Version:

Version:


Table of Contents

Azure Administration Guide

Download PDF
Copy Link

Configurable variables

Following is a list of variables used during deployment and referenced throughout this guide.

Parameter name

Default value

Description

Subscription

Requires input

The Azure subscription FortiGate Autoscale for Azure will be deployed in.

Resource Group

Requires input

The resource group FortiGate Autoscale for Azure will be deployed in. Referred to as the Autoscale resource group.

Region

Requires input

The region in which the FortiGate Autoscale for Azure resources will be deployed in. Not every resource is available in every region.

Access Restriction IP Range

Requires input

IP address ranges (single IPv4 address or Classless Inter-Domain Routing (CIDR) range) to allow access from the Internet or from your on-premises network to the CosmosDB and Function App. For security purposes, at least one entry must be specified. For multiple entries, each entry must be separated by a comma and no trailing comma is allowed.

Warning

0.0.0.0/0 accepts connections from any IP address. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses.

Admin Password

Requires input

FortiGate administrator password on all VMs as well as the FortiAnalyzer if FortiAnalyzer integration is enabled. FortiGate and Azure VM password policy must be followed and the password must be11 - 26 characters in length with at least one uppercase letter, one lowercase letter, one digit, and one special character such as @ # $ % ^ & * - _ ! + =.

Admin Username

azureadmin

FortiGate administrator username on all VMs as well as the FortiAnalyzer if FortiAnalyzer integration is enabled.

BYOL Instance Count

2

Number of FortiGate instances the BYOL VMSS should have at any time. For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

Users can set the size to less than or equal to the number of valid licenses they own and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

FortiAnalyzer Autoscale Admin Password

Requires input

Password for the FortiAnalyzer Autoscale Admin Username. The password must conform to the FortiAnalyzer password policy and have a minimum length of 8 and a maximum length of 128. If you need to enable KMS encryption, refer to the documentation.

FortiAnalyzer Autoscale Admin Username

Requires input

Name of the secondary administrator-level account in the FortiAnalyzer. FortiGate Autoscale uses this account to connect to the FortiAnalyzer to authorize any FortiGate device in the Auto Scaling group. To conform to the FortiAnalyzer naming policy, the user name can only contain numbers, lowercase letters, uppercase letters, and hyphens. It cannot start or end with a hyphen (-).

FortiAnalyzer Custom Private IP Address

Requires input

Custom private IP address to be used by the FortiAnalyzer. Must be within the Public subnet 1 CIDR range. Required if FortiAnalyzer Integration Options is set to 'yes'. If FortiAnalyzer Integration Options is set to 'no', any input will be ignored.

FortiAnalyzer Instance Type

Requires input

Size of the FortiAnalyzer-VM. For details on selecting the size, refer to the section Selecting the instance type

Note

Not all instance types are supported. Review FortiAnalyzer instance type support prior to selecting an instance.

FortiAnalyzer Integration Options

yes

Choose 'yes' to incorporate FortiAnalyzer into FortiGate Autoscale for Azure to use extended features that include storing logs into FortiAnalyzer.

FortiAnalyzer Public IP Address ID

Requires input

ID of the public IP address to associate with the FortiAnalyzer. If left empty, a new public IP address will be allocated in the resource group that contains the FortiAnalyzer.

FortiAnalyzer Version

6.4.5

FortiAnalyzer version supported by FortiGate Autoscale for Azure.

FortiGate PSK Secret

Requires input

Secret key used by FortiGate instances to securely communicate with each other. Must contain numbers and letters and may contain special characters. Maximum length is 128.

Note

Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

FOS Version

7.0.1

FortiOS version supported by FortiGate Autoscale for Azure.

Frontend IP Address ID

Requires input

When the ID of a Public IP Address is provided, the Public IP Address will be used as the Frontend IP address associated with the external load balancer. If left empty, a new Public IP Address will be allocated in the resource group that contains the virtual network components.

