I'll preface this by saying I've very little experience with BGP, so sorry in advance if I've missed something obvious!
What I'm trying to establish
When using an active-active VPN gateway in Azure, they require you to use BGP to establish routes. They provide 2 public IP addresses to terminate 2 IPSec tunnels, and 2 private IPs in the VPN gateway subnet, to peer with for BGP. There's one IP per tunnel.
However, for the local connection, Azure only lets you specify 1 local BGP peer IP address for your local public IP address. This means you can't have 2 local addresses to peer with for BGP for each shared public IP. The solution then would be to use a loopback address with a dedicated IP, that both Azure instances behind each tunnel could peer with. However, I can't seem to get it working.
What's Working
IPsec VPN connected to Azure gateway
Tunnel is assigned a private IP address that matches the local BGP peer IP address configured in Azure.
Remote address on tunnel is the first Azure BGP peer IP address in the gateway subnet.
Remote BGP neighbour on FortiGate is configured with the first Azure BGP peer IP address, set to use the tunnel interface.
BGP routes start peering.
What's not working
IPsec VPN connected to Azure gateway
Loopback interface is assigned a private IP address that matches the local BGP peer IP address configured in Azure.
Firewall rule allows BGP traffic from tunnel to loopback
Static route created for the Azure BGP peer IP address, telling it to go via the Azure tunnel.
I can see BGP traffic hitting the loopback interface, but the neighbours are stuck on idle.
What am I missing?