SDN connector in Azure Stack
FortiOS automatically updates dynamic addresses for Azure Stack on-premises environments through an Azure Stack SDN connector. The connector maps the following Azure Stack instance attributes to dynamic firewall addresses in FortiOS, so that a filter on any of them selects the matching instances' IP addresses:
- vm
- tag
- size
- securitygroup
- vnet
- subnet
- resourcegroup
- vmss
To configure the Azure Stack SDN connector using the GUI:
- Configure the Azure Stack SDN connector:
- Go to Security Fabric > External Connectors.
- Click Create New, and select Microsoft Azure.
- Configure the connector, substituting the Azure Stack settings for your deployment: the Azure Stack management server, the user name and password of the account the connector authenticates with, the login endpoint (which includes the tenant ID), and the resource URL. The update interval is in seconds. The connector only reads instance metadata, so a dedicated account with read-only access to the subscription is sufficient.
- Create a dynamic firewall address for the configured Azure Stack SDN connector:
- Go to Policy & Objects > Addresses.
- Click Create New, then select Address.
- Configure the address, selecting the Azure Stack SDN connector and the desired filter in the Filter dropdown list. In this example, the filter vm=tfgta makes the Azure Stack SDN connector populate and update IP addresses only for instances that are named tfgta.
- Ensure that the Azure Stack SDN connector resolves dynamic firewall IP addresses:
- Go to Policy & Objects > Addresses.
- Hover over the address created in step 2 to see the list of IP addresses for instances that are named tfgta, as configured by the filter in step 2.
To configure the Azure Stack SDN connector using CLI commands:
- Configure the Azure Stack SDN connector:
config system sdn-connector
    edit "azurestack1"
        set type azure
        set azure-region local
        set server "azurestack.external"
        set username "username@azurestoreexamplecompany.onmicrosoft.com"
        set password xxxxx
        set login-endpoint "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba"
        set resource-url "https://management.azurestoreexamplecompany.onmicrosoft.com/12b6fedd-9364-4cf0-822b-080d70298323"
        set update-interval 30
    next
end
- Create a dynamic firewall address for the configured Azure Stack SDN connector with a supported Azure Stack filter. In this example, the Azure Stack SDN connector will automatically populate and update IP addresses only for instances that are named tfgta:
config firewall address
    edit "azurestack-address-name1"
        set type dynamic
        set sdn "azurestack1"
        set filter "vm=tfgta"
    next
end
- Confirm that the Azure Stack SDN connector resolves dynamic firewall IP addresses using the configured filter. The resolved addresses appear in the config list sub-table. If it stays empty for a filter that should match, check the connector credentials and endpoints first: a dynamic address that resolves to nothing matches no traffic in the policies that reference it.
config firewall address
    edit "azurestack-address-name1"
        set type dynamic
        set sdn "azurestack1"
        set filter "vm=tfgta"
        config list
            edit "10.0.1.4"
            next
            edit "10.0.2.4"
            next
            edit "10.0.3.4"
            next
            edit "10.0.4.4"
            next
            edit "192.168.102.32"
            next
            edit "192.168.102.35"
            next
        end
    next
end
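The attribute-to-address mapping listed at the top of this page and the verification step above can be checked offline. The following Python script is an added example written for this page, not FortiOS or Fortinet code: it applies a filter such as vm=tfgta to a constructed inventory of instances carrying the mapped attributes, parses the config firewall address dump from the last CLI step, and reports whether the addresses FortiOS lists are exactly those the filter should resolve to. The inventory is constructed to mirror the page's sample output; the filter grammar implemented in matches() (key=value terms, tag.<name>=<value>, & for AND, | for OR, an empty filter selecting every instance) is an assumption about the FortiOS filter syntax and is not stated on this page.

```python
"""Offline check of an Azure Stack SDN connector filter against a CLI dump.

Added example for this page, not FortiOS or Fortinet code. INSTANCES is a
constructed inventory built to mirror the page's sample output. The filter
grammar in matches() (key=value terms, 'tag.<name>=<value>', '&' for AND,
'|' for OR, empty filter = every instance) is an ASSUMPTION about FortiOS
filter syntax, not something this page specifies.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory. Each record carries the attributes the connector maps
# (vm, tag, size, securitygroup, vnet, subnet, resourcegroup, vmss) and the
# addresses FortiOS would learn for that instance.
INSTANCES: List[Dict] = [
    {"vm": "tfgta", "tag": {"env": "test"}, "size": "Standard_D2_v2",
     "securitygroup": "nsg-test", "vnet": "vnet1", "subnet": "sub1",
     "resourcegroup": "rg-test", "vmss": "",
     "ips": ["10.0.1.4", "10.0.2.4", "10.0.3.4", "10.0.4.4",
             "192.168.102.32", "192.168.102.35"]},
    {"vm": "web01", "tag": {"env": "prod"}, "size": "Standard_D2_v2",
     "securitygroup": "nsg-web", "vnet": "vnet1", "subnet": "sub2",
     "resourcegroup": "rg-prod", "vmss": "", "ips": ["10.0.5.4"]},
    {"vm": "web02", "tag": {"env": "prod"}, "size": "Standard_D2_v2",
     "securitygroup": "nsg-web", "vnet": "vnet1", "subnet": "sub2",
     "resourcegroup": "rg-prod", "vmss": "webscale", "ips": ["10.0.5.5"]},
]

# The verification dump from the CLI procedure above, copied from the page.
CLI_OUTPUT = """config firewall address
edit "azurestack-address-name1"
set type dynamic
set sdn "azurestack1"
set filter "vm=tfgta"
config list
edit "10.0.1.4"
next
edit "10.0.2.4"
next
edit "10.0.3.4"
next
edit "10.0.4.4"
next
edit "192.168.102.32"
next
edit "192.168.102.35"
next
end
next
end
"""


def _match_term(inst: Dict, term: str) -> bool:
    """Evaluate one key=value term; 'tag.<name>' looks inside the tag map."""
    key, _, value = term.partition("=")
    key, value = key.strip(), value.strip()
    if key.startswith("tag."):
        return inst.get("tag", {}).get(key[len("tag."):]) == value
    return str(inst.get(key, "")) == value


def matches(inst: Dict, filter_expr: str) -> bool:
    """OR of AND-clauses; an empty filter selects every instance (assumed)."""
    if not filter_expr.strip():
        return True
    return any(all(_match_term(inst, t) for t in clause.split("&"))
               for clause in filter_expr.split("|"))


def resolve(filter_expr: str, instances: List[Dict] = INSTANCES) -> List[str]:
    """Addresses the connector should place in the dynamic address."""
    ips = {ip for inst in instances if matches(inst, filter_expr)
           for ip in inst["ips"]}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def parse_resolved(cli_text: str) -> Tuple[str, List[str]]:
    """Pull the filter and the 'config list' entries out of a CLI dump."""
    m = re.search(r'set filter "([^"]*)"', cli_text)
    filter_expr = m.group(1) if m else ""
    block = re.search(r"config list\n(.*?)\nend\b", cli_text, re.S)
    ips = re.findall(r'edit "([^"]+)"', block.group(1)) if block else []
    return filter_expr, ips


def verify(cli_text: str, instances: List[Dict] = INSTANCES):
    """Compare the addresses FortiOS reports with what the filter should yield.

    Returns (ok, missing, unexpected). An empty 'config list' for a filter that
    should match something usually means the connector could not authenticate
    or has not completed an update cycle yet.
    """
    filter_expr, reported = parse_resolved(cli_text)
    expected, got = set(resolve(filter_expr, instances)), set(reported)
    return got == expected, sorted(expected - got), sorted(got - expected)


if __name__ == "__main__":
    ok, missing, unexpected = verify(CLI_OUTPUT)
    print("match" if ok else f"mismatch: missing={missing} unexpected={unexpected}")
```

To use it against a real firewall, replace INSTANCES with the VMs and addresses you expect from your Azure Stack subscription and paste the dump of the dynamic address into CLI_OUTPUT; a non-empty "missing" list after the update interval has elapsed points at the filter or the connector, while "unexpected" entries indicate instances you did not intend the policy to cover.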