Heart Beat Delay Allowance

30

Maximum amount of time (in seconds) allowed for network latency of the FortiGate heartbeat arriving at the Autoscale handler function. Minimum is 30.

Heart Beat Interval

60

Length of time (in seconds) that the FortiGate waits between sending heartbeat requests to the Autoscale handler function. Minimum is 30. Maximum is 120.

Heart Beat Loss Count

3

Number of consecutively lost heartbeats. When the Heart Beat Loss Count has been reached, the VM is deemed unhealthy and failover activities will commence.

Instance Type

Standard_F4

Size of the VMs in the VMSS. The default is Standard_F4. For more options, refer to the Microsoft article Sizes for virtual machines in Azure. For details on selecting the size, refer to the section Selecting the instance type

Max BYOL Instance Count

2

Maximum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.

Note

Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

Max PAYG Instance Count

6

Maximum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Min BYOL Instance Count

2

Minimum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

Min PAYG Instance Count

0

Minimum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Note

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

PAYG Instance Count

0

Number of FortiGate instances the PAYG VMSS should have at any time. For High Availability in a PAYG-only use case, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Package Res URL

Requires input

Public URL of the function source file fortigate-autoscale-azure-funcapp.zip. The default value points to the source file available in the release assets of the GitHub repo fortinet/fortigate-autoscale-azure.

Note

This URL must be accessible by Azure.

Primary Election Timeout

90

Maximum time (in seconds) to wait for the election of the primary instance to complete.

Resource Name Prefix

Requires input

Prefix for all applicable resource names. Can only contain lowercase letters and numbers. Maximum length is 10.

Scale In Threshold

20

Percentage of CPU utilization at which scale-in should occur.

Scale Out Threshold

80

Percentage of CPU utilization at which scale-out should occur.

Service Plan Tier

Premium (P1V2)

Pricing tier for the function service plan.

Note

The Free plan is for trial and demo only. Do not use it in a production environment.

Service Principal App ID

Requires input

Application ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal App Secret

Requires input

Password (Authentication key) for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal Object ID

Requires input

Object ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Storage Account Type

Standard_LRS

Storage account type.

Subnet 1 Address Range

Requires input

Defines the Subnet 1 Address Range in CIDR notation. When creating a new VNet, the address range must be contained by the address space of the virtual network as defined in VNet Address Space. When using an existing VNet, the value must match the address range of the subnet specified in Subnet 1 Name. After deployment, the address range of a subnet which is in use can't be edited.

Subnet 1 Name

 

Name of subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. When creating a new VNet, the input value is used as the Subnet 1 name; if left empty, a name will be generated. When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as Subnet 1.

Subnet 1 Network Security Group Name

Requires input

Name of the Network Security Group (NSG) associated with the subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. Required when using an existing VNet. When creating a new VNet, any input will be ignored.

Subnet1 Network Security Group Rule Priority 1000 Starting number for the rule priority of the Network Security Group (NSG) associated with subnet 1 where the Autoscale related rules will be deployed. When using an existing VNet, assign a number that does not conflict with the priority of any existing rule in the NSG specified in the Subnet 1 Network Security Group Name.

 

 

 

The Subnet # Address Range parameters define the address range for the subnet, in CIDR notation. The address range must be contained by the address space of the virtual network as defined in VNet Address Space.

  • When creating a new VNet, a valid non-empty input will assume the creation of subnet #.

  • When using an existing VNet, the value should match the address range of the target subnet.

After deployment, the address range of a subnet which is in use can't be edited.

Subnet 2 Address Range

Conditionally requires input

Subnet 3 Address Range

Conditionally requires input

Subnet 4 Address Range

Conditionally requires input

 

 

 

Subnet 2 Name

Conditionally requires input

(Optional) The Subnet # Name parameters specify the name of the subnet.

If subnet # is created, the FortiGate will have a network interface in this subnet. When creating a new VNet that contains the subnet, the input value is used as the Subnet # name. If left empty, a name will be generated.

