Configuring an Azure SDN connector for Azure resources
IP address resolving functionality is available for the following Azure resources:
- VM network interfaces (including VM scale sets)
- Internet-facing load balancers
- Internal load balancers
- Application gateways
VPN gateways are currently not supported.
The following example demonstrates configuring an Internet-facing load balancer.
To configure an Internet-facing load balancer address in the GUI:
1. Configure the Azure SDN connector:
   - Go to Security Fabric > External Connectors.
   - Click Create New, and select Microsoft Azure.
   - Enter the settings based on your deployment, and click OK. The update interval is in seconds.
2. Create the dynamic firewall address:
   - Go to Policy & Objects > Addresses.
   - Click Create New > Address and enter a name.
   - Configure the following settings:
     - For Type, select Dynamic.
     - For Sub Type, select Fabric Connector Address.
     - For SDN Connector, select azure-dev.
     - For SDN address type, select All.
     - For Filter, enter Tag.devlb=lbkeyvalue.
   - Click OK.
   FortiOS dynamically updates and resolves the corresponding IP addresses after applying the tag filter.
3. Ensure that the connector resolves the dynamic firewall IP address:
   - Go to Policy & Objects > Addresses.
   - In the address table, hover over the address created in step 2 to view the IP address that it resolves to.
   - In Azure, confirm that the IP address matches.
To configure an Internet-facing load balancer in the CLI:
1. Configure the Azure SDN connector:

    config system sdn-connector
        edit "azure-dev"
            set status enable
            set type azure
            set azure-region global
            set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set client-id "44e79db7-621d-46f3-8625-58e209654e58"
            set client-secret xxxxxxxxxx
            set update-interval 60
        next
    end

2. Create the dynamic firewall address:

    config firewall address
        edit "tagInternetfacinglb"
            set type dynamic
            set sdn "azure-dev"
            set filter "Tag.devlb=lbkeyvalue"
            set sdn-addr-type all
        next
    end

   The corresponding IP addresses are dynamically updated and resolved after applying the tag filter.

3. Confirm that the connector resolves the dynamic firewall IP address:

    config firewall address
        edit "tagInternetfacinglb"
            show
                config firewall address
                    edit "tagInternetfacinglb"
                        set uuid df391760-3bb6-51ea-f775-421df18f368d
                        set type dynamic
                        set sdn "azure-dev"
                        set filter "Tag.devlb=lbkeyvalue"
                        set sdn-addr-type all
                        config list
                            edit "52.230.230.83"
                            next
                        end
                    next
                end
        next
    end
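
The confirmation step can be scripted. The Python below is an added example, not Fortinet code: it parses saved show output for the dynamic address, extracts the entries under config list, and reports any difference from the IP addresses recorded in Azure, so that a tag applied to an unintended resource shows up as an unexpected address. The function names are assumptions, the sample text is constructed from the CLI listing above, and entries are assumed to be single IP addresses.

```python
import ipaddress
import shlex

# Constructed sample: show output for the dynamic address, as listed on this page.
SHOW_OUTPUT = """
config firewall address
    edit "tagInternetfacinglb"
        set uuid df391760-3bb6-51ea-f775-421df18f368d
        set type dynamic
        set sdn "azure-dev"
        set filter "Tag.devlb=lbkeyvalue"
        set sdn-addr-type all
        config list
            edit "52.230.230.83"
            next
        end
    next
end
"""

def resolved_addresses(show_text):
    """Return {address name: {"filter": str or None, "ips": set of str}}."""
    result, stack, current = {}, [], None
    for raw in show_text.splitlines():
        tok = shlex.split(raw)          # handles the quoted names and values
        if not tok:
            continue
        if tok[0] == "config":          # track nesting: address table vs. resolved list
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["firewall address"]:
            current = result.setdefault(tok[1], {"filter": None, "ips": set()})
        elif tok[0] == "edit" and stack == ["firewall address", "list"] and current is not None:
            current["ips"].add(str(ipaddress.ip_address(tok[1])))  # rejects non-IP entries
        elif tok[:2] == ["set", "filter"] and stack == ["firewall address"] and current is not None:
            current["filter"] = tok[2]
        elif tok[0] == "next" and stack == ["firewall address"]:
            current = None              # leaving this address object
    return result

def drift(show_text, name, expected_ips):
    """Return (missing, unexpected) relative to the IPs recorded in Azure."""
    got = resolved_addresses(show_text).get(name, {"ips": set()})["ips"]
    want = {str(ipaddress.ip_address(ip)) for ip in expected_ips}
    return sorted(want - got), sorted(got - want)
```

An empty pair from drift() means the firewall object and the Azure record agree; anything in the second list is an address the policy now matches that was not expected.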