Azure Administration Guide

Prerequisites

Installing and configuring FortiGate Autoscale for Azure requires knowledge of the following:

  • Configuring a FortiGate using the CLI
  • Azure deployment templates
  • Azure Functions

It is expected that FortiGate Autoscale for Azure will be deployed by DevOps engineers or advanced system administrators who are familiar with the above.

Before you begin

Before starting the deployment, the following steps must be carried out:

  1. Log into your Azure account. If you do not already have one, create one by following the on-screen instructions.
  2. Create a service principal for Autoscale to interact with the different Azure services. The creation of the service principal may be done by a different Azure account.
    Caution

    The service principal requires read and write permissions which can be granted by adding the Contributor role to the service principal. In order to grant the service principal such permissions, the Azure account used to create the service principal requires the following permissions:

    • Microsoft.Authorization/roleAssignments/write (to add role assignments)
    • Microsoft.Authorization/roleAssignments/delete (to remove role assignments)

    These permissions are included in the roles User Access Administrator and Owner. For details, refer to the Microsoft article Add or remove role assignments using Azure RBAC and the Azure portal.


    Note the following items as you need them to deploy the Function App:

    Item               | Where to find it                                                                                                                                                                                                                                                     | Relevant FortiOS parameter
    -------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------
    Application ID     | Azure Active Directory > App registrations > (your app).                                                                                                                                                                                                             | Service Principal App ID
    Application secret | Shown only once, when it is created. You cannot retrieve the application secret afterwards, so record it at that time.                                                                                                                                               | Service Principal App Secret
    Object ID          | Open the Azure CLI and enter the command az ad sp show --id <the service principal client id>. The object ID displayed may differ from the object ID shown in Azure Active Directory > App registrations > (your-app), because the app registration and the service principal are separate directory objects. Use the value from the Azure CLI. | Service Principal Object ID
  3. Confirm that you have a valid subscription to the PAYG and/or BYOL marketplace listings for FortiGate, as required for your deployment.
    Note

    Without the valid subscriptions, the deployment will fail with errors.

Requirements when using an existing VNet

When using an existing VNet, ensure that the following FortiGate Autoscale for Azure requirements have been satisfied:

  • IP address ranges in the VNets satisfy the Microsoft requirements listed in the article What address ranges can I use in my VNets?
  • The VNet can contain 1 or more subnets but only up to 4 subnets can be used by the template deployment.
    • The FortiGate VMSS will be deployed in the subnet specified in Subnet 1 Name. This subnet will be referred to as ‘Subnet 1’. This subnet must:
      • be a clean subnet (i.e. not used by any other resource).
      • have two service endpoints that have been manually enabled, one for Microsoft.AzureCosmosDB and one for Microsoft.Web. If this requirement is not met, the template will automatically add the two service endpoints to the subnet (i.e. Subnet 1).
    • Up to 3 other subnets will be protected by the FortiGate VMSS.
  • One Network Security Group is associated with Subnet 1.
  • (Optional) One available (i.e. not associated with any resource) public IP address to be used for the external load balancer that will be created during template deployment.
    • This IP address must be of the Standard SKU in order to match the VMSS.
    • This requirement is optional as a new IP address can be created during template deployment, if the template parameter Frontend IP Address ID is intentionally left empty.
  • All the above components reside in the same resource group.
    • The location of the resource group should match the location of the deployment resource group.
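A pre-deployment check of the existing-VNet requirements above, as an added example that is not Fortinet's code: it takes dicts shaped like the JSON output of `az network vnet subnet show` and `az network public-ip show` (the field names are assumptions; verify them against your CLI version) and reports which requirements are unmet, including address ranges the Microsoft article says a VNet cannot use.

```python
"""Pre-deployment check of an existing VNet against the FortiGate Autoscale
requirements above. Input dicts mimic the JSON of `az network vnet subnet show`
and `az network public-ip show`; the field names are assumptions."""
import ipaddress

REQUIRED_ENDPOINTS = {"Microsoft.AzureCosmosDB", "Microsoft.Web"}
# Address ranges Azure does not allow in a VNet (multicast, broadcast,
# loopback, link-local, and the Azure internal DNS address).
DISALLOWED = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4", "255.255.255.255/32", "127.0.0.0/8",
    "169.254.0.0/16", "168.63.129.16/32")]

def check_subnet1(subnet):
    """Return a list of findings; an empty list means Subnet 1 is acceptable."""
    findings = []
    prefix = ipaddress.ip_network(subnet["addressPrefix"])
    if any(prefix.overlaps(d) for d in DISALLOWED):
        findings.append(f"address range {prefix} overlaps a range Azure disallows")
    if subnet.get("ipConfigurations"):
        findings.append("Subnet 1 is not clean: other resources already use it")
    present = {e["service"] for e in subnet.get("serviceEndpoints") or []}
    missing = sorted(REQUIRED_ENDPOINTS - present)
    if missing:  # not fatal: the template adds them, but expect the change
        findings.append(f"template will add missing service endpoints: {missing}")
    if not subnet.get("networkSecurityGroup"):
        findings.append("no Network Security Group is associated with Subnet 1")
    return findings

def check_frontend_ip(pip):
    """Check the optional pre-created public IP for the external load balancer."""
    findings = []
    if pip["sku"]["name"] != "Standard":
        findings.append("public IP must be Standard SKU to match the VMSS")
    if pip.get("ipConfiguration"):
        findings.append("public IP is already associated with another resource")
    return findings

# Constructed sample input, not taken from a real subscription.
SAMPLE_SUBNET = {
    "addressPrefix": "10.0.1.0/24",
    "ipConfigurations": [],
    "serviceEndpoints": [{"service": "Microsoft.Web"}],
    "networkSecurityGroup": {"id": "<placeholder-nsg-resource-id>"},
}
SAMPLE_PIP = {"sku": {"name": "Basic"}, "ipConfiguration": None}

if __name__ == "__main__":
    for f in check_subnet1(SAMPLE_SUBNET) + check_frontend_ip(SAMPLE_PIP):
        print("FINDING:", f)
```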

Requirements when creating a new VNet

Subnet 1 is always required because the Autoscale VMSS is deployed into subnet 1. Subnets 2, 3, and 4 are optional. If created, they will be protected by the FortiGate VMSS. If you specify input for subnet 2, a subnet will be created and used as ‘subnet 2’. Similarly, ‘subnet 3’ and ‘subnet 4’ will be created if input is specified.

The following parameters are used to specify input:

  • Subnet 1 Address Range is always required.
  • Subnet 1 Name is used to enter a name of your choice. Leave it empty and a name will be generated.
  • Subnet 2/3/4 Address Range, if provided, causes subnet 2/3/4 to be created.
  • Subnet 2/3/4 Name is used to enter a name of your choice. If the subnet is being created and this parameter is left empty, a name will be generated.

The parameters for subnet 2 to subnet 4 can be used in any combination. That is to say, the following combinations are valid:

  • For a 2-subnet deployment:
    • Subnet 1 + subnet 2
    • Subnet 1 + subnet 3
    • Subnet 1 + subnet 4
  • For a 3-subnet deployment:
    • Subnet 1 + subnet 2 + subnet 3
    • Subnet 1 + subnet 2 + subnet 4
    • Subnet 1 + subnet 3 + subnet 4
  • For a 4-subnet deployment, subnet 1 + subnet 2 + subnet 3 + subnet 4 are used.
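The subnet parameter rules above, worked through in an added example that is not the template's own code: it resolves the Subnet 1 to Subnet 4 parameters into the subnets that would be created, generates names when the name parameter is left empty (the `subnetN` format is an assumption), and adds a containment and overlap check that goes beyond the page, since Azure rejects subnets that overlap or fall outside the VNet address space.

```python
"""Resolve the subnet template parameters described above into the set of
subnets the deployment would create. Parameter names follow the page; the
generated-name format and the overlap check are assumptions added here."""
import ipaddress

def resolve_subnets(params, vnet_range):
    """Return [(name, network)] for subnets 1..4, or raise ValueError."""
    subnets = []
    for n in (1, 2, 3, 4):
        rng = (params.get(f"Subnet {n} Address Range") or "").strip()
        name = (params.get(f"Subnet {n} Name") or "").strip()
        if not rng:
            if n == 1:
                raise ValueError("Subnet 1 Address Range is always required")
            continue  # subnets 2-4 are optional: no range means no subnet
        net = ipaddress.ip_network(rng)
        # a name is generated when the Name parameter is empty (format assumed)
        subnets.append((name or f"subnet{n}", net))
    vnet = ipaddress.ip_network(vnet_range)
    for name, net in subnets:
        if not net.subnet_of(vnet):
            raise ValueError(f"{name} {net} lies outside VNet range {vnet}")
    for i, (a_name, a) in enumerate(subnets):
        for b_name, b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a_name} {a} and {b_name} {b} overlap")
    return subnets

# Constructed sample: a 3-subnet deployment using subnets 1, 2 and 4
SAMPLE_PARAMS = {
    "Subnet 1 Address Range": "10.0.0.0/24",
    "Subnet 1 Name": "fgt-subnet",
    "Subnet 2 Address Range": "10.0.1.0/24",
    "Subnet 2 Name": "",
    "Subnet 3 Address Range": "",
    "Subnet 4 Address Range": "10.0.3.0/24",
    "Subnet 4 Name": "",
}

if __name__ == "__main__":
    for name, net in resolve_subnets(SAMPLE_PARAMS, "10.0.0.0/16"):
        print(name, net)
```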