When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as 'Subnet #'.

Subnet 3 Name

Conditionally requires input

Subnet 4 Name

Conditionally requires input

 

VMSS Availability Zones

 

Availability zones to use "strict zone balancing", in array format. For example: [1], [1, 3], [1, 2, 3]. To use "best effort zone balancing", leave empty. If zone balancing is not applicable, set to a single zone - for example [2].

Note

The template does not validate the input availability zone(s) against the region. To ensure the correct number of availability zones for your region, refer to the Microsoft articles Azure regions with availability zones and Zone Balancing.

VMSS Placement Groups

single

VMSS placement group options. For more information, please refer to the Microsoft article Create a virtual machine scale set that uses Availability Zones.

VNet Address Space

 

IP address space of the VNet in CIDR notation. E.g. 10.0.0.0/16. Required when using an existing VNet; the value should match the address space of the target VNet.

VNet Deployment Method

create new

Options for Virtual Network (VNet) deployment:

  • create new
  • use existing
Note

The VNet resource group (specified in the VNet Resource Group Name parameter) must be in the same region as the Autoscale resource group (specified in the Configurable variablesparameter).

If using an existing VNet, refer to the section Requirements when using an existing VNet.

VNet Name

Conditionally requires input

Name of the Azure VNet to connect to FortiGate Autoscale. Required when using an existing VNet. When creating a new VNet, this parameter can be left empty and a name will be generated.

VNet Resource Group Name

Conditionally requires input

Name of the resource group that contains the VNet and related network components.

Note

Required if the VNet is not in the Autoscale resource group (specified in the parameter Resource Group). If not specified, the Autoscale resource group will be used. For details, refer to the description for the parameter VNet Deployment Method. This resource group must be in the same region as the Autoscale resource group.

Configurable variables

Following is a list of variables used during deployment and referenced throughout this guide.

Parameter name

Default value

Description

Subscription

Requires input

The Azure subscription FortiGate Autoscale for Azure will be deployed in.

Resource Group

Requires input

The resource group FortiGate Autoscale for Azure will be deployed in. Referred to as the Autoscale resource group.

Region

Requires input

The region in which the FortiGate Autoscale for Azure resources will be deployed in. Not every resource is available in every region.

Access Restriction IP Range

Requires input

IP address ranges (single IPv4 address or Classless Inter-Domain Routing (CIDR) range) to allow access from the Internet or from your on-premises network to the CosmosDB and Function App. For security purposes, at least one entry must be specified. For multiple entries, each entry must be separated by a comma and no trailing comma is allowed.

Warning

0.0.0.0/0 accepts connections from any IP address. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses.

Admin Password

Requires input

FortiGate administrator password on all VMs as well as the FortiAnalyzer if FortiAnalyzer integration is enabled. FortiGate and Azure VM password policy must be followed and the password must be11 - 26 characters in length with at least one uppercase letter, one lowercase letter, one digit, and one special character such as @ # $ % ^ & * - _ ! + =.

Admin Username

azureadmin

FortiGate administrator username on all VMs as well as the FortiAnalyzer if FortiAnalyzer integration is enabled.

BYOL Instance Count

2

Number of FortiGate instances the BYOL VMSS should have at any time. For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

Users can set the size to less than or equal to the number of valid licenses they own and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

FortiAnalyzer Autoscale Admin Password

Requires input

Password for the FortiAnalyzer Autoscale Admin Username. The password must conform to the FortiAnalyzer password policy and have a minimum length of 8 and a maximum length of 128. If you need to enable KMS encryption, refer to the documentation.

FortiAnalyzer Autoscale Admin Username

Requires input

Name of the secondary administrator-level account in the FortiAnalyzer. FortiGate Autoscale uses this account to connect to the FortiAnalyzer to authorize any FortiGate device in the Auto Scaling group. To conform to the FortiAnalyzer naming policy, the user name can only contain numbers, lowercase letters, uppercase letters, and hyphens. It cannot start or end with a hyphen (-).

