Azure Administration Guide

Configuring an Azure SDN connector for Azure resources

IP address resolving functionality is available for the following Azure resources:

  • VM network interfaces (including VM scale sets)
  • Internet-facing load balancers
  • Internal load balancers
  • Application gateways
Note: VPN gateways are currently not supported.

The following example demonstrates configuring an Internet-facing load balancer.

To configure an Internet-facing load balancer address in the GUI:
  1. Configure the Azure SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Microsoft Azure.
    3. Enter the settings based on your deployment, and click OK. The update interval is in seconds.
  2. Create the dynamic firewall address:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select azure-dev.
      4. For SDN address type, select All.
      5. For Filter, enter Tag.devlb=lbkeyvalue.
    4. Click OK.

      FortiOS dynamically updates and resolves the corresponding IP addresses after applying the tag filter.

  3. Ensure that the connector resolves the dynamic firewall IP address:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view the IP address it resolves to.

    3. In Azure, confirm that the IP address matches.

To configure an Internet-facing load balancer in the CLI:
  1. Configure the Azure SDN connector:
    config system sdn-connector
        edit "azure-dev"
            set status enable
            set type azure
            set azure-region global
            set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set client-id "44e79db7-621d-46f3-8625-58e209654e58"
            set client-secret xxxxxxxxxx
            set update-interval 60
        next
    end
  2. Create the dynamic firewall address:
    config firewall address
        edit "tagInternetfacinglb"
            set type dynamic
            set sdn "azure-dev"
            set filter "Tag.devlb=lbkeyvalue"
            set sdn-addr-type all
        next
    end

    The corresponding IP addresses are dynamically updated and resolved after applying the tag filter.

  3. Confirm that the connector resolves the dynamic firewall IP address:
    config firewall address
        edit "tagInternetfacinglb"
            show
                config firewall address
                    edit "tagInternetfacinglb"
                        set uuid df391760-3bb6-51ea-f775-421df18f368d
                        set type dynamic
                        set sdn "azure-dev"
                        set filter "Tag.devlb=lbkeyvalue"
                        set sdn-addr-type all
                        config list
                            edit "52.230.230.83"
                            next
                        end
                    next
                end
        next
    end
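The `show` output above is the only view of what the tag filter actually resolved to, and because the filter matches every resource carrying `Tag.devlb=lbkeyvalue`, the resolved list is worth comparing against an Azure-side inventory rather than only eyeballing it. The following Python script is an added example (not part of the Fortinet guide or FortiOS): it parses the `show` text for the firewall address from the CLI step above, pulls the entries under `config list`, and compares them with a constructed list of Azure records, each carrying an `ipAddress` and a `tags` map. The shape of those records, the second untagged public IP, and the restriction of the filter parser to the `Tag.<key>=<value>` form shown on this page are all assumptions for illustration; a real check would feed it the `show` output from the FortiGate and an export from Azure taken with read-only credentials.

```python
"""Compare the IPs a FortiOS dynamic address resolved via the Azure SDN
connector with the IPs Azure reports for the same tag.

Added example, not part of the Fortinet guide. Input formats:
  * FortiOS `show` output for one firewall address (as printed on this page).
  * A JSON list of Azure records with "ipAddress" and "tags" (constructed
    sample shape; the real source is an Azure inventory export).
"""
import ipaddress
import json
import re

# Constructed sample: the `show` output from the CLI step, with its resolved IP.
FORTIOS_SHOW_OUTPUT = """\
config firewall address
    edit "tagInternetfacinglb"
        set uuid df391760-3bb6-51ea-f775-421df18f368d
        set type dynamic
        set sdn "azure-dev"
        set filter "Tag.devlb=lbkeyvalue"
        set sdn-addr-type all
        config list
            edit "52.230.230.83"
            next
        end
    next
end
"""

# Constructed sample: Azure public IP records reduced to the two fields this
# check uses. The second record carries a different tag and must not match.
AZURE_PUBLIC_IPS_JSON = json.dumps([
    {"name": "devlb-pip", "ipAddress": "52.230.230.83",
     "tags": {"devlb": "lbkeyvalue"}},
    {"name": "other-pip", "ipAddress": "20.50.60.70",
     "tags": {"role": "other"}},
])


def parse_fortios_address(show_output: str) -> dict:
    """Parse one `show` block for a firewall address.

    Returns the address name, connector, filter string and the set of IPs
    listed under `config list` (the addresses FortiOS currently resolved).
    """
    result = {"name": None, "sdn": None, "filter": None, "resolved": set()}
    in_list = False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("edit ") and result["name"] is None:
            result["name"] = line.split(" ", 1)[1].strip('"')
        elif line.startswith("set sdn "):          # not "set sdn-addr-type"
            result["sdn"] = line.split(" ", 2)[2].strip('"')
        elif line.startswith("set filter "):
            result["filter"] = line.split(" ", 2)[2].strip('"')
        elif line == "config list":
            in_list = True
        elif in_list and line == "end":
            in_list = False
        elif in_list and line.startswith("edit "):
            ip = line.split(" ", 1)[1].strip('"')
            # ip_address() normalises the text and rejects garbage entries.
            result["resolved"].add(str(ipaddress.ip_address(ip)))
    return result


def parse_tag_filter(filter_expr: str) -> tuple:
    """Split a filter of the form Tag.<key>=<value> into (key, value).

    Only the form shown on this page is handled; anything else is rejected
    rather than silently matched.
    """
    m = re.fullmatch(r"Tag\.([^=]+)=(.*)", filter_expr)
    if not m:
        raise ValueError("unsupported filter, expected Tag.<key>=<value>: %r" % filter_expr)
    return m.group(1), m.group(2)


def expected_ips_for_tag(azure_json: str, key: str, value: str) -> set:
    """IPs of the Azure records whose tags carry key=value."""
    return {str(ipaddress.ip_address(r["ipAddress"]))
            for r in json.loads(azure_json)
            if r.get("ipAddress") and r.get("tags", {}).get(key) == value}


def check_resolution(show_output: str, azure_json: str) -> dict:
    """Report the difference between what FortiOS resolved and what Azure has.

    "missing"    = tagged in Azure, not yet present on the FortiGate.
    "unexpected" = present on the FortiGate, but no Azure record with that tag.
    """
    addr = parse_fortios_address(show_output)
    key, value = parse_tag_filter(addr["filter"])
    expected = expected_ips_for_tag(azure_json, key, value)
    return {
        "address": addr["name"],
        "missing": sorted(expected - addr["resolved"]),
        "unexpected": sorted(addr["resolved"] - expected),
        "ok": expected == addr["resolved"],
    }


if __name__ == "__main__":
    print(json.dumps(check_resolution(FORTIOS_SHOW_OUTPUT, AZURE_PUBLIC_IPS_JSON), indent=2))
```

A `missing` entry may simply mean the configured `update-interval` has not elapsed since the resource was tagged; an `unexpected` entry means FortiOS is holding an IP that no Azure record with that tag explains, which is the case a reviewer of the policy that uses this address would want to investigate.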
