East-West traffic being forced to FortiGates vs NSGs being used for East-West Traffic

Good day everyone,


I wanted to get some opinions on a proposed networking idea I have for my organization. We will be deploying a new environment based on the CAF model (Hub & Spoke) which will have various Subscriptions for different types of workloads (Core, Non-Prod, UAT, Prod, etc.).


Each Subscription will have 1 VNet which is peered back to only the Core. I am proposing to have an N-Tier structure for the Subnets, i.e. IaaS-WEB, IaaS-APP & IaaS-DB, as well as PaaS & SaaS (possibly) Subnets for Private Endpoints when needed.


In our Core Subscription we will be using FortiGates as our Firewall. My idea was to force all Outbound and internal VNet traffic to the FortiGates and manage all the rules and logs from one central location (FortiGate). This would mean we wouldn't be leveraging NSGs between the Subnets for managing rules between workloads, and they would only have allow rules for traffic from the Firewall and potentially any other Azure Services, i.e. App Gateway, Load Balancer, etc.


My reasoning in sending all the traffic to the FortiGates was to leverage its security features and to have a central location to manage traffic flow rules and logs.


Looking for feedback.
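
The routing half of the design described in the post above, as an added Bicep example that is not part of the original post; the route table name, address prefixes and FortiGate IP are assumed values. The VNet-prefix route is there because Azure's system route for a VNet's own address space is more specific than 0.0.0.0/0, so a default route alone leaves subnet-to-subnet traffic going direct.

```bicep
// Added example. All names, prefixes and IPs below are constructed assumptions.
param location string = resourceGroup().location
// Assumed: FortiGate internal interface (or internal load balancer frontend) in the Core VNet
param fortigateInternalIp string = '10.0.1.4'
// Assumed: address space of one spoke VNet and its IaaS-WEB subnet
param spokeVnetPrefix string = '10.10.0.0/16'
param webSubnetPrefix string = '10.10.1.0/24'

resource rtWeb 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-iaas-web'
  location: location
  properties: {
    // Keep gateway-learned routes from bypassing the firewall
    disableBgpRoutePropagation: true
    routes: [
      {
        // Outbound, and any destination without a more specific route
        name: 'default-to-fortigate'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortigateInternalIp
        }
      }
      {
        // Overrides the system route for the VNet, so WEB -> APP -> DB crosses the firewall
        name: 'spoke-vnet-to-fortigate'
        properties: {
          addressPrefix: spokeVnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortigateInternalIp
        }
      }
      {
        // Assumption: traffic inside IaaS-WEB itself stays direct.
        // Remove this route to send intra-subnet traffic through the firewall too.
        name: 'own-subnet-stays-local'
        properties: {
          addressPrefix: webSubnetPrefix
          nextHopType: 'VnetLocal'
        }
      }
    ]
  }
}

output routeTableId string = rtWeb.id
```

Associate the table with IaaS-WEB and give IaaS-APP and IaaS-DB equivalent tables, so both directions of a flow cross the same firewall.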

1 Reply
Nothing wrong with this. It's quite a common deployment scenario.