXLAN traverses untrusted networks.
Consider MTU and MSS Settings
VXLAN and IPsec introduce additional packet overhead. Depending on the underlying transport, organisations may need to:
- Reduce interface MTU values.
- Implement TCP MSS clamping.
- Validate packet fragmentation behaviour.
Jumbo frames should only be used where they are supported end-to-end along the whole path.
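The overhead arithmetic behind the MTU and MSS recommendations, as an added Python model (not Fortinet code) for VXLAN carried inside an IPsec tunnel: it assumes IPv4 throughout, ESP tunnel mode, untagged inner frames and the two labelled ESP proposals, and the tunnel MTU a given FortiOS release actually applies should be read from the device rather than taken from this model.

```python
from dataclasses import dataclass

# Fixed header sizes in bytes. Inner frames are assumed untagged (no 802.1Q).
IPV4_HDR, UDP_HDR, TCP_HDR, ETH_HDR, VXLAN_HDR = 20, 8, 20, 14, 8
ESP_SPI_SEQ = 8   # ESP header: SPI (4) + sequence number (4)

@dataclass(frozen=True)
class EspProfile:
    """Per-proposal ESP sizes: explicit IV, padding block size, ICV length."""
    iv: int
    block: int
    icv: int

# Constructed profiles for two common proposals (assumed values, RFC 4106 / RFC 4303).
ESP_PROFILES = {
    "aes256-gcm": EspProfile(iv=8, block=4, icv=16),
    "aes256-cbc/sha256": EspProfile(iv=16, block=16, icv=16),
}

def esp_overhead(p: EspProfile, inner_len: int, nat_t: bool = False) -> int:
    """ESP tunnel-mode overhead over IPv4 for an inner packet of inner_len bytes."""
    pad = (-(inner_len + 2)) % p.block            # trailer pads (data + 2) to block size
    overhead = IPV4_HDR + ESP_SPI_SEQ + p.iv + pad + 2 + p.icv
    return overhead + (UDP_HDR if nat_t else 0)   # NAT-T adds a UDP/4500 header

def ipsec_tunnel_mtu(transport_mtu: int, p: EspProfile, nat_t: bool = False) -> int:
    """Largest inner IP packet that fits in one transport-MTU ESP packet."""
    inner = transport_mtu
    while inner + esp_overhead(p, inner, nat_t) > transport_mtu:
        inner -= 1
    return inner

def vxlan_over_ipsec_budget(transport_mtu: int, profile: str, nat_t: bool = False) -> dict:
    """MTU/MSS budget for VLAN hosts bridged over VXLAN inside the IPsec tunnel."""
    tunnel_mtu = ipsec_tunnel_mtu(transport_mtu, ESP_PROFILES[profile], nat_t)
    # Inside the tunnel: VXLAN outer IPv4 + UDP + VXLAN header + the inner Ethernet header.
    inner_ip_mtu = tunnel_mtu - (IPV4_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR)
    return {
        "ipsec_tunnel_mtu": tunnel_mtu,
        "inner_ip_mtu": inner_ip_mtu,                   # candidate MTU for VLAN 10 hosts
        "tcp_mss": inner_ip_mtu - IPV4_HDR - TCP_HDR,   # MSS clamp for bridged TCP flows
    }

if __name__ == "__main__":
    for name in ESP_PROFILES:
        print(name, vxlan_over_ipsec_budget(1500, name))
```

For a 1500-byte WAN MTU with AES-256-GCM the model gives an inner IP MTU of 1396 and a TCP MSS of 1356; enabling NAT-T costs a further 8 bytes.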
Enable Security Inspection
Apply IPS, Application Control, and logging policies to traffic entering and exiting VXLAN-connected environments.
Monitor Continuously
Use FortiAnalyzer, FortiMonitor, or enterprise monitoring platforms to monitor:
- Tunnel availability
- Latency
- Packet loss
- Security events
Prevent Layer 2 Loops
Where Layer 2 extension is used, carefully design switching and bridging domains to avoid loops and broadcast-related issues.
Important Design Considerations
While VXLAN can be extremely useful, extending Layer 2 domains across geographical locations should be approached carefully.
Modern cloud architectures generally favour:
- Layer 3 routing
- Load balancing
- DNS-based service discovery
- Cloud-native application architectures
VXLAN is best suited for specific business requirements rather than as a default cloud networking strategy.
Some FortiGate models and FortiOS versions may have platform-specific limitations regarding VXLAN performance, hardware acceleration, or supported deployment modes. These should be verified against current Fortinet documentation before implementation.
Expert in the Cloud Insight
Hybrid infrastructure is no longer a transitional state—it has become a permanent operating model for many organisations.
By combining Fortinet’s Security Fabric, secure IPsec connectivity, cloud-based FortiGate virtual appliances, and VXLAN overlays where appropriate, organisations can create a secure and scalable network architecture spanning on-premise infrastructure and public cloud environments.
The key is to use VXLAN strategically for workloads that genuinely require Layer 2 adjacency while leveraging modern Layer 3 cloud-native designs wherever possible. In many cases, applications can be redesigned or modernised to operate across routed networks, reducing the complexity associated with extending Layer 2 domains between locations.
It is also important to remember that Fortinet continuously enhances FortiOS capabilities and supported deployment models. Features such as VXLAN bridging, virtual switch configurations, hardware acceleration, and cloud integration capabilities may vary between FortiGate hardware platforms, FortiGate-VM editions, and FortiOS releases. Before implementing any production design, organisations should validate the proposed architecture against the applicable Fortinet documentation and software version.
From an architectural perspective, the goal should not be to extend Layer 2 simply because it is possible. The goal should be to choose the most appropriate design for the workload, balancing security, performance, operational complexity, and future scalability.
When implemented correctly, Fortinet provides a powerful platform for securely connecting on-premise infrastructure with Azure and AWS while maintaining consistent visibility, governance, and protection across the entire hybrid environment.
Expert in the Cloud – The Future Is Now.