Verifying the deployment
FortiGate autoscale for Azure deploys the following components:
- 1 public Load balancer. This load balancer is associated with the FortiGate subnet and the frontend public IP address to receive inbound traffic.
- 1 network security group
- 1 virtual machine scale set (VMSS) for bring your own license (BYOL)
- 1 VMSS for pay as you go
- 1 virtual network (VNet) (only if deployed with creating a new VNet)
- 1 public IP address
- 1 Azure Cosmos DB account
- 1 function app
- 1 application insights (automatically enabled if your region supports it)
- 1 app service plan
- 1 key vault
- 1 storage account
If deploying with FortiAnalyzer integration, FortiGate autoscale for Azure also deploys the following:
- 1 VM for FortiAnalyzer
- 1 network interface for the FortiAnalyzer
- 1 public IP address for the FortiAnalyzer (only if FortiAnalyzer Public IP Address ID is left empty)
- 2 disk components for use by FortiAnalyzer
For deployments that have two resource groups, FortiGate autoscale for Azure deploys the network related components to the VNet resource group and the DB, Storage account, and Function App related components are deployed to the Autoscale resource group.
FortiGate Autoscale for Azure is fully deployed once you verify the following components:
To load a resource group:
- In the Azure console, from the left navigation column, select Resource groups.
- Locate the resource group you wish to load by scrolling through the list or by using one or more of the name, subscription, and location filters. In the example below, this is fgtasg-rg.
- Click the name to load the resource group Overview page. In the example deployment, the VNet resource group is the same as the Autoscale resource group.
To verify the Function App:
- From the Autoscale resource group Overview page, load the Function App by clicking the name of the item of type Function App.
- From the navigation column, select Functions.
You should see four functions on the right:
- byol-license: The function to distribute BYOL licenses.
- faz-auth-handler: The function to handle authorization of FortiGate in the FortiAnalyzer.
- faz-auth-scheduler: The function to handle authorization of FortiGate in the FortiAnalyzer on a timely basis.
- fgt-as-handler: The main autoscaling function.
To verify the database:
- From the Autoscale resource group Overview page, click the Azure Cosmos DB account name.
- From the navigation column, click Data Explorer.
- Expand the database FortiGateAutoscale.
You will see the following database and tables:
- Database: FortiGateAutoscale
- Tables:
- ApiRequestCache
- Autoscale
- CustomLog
- FortiAnalyzer
- LicenseStock
- LicenseUsage
- PrimaryElection
- Settings
The database Data Explorer page will look as shown below:
To verify the primary election:
The elected primary FortiGate-VM will be logged in the CosmosDB FortiGateAutoscale in the table FortiGatePrimaryElection.
- Expand the FortiGatePrimaryElection table and click on Items.
- There will be one item in the table, select it.
- id is the unique identifier of a database record.
- scalingGroupName is the name of the Scale Set in which the primary FortiGate-VM is located.
- ip is the primary private IP address of the current primary FortiGate-VM.
- vmId is the index of the FortiGate-VM in the Scale Set.
- virtualNetworkID is the ID of the VNet in which the primary FortiGate-VM instance is located.
- subnetId is the ID of the subnet in which the primary FortiGate-VM is located.
- voteEndTime is the Unix time stamp for when this primary election should expire if the vote state cannot change to done by this time.
- voteState is the state of the voting process.
- pending: election of the primary instance is still in progress. You should wait for its completion. At this point in time, the final primary instance is not yet known.
- done: the primary election process has completed.