Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Azure Administration Guide

    Home FortiGate Public Cloud 7.0.0 Azure Administration Guide
    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Prerequisites

    Prerequisites

    Installing and configuring FortiGate Autoscale for Azure requires knowledge of the following:

    • Configuring a FortiGate using the CLI
    • Azure deployment templates
    • Azure Functions

    That DevOps engineers or advanced system administrators who are familiar with the aforementioned items will deploy FortiGate Autoscale for Azure is expected.

    Before you begin

    Before starting the deployment, you must do the following:

    1. Log into your Azure account. If you do not have one, create one by following the onscreen instructions.
    2. Create a service principal for Autoscale to interact with the different Azure services. A different Azure account may create the service principal.
      Caution

      The service principal requires read and write permissions which you can grant by adding the Contributor role to the service principal. To grant the service principal such permissions, the Azure account used to create the service principal requires the following permissions:

      • Microsoft.Authorization/roleAssignments/write (to add role assignments)
      • Microsoft.Authorization/roleAssignments/delete (to remove role assignments)

      The User Access Administrator and Owner roles include these permissions. See Add or remove role assignments using Azure RBAC and the Azure portal.


      Note the following items as you need them to deploy the Function App:

      Item

      Where to find it

      Relevant FortiOS parameter

      Application ID

      Microsoft Entra ID > App registrations > (your app).

      Service Principal App ID

      Application secret

      Only appears once. You cannot retrieve the application secret.

      Service Principal App Secret

      Object ID

      Open the Azure CLI and enter the command az ad sp show --id <the service principal client id>. The object ID displayed may differ from the object ID displayed in Microsoft Entra ID > App registrations > (your-app). Use the value from the Azure CLI.

      Service Principal Object ID

    3. Confirm that you have a valid subscription to the PAYG and/or BYOL marketplace listings for FortiGate as your deployment requires.
      Note

      Without the valid subscriptions, the deployment fails with errors.

    Requirements when using an existing VNet

    When using an existing VNet, ensure that the following FortiGate Autoscale for Azure requirements are satisfied:

    • IP address ranges in the VNets satisfy the Microsoft requirements in What address ranges can I use in my VNets?
    • The VNet can contain one or more subnets but the template deployment can use only up to four subnets.
      • The FortiGate VMSS is deployed in the subnet specified in Subnet 1 Name. This subnet is referred to as "Subnet 1". This subnet must:
        • Be a clean subnet (i.e. is no other resource uses it.)
        • Have two service endpoints that have been manually enabled, one for Microsoft.AzureCosmosDB, and one for Microsoft.Web. If this requirement is not met, the template automatically adds the two service endpoints to the subnet (I.e. Subnet 1).
      • The FortiGate VMSS protects up to three other subnets.
    • One network security group is associated with Subnet 1.
    • (Optional) One available (i.e. not associated with any resource) public IP address to be used for the external load balancer that is created during template deployment.
      • This IP address must be of the "standard" SKU to match the VMSS.
      • This requirement is optional as a new IP address can be created during template deployment, if the template parameter Frontend IP Address ID is intentionally left empty.
    • All the aforementioned components reside in the same resource group. The location of the resource group matches the location of the deployment resource group.

    Requirements when creating a new VNet

    Subnet 1 is always required because the Autoscale VMSS is deployed into subnet 1. Subnets 2, 3, and 4 are optional. If created, they will be protected by the FortiGate VMSS. If you specify input for subnet 2, a subnet will be created and used as ‘subnet 2’. Similarly, ‘subnet 3’ and ‘subnet 4’ will be created if input is specified.

    The following parameters are used to specify input:

    • Subnet 1 Address Range is always required.
    • Subnet 1 Name is used to enter a name of your choice. Leave it empty and a name will be generated.
    • Subnet 2/3/4 Address Range, if provided, will assume the creation of subnet 2/3/4.
    • Subnet 2/3/4 Name is used to enter a name of your choice. If the subnet is being created and this parameter is left empty, a name will be generated.

    The parameters for subnet 2 to subnet 4 can be used in any combination. That is to say, the following combinations are valid:

    • For a 2-subnet deployment:
      • Subnet 1 + subnet 2
      • Subnet 1 + subnet 3
      • Subnet 1 + subnet 4
    • For a 3-subnet deployment:
      • Subnet 1 + subnet 2 + subnet 3
      • Subnet 1 + subnet 2 + subnet 4
      • Subnet 1 + subnet 3 + subnet 4
    • For a 4-subnet deployment, subnet 1 + subnet 2 + subnet 3 + subnet 4 are used.
    Previous
    Next

    Prerequisites

    Prerequisites

    Installing and configuring FortiGate Autoscale for Azure requires knowledge of the following:

    • Configuring a FortiGate using the CLI
    • Azure deployment templates
    • Azure Functions

    That DevOps engineers or advanced system administrators who are familiar with the aforementioned items will deploy FortiGate Autoscale for Azure is expected.