FortiAnalyzer Custom Private IP Address

Requires input

Custom private IP address to be used by the FortiAnalyzer. Must be within the Public subnet 1 CIDR range. Required if FortiAnalyzer Integration Options is set to 'yes'. If FortiAnalyzer Integration Options is set to 'no', any input will be ignored.

FortiAnalyzer Instance Type

Requires input

Size of the FortiAnalyzer-VM. For details on selecting the size, refer to the section Selecting the instance type

Note

Not all instance types are supported. Review FortiAnalyzer instance type support prior to selecting an instance.

FortiAnalyzer Integration Options

yes

Choose 'yes' to incorporate FortiAnalyzer into FortiGate Autoscale for Azure to use extended features that include storing logs into FortiAnalyzer.

FortiAnalyzer Public IP Address ID

Requires input

ID of the public IP address to associate with the FortiAnalyzer. If left empty, a new public IP address will be allocated in the resource group that contains the FortiAnalyzer.

FortiAnalyzer Version

6.4.5

FortiAnalyzer version supported by FortiGate Autoscale for Azure.

FortiGate PSK Secret

Requires input

Secret key used by FortiGate instances to securely communicate with each other. Must contain numbers and letters and may contain special characters. Maximum length is 128.

Note

Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

FOS Version

7.0.1

FortiOS version supported by FortiGate Autoscale for Azure.

Frontend IP Address ID

Requires input

When the ID of a Public IP Address is provided, the Public IP Address will be used as the Frontend IP address associated with the external load balancer. If left empty, a new Public IP Address will be allocated in the resource group that contains the virtual network components.

Heart Beat Delay Allowance

30

Maximum amount of time (in seconds) allowed for network latency of the FortiGate heartbeat arriving at the Autoscale handler function. Minimum is 30.

Heart Beat Interval

60

Length of time (in seconds) that the FortiGate waits between sending heartbeat requests to the Autoscale handler function. Minimum is 30. Maximum is 120.

Heart Beat Loss Count

3

Number of consecutively lost heartbeats. When the Heart Beat Loss Count has been reached, the VM is deemed unhealthy and failover activities will commence.

Instance Type

Standard_F4

Size of the VMs in the VMSS. The default is Standard_F4. For more options, refer to the Microsoft article Sizes for virtual machines in Azure. For details on selecting the size, refer to the section Selecting the instance type

Max BYOL Instance Count

2

Maximum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.

Note

Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

Max PAYG Instance Count

6

Maximum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Min BYOL Instance Count

2

Minimum number of FortiGate instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

Min PAYG Instance Count

0

Minimum number of FortiGate instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Note

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate configuration will be lost.

PAYG Instance Count

0

Number of FortiGate instances the PAYG VMSS should have at any time. For High Availability in a PAYG-only use case, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Package Res URL

Requires input

Public URL of the function source file fortigate-autoscale-azure-funcapp.zip. The default value points to the source file available in the release assets of the GitHub repo fortinet/fortigate-autoscale-azure.

Note

This URL must be accessible by Azure.

Primary Election Timeout

90

Maximum time (in seconds) to wait for the election of the primary instance to complete.

Resource Name Prefix

Requires input

Prefix for all applicable resource names. Can only contain lowercase letters and numbers. Maximum length is 10.

Scale In Threshold

20

Percentage of CPU utilization at which scale-in should occur.

Scale Out Threshold

80

Percentage of CPU utilization at which scale-out should occur.

Service Plan Tier

Premium (P1V2)

Pricing tier for the function service plan.

Note

The Free plan is for trial and demo only. Do not use it in a production environment.

Service Principal App ID

Requires input

Application ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal App Secret

Requires input

Password (Authentication key) for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Service Principal Object ID

Requires input

Object ID for the Registered app used as the Autoscale Function App API request service principal.

