Azure Administration Guide

Configurable variables

Following is a list of variables used during deployment and referenced throughout this guide.

Each entry below gives the parameter name, its default value (or whether it requires input), and a description.

Subscription

Requires input

The Azure subscription FortiGate Autoscale for Azure will be deployed in.

Resource Group

Requires input

The resource group FortiGate Autoscale for Azure will be deployed in. Referred to as the Autoscale resource group.

Region

Requires input

The region in which the FortiGate Autoscale for Azure resources will be deployed. Not every resource is available in every region.

Access Restriction IP Range

Requires input

IP address ranges (single IPv4 address or Classless Inter-Domain Routing (CIDR) range) to allow access from the Internet or from your on-premises network to the CosmosDB and Function App. For security purposes, at least one entry must be specified. For multiple entries, each entry must be separated by a comma and no trailing comma is allowed.

Warning

0.0.0.0/0 accepts connections from any IP address. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses.

Admin Password

Requires input

FortiGate administrator password on all VMs, as well as the FortiAnalyzer if FortiAnalyzer integration is enabled. The FortiGate and Azure VM password policies must be followed: the password must be 11-26 characters in length with at least one uppercase letter, one lowercase letter, one digit, and one special character such as @ # $ % ^ & * - _ ! + =.

Admin Username

azureadmin

FortiGate administrator username on all VMs as well as the FortiAnalyzer if FortiAnalyzer integration is enabled.

BYOL Instance Count

2

Number of FortiGate instances the BYOL VMSS should have at any time. For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

Users can set the size to less than or equal to the number of valid licenses they own and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

FortiAnalyzer Autoscale Admin Password

Requires input

Password for the FortiAnalyzer Autoscale Admin Username. The password must conform to the FortiAnalyzer password policy and have a minimum length of 8 and a maximum length of 128. If you need to enable KMS encryption, refer to the documentation.

FortiAnalyzer Autoscale Admin Username

Requires input

Name of the secondary administrator-level account in the FortiAnalyzer. FortiGate Autoscale uses this account to connect to the FortiAnalyzer to authorize any FortiGate device in the Auto Scaling group. To conform to the FortiAnalyzer naming policy, the user name can only contain numbers, lowercase letters, uppercase letters, and hyphens. It cannot start or end with a hyphen (-).

FortiAnalyzer Custom Private IP Address

Requires input

Custom private IP address to be used by the FortiAnalyzer. Must be within the Public subnet 1 CIDR range. Required if FortiAnalyzer Integration Options is set to 'yes'. If FortiAnalyzer Integration Options is set to 'no', any input will be ignored.

FortiAnalyzer Instance Type

Requires input

Size of the FortiAnalyzer-VM. For details on selecting the size, refer to the section Selecting the instance type.

Note

Not all instance types are supported. Review FortiAnalyzer instance type support prior to selecting an instance.

FortiAnalyzer Integration Options

yes

Choose 'yes' to incorporate FortiAnalyzer into FortiGate Autoscale for Azure to use extended features that include storing logs into FortiAnalyzer.

FortiAnalyzer Public IP Address ID

Requires input

ID of the public IP address to associate with the FortiAnalyzer. If left empty, a new public IP address will be allocated in the resource group that contains the FortiAnalyzer.

FortiAnalyzer Version

6.4.5

FortiAnalyzer version supported by FortiGate Autoscale for Azure.

FortiGate PSK Secret

Requires input

Secret key used by FortiGate instances to securely communicate with each other. Must contain numbers and letters and may contain special characters. Maximum length is 128.

Note

Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

FOS Version

7.0.1

FortiOS version supported by FortiGate Autoscale for Azure.

Frontend IP Address ID

Requires input

When the ID of a Public IP Address is provided, the Public IP Address will be used as the Frontend IP address associated with the external load balancer. If left empty, a new Public IP Address will be allocated in the resource group that contains the virtual network components.

Heart Beat Delay Allowance

30

Maximum amount of time (in seconds) allowed for network latency of the FortiGate heartbeat arriving at the Autoscale handler function. Minimum is 30.

Heart Beat Interval

60

Length of time (in seconds) that the FortiGate waits between sending heartbeat requests to the Autoscale handler function. Minimum is 30. Maximum is 120.

Heart Beat Loss Count

3

Number of consecutively lost heartbeats. When the Heart Beat Loss Count has been reached, the VM is deemed unhealthy and failover activities will commence.

Instance Type

Standard_F4

Size of the VMs in the VMSS. The default is Standard_F4. For more options, refer to the Microsoft article Sizes for virtual machines in Azure. For details on selecting the size, refer to the section Selecting the instance type.

Max BYOL Instance Count

2

Maximum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.

Note

Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

Max PAYG Instance Count

6

Maximum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Min BYOL Instance Count

2

Minimum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

Min PAYG Instance Count

0

Minimum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Note

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

PAYG Instance Count

0

Number of FortiGate instances the PAYG VMSS should have at any time. For High Availability in a PAYG-only use case, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Package Res URL

Requires input

Public URL of the function source file fortigate-autoscale-azure-funcapp.zip. The default value points to the source file available in the release assets of the GitHub repo fortinet/fortigate-autoscale-azure.

Note

This URL must be accessible by Azure.

Primary Election Timeout

90

Maximum time (in seconds) to wait for the election of the primary instance to complete.

Resource Name Prefix

Requires input

Prefix for all applicable resource names. Can only contain lowercase letters and numbers. Maximum length is 10.

Scale In Threshold

20

Percentage of CPU utilization at which scale-in should occur.

Scale Out Threshold

80

Percentage of CPU utilization at which scale-out should occur.

Service Plan Tier

Premium (P1V2)

Pricing tier for the function service plan.

Note

The Free plan is for trial and demo only. Do not use it in a production environment.

Service Principal App ID

Requires input

Application ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal App Secret

Requires input

Password (Authentication key) for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal Object ID

Requires input

Object ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Storage Account Type

Standard_LRS

Storage account type.

Subnet 1 Address Range

Requires input

Defines the Subnet 1 Address Range in CIDR notation. When creating a new VNet, the address range must be contained by the address space of the virtual network as defined in VNet Address Space. When using an existing VNet, the value must match the address range of the subnet specified in Subnet 1 Name. After deployment, the address range of a subnet which is in use can't be edited.

Subnet 1 Name

Name of subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. When creating a new VNet, the input value is used as the Subnet 1 name; if left empty, a name will be generated. When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as Subnet 1.

Subnet 1 Network Security Group Name

Requires input

Name of the Network Security Group (NSG) associated with subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. Required when using an existing VNet. When creating a new VNet, any input will be ignored.

Subnet 1 Network Security Group Rule Priority

1000

Starting number for the rule priority of the Network Security Group (NSG) associated with subnet 1, where the Autoscale-related rules will be deployed. When using an existing VNet, assign a number that does not conflict with the priority of any existing rule in the NSG specified in Subnet 1 Network Security Group Name.

Subnet 2 Address Range

Conditionally requires input

Subnet 3 Address Range

Conditionally requires input

Subnet 4 Address Range

Conditionally requires input

The Subnet # Address Range parameters define the address range for the subnet, in CIDR notation. The address range must be contained by the address space of the virtual network as defined in VNet Address Space.

  • When creating a new VNet, a valid non-empty input will assume the creation of subnet #.

  • When using an existing VNet, the value should match the address range of the target subnet.

After deployment, the address range of a subnet which is in use can't be edited.

Subnet 2 Name

Conditionally requires input

Subnet 3 Name

Conditionally requires input

Subnet 4 Name

Conditionally requires input

(Optional) The Subnet # Name parameters specify the name of the subnet.

If subnet # is created, the FortiGate will have a network interface in this subnet. When creating a new VNet that contains the subnet, the input value is used as the Subnet # name. If left empty, a name will be generated.

When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as 'Subnet #'.

VMSS Availability Zones

Availability zones to use "strict zone balancing", in array format. For example: [1], [1, 3], [1, 2, 3]. To use "best effort zone balancing", leave empty. If zone balancing is not applicable, set to a single zone - for example [2].

Note

The template does not validate the input availability zone(s) against the region. To ensure the correct number of availability zones for your region, refer to the Microsoft articles Azure regions with availability zones and Zone Balancing.

VMSS Placement Groups

single

VMSS placement group options. For more information, please refer to the Microsoft article Create a virtual machine scale set that uses Availability Zones.

VNet Address Space

IP address space of the VNet in CIDR notation. E.g. 10.0.0.0/16. Required when using an existing VNet; the value should match the address space of the target VNet.

VNet Deployment Method

create new

Options for Virtual Network (VNet) deployment:

  • create new
  • use existing

Note

The VNet resource group (specified in the VNet Resource Group Name parameter) must be in the same region as the Autoscale resource group (specified in the Resource Group parameter).

If using an existing VNet, refer to the section Requirements when using an existing VNet.

VNet Name

Conditionally requires input

Name of the Azure VNet to connect to FortiGate Autoscale. Required when using an existing VNet. When creating a new VNet, this parameter can be left empty and a name will be generated.

VNet Resource Group Name

Conditionally requires input

Name of the resource group that contains the VNet and related network components.

Note

Required if the VNet is not in the Autoscale resource group (specified in the parameter Resource Group). If not specified, the Autoscale resource group will be used. For details, refer to the description for the parameter VNet Deployment Method. This resource group must be in the same region as the Autoscale resource group.
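As an added example (not part of this guide or of the fortinet/fortigate-autoscale-azure project), the following Python script applies several of the constraints stated in the table above to a set of intended parameter values before deployment: it flags a 0.0.0.0/0 entry in Access Restriction IP Range as a warning, checks the Admin Password policy, cross-checks the BYOL/PAYG instance counts for a chosen licensing mode, and confirms that each Subnet # Address Range lies within VNet Address Space. The plain-dict layout, the `licensing` argument and the sample values are assumptions.

```python
"""Pre-deployment sanity checks for FortiGate Autoscale for Azure parameters (added
example, not Fortinet's code; the dict layout and licensing-mode argument are assumptions)."""
import ipaddress

PASSWORD_SPECIALS = set("@#$%^&*-_!+=")  # special characters listed for Admin Password


def check_access_restriction(value):
    """'Access Restriction IP Range': comma-separated IPv4 hosts/CIDRs, no trailing comma. Returns (errors, warnings)."""
    if not value or value.endswith(","):
        return ["at least one entry is required and no trailing comma is allowed"], []
    errors, warnings = [], []
    for entry in (e.strip() for e in value.split(",")):
        try:
            net = ipaddress.IPv4Network(entry, strict=False)  # a bare host address becomes /32
        except ValueError:
            errors.append(f"not an IPv4 address or CIDR range: {entry!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 exposes CosmosDB and the Function App to everyone
            warnings.append(f"{entry} accepts connections from any IP address")
    return errors, warnings


def check_admin_password(pw):
    """'Admin Password': 11-26 characters with upper, lower, digit and a special from PASSWORD_SPECIALS."""
    rules = [
        (11 <= len(pw) <= 26, "must be 11-26 characters long"),
        (any(c.isupper() for c in pw), "needs an uppercase letter"),
        (any(c.islower() for c in pw), "needs a lowercase letter"),
        (any(c.isdigit() for c in pw), "needs a digit"),
        (any(c in PASSWORD_SPECIALS for c in pw), "needs a special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def check_instance_counts(p, licensing):
    """Cross-check BYOL/PAYG counts for licensing mode 'byol', 'payg' or 'hybrid' per the table's rules."""
    errors, counts = [], {}
    for kind in ("BYOL", "PAYG"):
        lo, cur, hi = (p[f"{w}{kind} Instance Count"] for w in ("Min ", "", "Max "))
        counts[kind] = (lo, cur, hi)
        if lo > hi:
            errors.append(f"Max {kind} Instance Count must be >= Min {kind} Instance Count")
        if cur > hi:
            errors.append(f"{kind} Instance Count must not exceed Max {kind} Instance Count")
    if licensing == "payg":
        if any(counts["BYOL"]): errors.append("PAYG-only: all BYOL counts must be 0")
        if counts["PAYG"][0] < 2: errors.append("PAYG-only: Min PAYG Instance Count must be >= 2")
    elif licensing == "byol":
        if any(counts["PAYG"]): errors.append("BYOL-only: all PAYG counts must be 0")
        if counts["BYOL"][0] < 2: errors.append("BYOL-only: Min BYOL Instance Count must be >= 2")
    elif licensing == "hybrid":
        if counts["BYOL"][0] < 2: errors.append("hybrid: Min BYOL Instance Count must be >= 2")
    else:
        errors.append(f"unknown licensing mode {licensing!r}")
    return errors


def check_address_ranges(p):
    """Every 'Subnet N Address Range' that is set must lie within 'VNet Address Space'."""
    vnet = ipaddress.IPv4Network(p["VNet Address Space"])
    errors = []
    for n in range(1, 5):
        key = f"Subnet {n} Address Range"
        if p.get(key) and not ipaddress.IPv4Network(p[key]).subnet_of(vnet):
            errors.append(f"{key} {p[key]} is not within VNet Address Space {vnet}")
    return errors


def validate(p, licensing):
    """Run every check; returns (errors, warnings)."""
    errors, warnings = check_access_restriction(p["Access Restriction IP Range"])
    errors += check_admin_password(p["Admin Password"])
    errors += check_instance_counts(p, licensing) + check_address_ranges(p)
    return errors, warnings


# Constructed sample: a hybrid deployment whose only flaw is the wide-open access entry.
SAMPLE_PARAMS = {
    "Access Restriction IP Range": "203.0.113.10,198.51.100.0/24,0.0.0.0/0",
    "Admin Password": "Autoscale-Demo-2024!",  # constructed placeholder, not a real credential
    "Min BYOL Instance Count": 2, "BYOL Instance Count": 2, "Max BYOL Instance Count": 2,
    "Min PAYG Instance Count": 0, "PAYG Instance Count": 0, "Max PAYG Instance Count": 6,
    "VNet Address Space": "10.0.0.0/16",
    "Subnet 1 Address Range": "10.0.0.0/24", "Subnet 2 Address Range": "10.0.1.0/24",
}

if __name__ == "__main__":
    print(validate(SAMPLE_PARAMS, "hybrid"))
```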
