Azure SDN connector for non-VM resources

The Azure SDN connector can resolve IP addresses dynamically for the following Azure resources:

  • VM network interfaces (including VMSS)
  • Internet-facing load balancers
  • Internal load balancers
  • Application gateways
Note

VPN gateways are currently not supported.

The following example demonstrates configuring a dynamic firewall address for an internet-facing load balancer.

To configure an internet-facing load balancer address in the GUI:
  1. Configure the Azure SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Microsoft Azure.
    3. Enter the settings based on your deployment, and click OK. The update interval is in seconds.
  2. Create the dynamic firewall address:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select the connector created in step 1 (azure-dev in this example).
      4. For SDN address type, select All.
      5. For Filter, enter Tag.devlb=lbkeyvalue. This matches every supported resource that carries the tag key devlb with the value lbkeyvalue.
    4. Click OK.

      After the tag filter is applied, the connector resolves the IP addresses of the matching resources and refreshes them at every update interval. Because membership is driven entirely by tags, anyone who can write tags on resources in the subscription can add addresses to, or remove them from, every policy that uses this object; restrict tag-write permissions accordingly.

  3. Ensure that the connector resolves the dynamic firewall IP address:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view the IP address it resolves to.
    3. In the Azure portal, confirm that the resolved IP address matches the public IP address of the load balancer.

To configure an internet-facing load balancer address in the CLI:
  1. Configure the Azure SDN connector:
    config system sdn-connector
        edit "azure-dev"
            set status enable
            set type azure
            set azure-region global
            set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set client-id "44e79db7-621d-46f3-8625-58e209654e58"
            set client-secret xxxxxxxxxx
            set update-interval 60
        next
    end
  2. Create the dynamic firewall address:
    config firewall address
        edit "taginternetfacinglb"
            set type dynamic
            set sdn "azure-dev"
            set filter "Tag.devlb=lbkeyvalue"
            set sdn-addr-type all
        next
    end

    After the tag filter is applied, the connector resolves the IP addresses of the matching resources and refreshes them at every update interval.

  3. Confirm that the connector resolves the dynamic firewall IP address:
    config firewall address
        edit "taginternetfacinglb"
            show
                config firewall address
                    edit "taginternetfacinglb"
                        set uuid df391760-3bb6-51ea-f775-421df18f368d
                        set type dynamic
                        set sdn "azure-dev"
                        set filter "Tag.devlb=lbkeyvalue"
                        set sdn-addr-type all
                        config list
                            edit "52.230.230.83"
                            next
                        end
                    next
                end
        next
    end
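The following Python script is an added example, not FortiOS or Fortinet code. It simulates what the connector does with the filter used above (match resources on the Tag.<key>=<value> condition, skip resource types the page lists as unsupported such as VPN gateways, and select public or private addresses according to sdn-addr-type) and then parses the config list block of a show dump to compare the firewall's resolved list with the expected one. The inventory of Azure resources and its simplified field names (publicIPs, privateIPs) are constructed for the example, and the mapping of sdn-addr-type values to public and private addresses is an assumption about FortiOS behaviour, not something the page states.

```python
"""Simulate Azure SDN connector tag-filter resolution and verify a FortiOS
'show' dump against it.  Added example; not Fortinet code."""
import re
from typing import Dict, List

# Constructed sample inventory in a simplified ARM-like shape (assumption;
# real Azure resource JSON nests these addresses under ipConfigurations /
# frontendIPConfigurations).
AZURE_RESOURCES = [
    {"name": "dev-lb-public", "type": "Microsoft.Network/loadBalancers",
     "tags": {"devlb": "lbkeyvalue", "env": "dev"},
     "publicIPs": ["52.230.230.83"], "privateIPs": []},
    {"name": "dev-lb-internal", "type": "Microsoft.Network/loadBalancers",
     "tags": {"devlb": "lbkeyvalue"},
     "publicIPs": [], "privateIPs": ["10.0.1.4"]},
    {"name": "web-nic-1", "type": "Microsoft.Network/networkInterfaces",
     "tags": {"devlb": "other"},           # wrong tag value: must not match
     "publicIPs": ["20.10.10.10"], "privateIPs": ["10.0.0.5"]},
    {"name": "vpn-gw", "type": "Microsoft.Network/virtualNetworkGateways",
     "tags": {"devlb": "lbkeyvalue"},      # right tag, unsupported type
     "publicIPs": ["40.0.0.1"], "privateIPs": []},
]

# Resource types the page lists as supported; VPN gateways are excluded.
SUPPORTED_TYPES = {
    "Microsoft.Network/networkInterfaces",
    "Microsoft.Network/loadBalancers",
    "Microsoft.Network/applicationGateways",
}

# Only the single-condition form shown on the page: Tag.<key>=<value>
FILTER_RE = re.compile(r"^Tag\.([^=]+)=(.*)$")


def parse_tag_filter(filter_str: str):
    """Return (key, value) from a 'Tag.<key>=<value>' filter string."""
    m = FILTER_RE.match(filter_str.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {filter_str!r}")
    return m.group(1), m.group(2)


def resolve_dynamic_address(filter_str: str, sdn_addr_type: str = "all",
                            resources=AZURE_RESOURCES) -> List[str]:
    """Addresses a connector would put into the dynamic address object.

    sdn_addr_type 'all' returns public and private addresses, 'public' or
    'private' only that class (assumed FortiOS semantics)."""
    if sdn_addr_type not in ("all", "public", "private"):
        raise ValueError(f"bad sdn-addr-type: {sdn_addr_type!r}")
    key, value = parse_tag_filter(filter_str)
    ips = set()
    for r in resources:
        if r["type"] not in SUPPORTED_TYPES or r["tags"].get(key) != value:
            continue
        if sdn_addr_type in ("all", "public"):
            ips.update(r["publicIPs"])
        if sdn_addr_type in ("all", "private"):
            ips.update(r["privateIPs"])
    return sorted(ips)


# Constructed 'show' dump, laid out like the one on the page.
SHOW_OUTPUT = """\
config firewall address
    edit "taginternetfacinglb"
        set uuid df391760-3bb6-51ea-f775-421df18f368d
        set type dynamic
        set sdn "azure-dev"
        set filter "Tag.devlb=lbkeyvalue"
        set sdn-addr-type all
        config list
            edit "52.230.230.83"
            next
        end
    next
end
"""


def resolved_ips_from_show(show_output: str) -> List[str]:
    """Extract the 'edit' entries of the 'config list' block in a show dump."""
    ips, in_list = [], False
    for line in show_output.splitlines():
        s = line.strip()
        if s == "config list":
            in_list = True
        elif in_list and s == "end":
            break
        elif in_list and s.startswith("edit "):
            ips.append(s[len("edit "):].strip('"'))
    return sorted(ips)


def check_resolution(expected: List[str], show_output: str) -> Dict[str, List[str]]:
    """Compare what the firewall resolved against what the tags imply."""
    got, exp = set(resolved_ips_from_show(show_output)), set(expected)
    return {"missing": sorted(exp - got), "unexpected": sorted(got - exp)}


if __name__ == "__main__":
    for addr_type in ("public", "all"):
        expected = resolve_dynamic_address("Tag.devlb=lbkeyvalue", addr_type)
        print(addr_type, expected, check_resolution(expected, SHOW_OUTPUT))
```

With sdn-addr-type all, an internal load balancer that carries the same tag contributes its private frontend address as well, so the object would also match traffic to 10.0.1.4 and the firewall's list above would be reported as missing that entry until the next update; choose sdn-addr-type public when the object should only ever hold internet-facing addresses.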