    Before you begin

    Before starting the deployment, you must do the following:

    1. Log into your Azure account. If you do not have one, create one by following the onscreen instructions.
    2. Create a service principal for Autoscale to interact with the different Azure services. A different Azure account may create the service principal.
      Caution

      The service principal requires read and write permissions which you can grant by adding the Contributor role to the service principal. To grant the service principal such permissions, the Azure account used to create the service principal requires the following permissions:

      • Microsoft.Authorization/roleAssignments/write (to add role assignments)
      • Microsoft.Authorization/roleAssignments/delete (to remove role assignments)

      The User Access Administrator and Owner roles include these permissions. See Add or remove role assignments using Azure RBAC and the Azure portal.


      Note the following items as you need them to deploy the Function App:

      Item

      Where to find it

      Relevant FortiOS parameter

      Application ID

      Microsoft Entra ID > App registrations > (your app).

      Service Principal App ID

      Application secret

      Only appears once. You cannot retrieve the application secret.

      Service Principal App Secret

      Object ID

      Open the Azure CLI and enter the command az ad sp show --id <the service principal client id>. The object ID displayed may differ from the object ID displayed in Microsoft Entra ID > App registrations > (your-app). Use the value from the Azure CLI.

      Service Principal Object ID

    3. Confirm that you have a valid subscription to the PAYG and/or BYOL marketplace listings for FortiGate as your deployment requires.
      Note

      Without the valid subscriptions, the deployment fails with errors.

    Requirements when using an existing VNet

    When using an existing VNet, ensure that the following FortiGate Autoscale for Azure requirements are satisfied:

    • IP address ranges in the VNets satisfy the Microsoft requirements in What address ranges can I use in my VNets?
    • The VNet can contain one or more subnets but the template deployment can use only up to four subnets.
      • The FortiGate VMSS is deployed in the subnet specified in Subnet 1 Name. This subnet is referred to as "Subnet 1". This subnet must:
        • Be a clean subnet (i.e. is no other resource uses it.)
        • Have two service endpoints that have been manually enabled, one for Microsoft.AzureCosmosDB, and one for Microsoft.Web. If this requirement is not met, the template automatically adds the two service endpoints to the subnet (I.e. Subnet 1).
      • The FortiGate VMSS protects up to three other subnets.
    • One network security group is associated with Subnet 1.
    • (Optional) One available (i.e. not associated with any resource) public IP address to be used for the external load balancer that is created during template deployment.
      • This IP address must be of the "standard" SKU to match the VMSS.
      • This requirement is optional as a new IP address can be created during template deployment, if the template parameter Frontend IP Address ID is intentionally left empty.
    • All the aforementioned components reside in the same resource group. The location of the resource group matches the location of the deployment resource group.

    Requirements when creating a new VNet

    Subnet 1 is always required because the Autoscale VMSS is deployed into subnet 1. Subnets 2, 3, and 4 are optional. If created, they will be protected by the FortiGate VMSS. If you specify input for subnet 2, a subnet will be created and used as ‘subnet 2’. Similarly, ‘subnet 3’ and ‘subnet 4’ will be created if input is specified.

    The following parameters are used to specify input:

    • Subnet 1 Address Range is always required.
    • Subnet 1 Name is used to enter a name of your choice. Leave it empty and a name will be generated.
    • Subnet 2/3/4 Address Range, if provided, will assume the creation of subnet 2/3/4.
    • Subnet 2/3/4 Name is used to enter a name of your choice. If the subnet is being created and this parameter is left empty, a name will be generated.

    The parameters for subnet 2 to subnet 4 can be used in any combination. That is to say, the following combinations are valid:

    • For a 2-subnet deployment:
      • Subnet 1 + subnet 2
      • Subnet 1 + subnet 3
      • Subnet 1 + subnet 4
    • For a 3-subnet deployment:
      • Subnet 1 + subnet 2 + subnet 3
      • Subnet 1 + subnet 2 + subnet 4
      • Subnet 1 + subnet 3 + subnet 4
    • For a 4-subnet deployment, subnet 1 + subnet 2 + subnet 3 + subnet 4 are used.
    Previous
    Next