This is the value that was noted when creating a service principal in the section Prerequisites.

Storage Account Type

Standard_LRS

Storage account type.

Subnet 1 Address Range

Requires input

Defines the Subnet 1 Address Range in CIDR notation. When creating a new VNet, the address range must be contained by the address space of the virtual network as defined in VNet Address Space. When using an existing VNet, the value must match the address range of the subnet specified in Subnet 1 Name. After deployment, the address range of a subnet which is in use can't be edited.

Subnet 1 Name

 

Name of subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. When creating a new VNet, the input value is used as the Subnet 1 name; if left empty, a name will be generated. When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as Subnet 1.

Subnet 1 Network Security Group Name

Requires input

Name of the Network Security Group (NSG) associated with the subnet 1. The FortiGate Autoscale VMSS is deployed in this subnet. Required when using an existing VNet. When creating a new VNet, any input will be ignored.

Subnet1 Network Security Group Rule Priority 1000 Starting number for the rule priority of the Network Security Group (NSG) associated with subnet 1 where the Autoscale related rules will be deployed. When using an existing VNet, assign a number that does not conflict with the priority of any existing rule in the NSG specified in the Subnet 1 Network Security Group Name.

 

 

 

The Subnet # Address Range parameters define the address range for the subnet, in CIDR notation. The address range must be contained by the address space of the virtual network as defined in VNet Address Space.

  • When creating a new VNet, a valid non-empty input will assume the creation of subnet #.

  • When using an existing VNet, the value should match the address range of the target subnet.

After deployment, the address range of a subnet which is in use can't be edited.

Subnet 2 Address Range

Conditionally requires input

Subnet 3 Address Range

Conditionally requires input

Subnet 4 Address Range

Conditionally requires input

 

 

 

Subnet 2 Name

Conditionally requires input

(Optional) The Subnet # Name parameters specify the name of the subnet.

If subnet # is created, the FortiGate will have a network interface in this subnet. When creating a new VNet that contains the subnet, the input value is used as the Subnet # name. If left empty, a name will be generated.

When using an existing VNet, a valid non-empty input will assume the association of the target subnet with FortiGate Autoscale, and the target subnet will be associated as 'Subnet #'.

Subnet 3 Name

Conditionally requires input

Subnet 4 Name

Conditionally requires input

 

VMSS Availability Zones

 

Availability zones to use "strict zone balancing", in array format. For example: [1], [1, 3], [1, 2, 3]. To use "best effort zone balancing", leave empty. If zone balancing is not applicable, set to a single zone - for example [2].

Note

The template does not validate the input availability zone(s) against the region. To ensure the correct number of availability zones for your region, refer to the Microsoft articles Azure regions with availability zones and Zone Balancing.

VMSS Placement Groups

single

VMSS placement group options. For more information, please refer to the Microsoft article Create a virtual machine scale set that uses Availability Zones.

VNet Address Space

 

IP address space of the VNet in CIDR notation. E.g. 10.0.0.0/16. Required when using an existing VNet; the value should match the address space of the target VNet.

VNet Deployment Method

create new

Options for Virtual Network (VNet) deployment:

  • create new
  • use existing
Note

The VNet resource group (specified in the VNet Resource Group Name parameter) must be in the same region as the Autoscale resource group (specified in the Configurable variablesparameter).

If using an existing VNet, refer to the section Requirements when using an existing VNet.

VNet Name

Conditionally requires input

Name of the Azure VNet to connect to FortiGate Autoscale. Required when using an existing VNet. When creating a new VNet, this parameter can be left empty and a name will be generated.

VNet Resource Group Name

Conditionally requires input

Name of the resource group that contains the VNet and related network components.

Note

Required if the VNet is not in the Autoscale resource group (specified in the parameter Resource Group). If not specified, the Autoscale resource group will be used. For details, refer to the description for the parameter VNet Deployment Method. This resource group must be in the same region as the Autoscale resource group.