
Azure Administration Guide

Azure services and components


FortiGate-VM for Azure is a Linux VM instance. The following table lists the Azure services and components that you need to understand when deploying FortiGate-VM. All services and components listed relate to an ordinary FortiGate-VM single-instance deployment or a FortiGate-native active-passive HA deployment.

Service/component Description

Azure Virtual Network (VNet)

The virtual network where the FortiGate-VM and protected VMs reside; users control this network. When you deploy FortiGate-VM, you can configure the relevant network settings.

VM

FortiGate-VM for Azure is a customized Linux VM instance.

Subnets, route tables

You must appropriately configure the FortiGate-VM with subnets and route tables to handle traffic.

When deploying from the marketplace launcher, there are two subnets for the FortiGate-VM labeled PublicFacingSubnet and InsideSubnet by default.

Resource group

A group of resources where the FortiGate-VM is deployed.

Availability Set

An availability set is a logical grouping capability that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they are deployed within an Azure datacenter. A set is usually intended to accommodate multiple VMs.

Public DNS IP address

You must allocate at least one public IP address to the FortiGate-VM to access and manage it over the Internet.

Security groups

Unlike AWS, you cannot configure Azure security groups at the time of FortiGate-VM deployment. By default, all traffic is allowed inbound to, or outbound from, the subnet or network interface. See Default security rules.

VHD

A special type of deployable image used for Azure. As long as you deploy FortiGate-VM from the marketplace launcher, you do not need VHD files. However, you can launch FortiGate-VM (BYOL) directly from the FortiGate-VM VHD image file instead of using the marketplace. Ask azuresales@fortinet.com to find out where you can obtain the VHD images if needed.

ARM Templates

You can deploy FortiGate-VM instances in two ways:

  1. Find the FortiGate-VM product listing on the marketplace and launch from it. You do not necessarily see Azure Resource Manager (ARM) templates onscreen but they are used on the backend. You can also download the templates once the deployment process proceeds.
  2. Launch a custom deployment in the Azure portal. Upload ARM templates of your choice that deploy FortiGate with your desired topology and configuration.

ARM templates are available on GitHub.

Fortinet-provided ARM templates are not supported within the regular Fortinet technical support scope. Contact azuresales@fortinet.com with questions.

Load Balancer

A network LB automatically distributes traffic across multiple FortiGate-VM instances when configured properly. Topologies differ depending on how you distribute incoming and outgoing traffic.

Fortinet provides a FortiGate marketplace product listing that automatically includes 2 FortiGate-VM nodes and an LB. See FortiGate Next-Generation Firewall for Azure LB HA.
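The Security groups row above notes that nothing filters a subnet or network interface until a security group is attached after deployment. The following check is an added example, not part of the Fortinet guide: it flags network interfaces that have no security group on the interface or on its subnet, listing those with a public IP address first. It assumes input shaped like the JSON from `az network vnet subnet list` and `az network nic list`; the sample records and resource IDs are constructed placeholders.

```python
import json

# Constructed sample data, shaped like the JSON from
# `az network vnet subnet list` and `az network nic list`.
# Resource IDs are shortened placeholders, not real Azure IDs.
SUBNETS = json.loads("""[
  {"id": "/placeholder/subnets/PublicFacingSubnet", "name": "PublicFacingSubnet",
   "networkSecurityGroup": null},
  {"id": "/placeholder/subnets/InsideSubnet", "name": "InsideSubnet",
   "networkSecurityGroup": {"id": "/placeholder/nsg/inside-nsg"}}
]""")

NICS = json.loads("""[
  {"name": "fgt-nic-public", "networkSecurityGroup": null,
   "ipConfigurations": [{"subnet": {"id": "/placeholder/subnets/PublicFacingSubnet"},
                         "publicIPAddress": {"id": "/placeholder/pip/fgt-pip"}}]},
  {"name": "fgt-nic-inside", "networkSecurityGroup": null,
   "ipConfigurations": [{"subnet": {"id": "/placeholder/subnets/InsideSubnet"},
                         "publicIPAddress": null}]},
  {"name": "mgmt-nic", "networkSecurityGroup": {"id": "/placeholder/nsg/mgmt-nsg"},
   "ipConfigurations": [{"subnet": {"id": "/placeholder/subnets/PublicFacingSubnet"},
                         "publicIPAddress": {"id": "/placeholder/pip/mgmt-pip"}}]}
]""")


def unfiltered_nics(subnets, nics):
    """Return findings for NICs with no NSG on the NIC or on its subnet."""
    # Azure resource IDs are case-insensitive, so compare them lower-cased.
    guarded = {s["id"].lower() for s in subnets if s.get("networkSecurityGroup")}
    findings = []
    for nic in nics:
        if nic.get("networkSecurityGroup"):
            continue  # a NIC-level NSG filters this interface
        configs = nic.get("ipConfigurations") or []
        open_cfgs = [c for c in configs
                     if (c.get("subnet") or {}).get("id", "").lower() not in guarded]
        if not open_cfgs:
            continue  # every subnet this NIC sits in has an NSG
        public = any(c.get("publicIPAddress") for c in open_cfgs)
        findings.append({"nic": nic["name"], "internet_facing": public})
    # Internet-facing interfaces first: they are the urgent ones.
    return sorted(findings, key=lambda f: not f["internet_facing"])


if __name__ == "__main__":
    for finding in unfiltered_nics(SUBNETS, NICS):
        print(finding)
```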
