The described design is a multi-region SD-WAN architecture, where:
Each region has its own dual-hub ADVPN domain
Most traffic is intra-region
Inter-region traffic is limited and controlled
Spokes can be single-hub or dual-hub, depending on size and redundancy requirements
According to Fortinet’s SD-WAN Architecture for Enterprise guidance, when deploying multiple ADVPN regions, eBGP is the recommended routing protocol between regions. Each region operates as an independent routing domain (typically iBGP within the region), while eBGP is used to exchange routes between regional hubs. This approach:
Prevents excessive route reflection and scaling issues
Provides clear administrative boundaries between regions
Improves stability and scalability in large global deployments
Matches the exact traffic pattern described (high intra-region, low inter-region traffic)
This is explicitly documented in Fortinet's guidance on “Using eBGP between regions with intra-region ADVPN”, which confirms that the architecture described in the question is valid and recommended when eBGP is used between regions.
Why the other options are incorrect:
Option B is incorrect because FortiOS does not impose a hard “four-hub” architectural limit in the described regional model. Each region has its own hubs; the design is not a single flat multihub domain.
Option C is incomplete. While FortiManager Overlay Orchestrator can help operationally, it is not the key architectural requirement that makes this design valid. The question asks what makes the plan correct from a design standpoint, not a tooling standpoint.
Option D is incorrect because FortiOS fully supports mixed spoke connectivity within the same region (some spokes single-hub, others dual-hub), which is a common enterprise SD-WAN design.
Therefore, the correct and documented conclusion is that the plan is possible and eBGP should be used as the routing protocol between regions, which corresponds to Answer A.