
Azure Administration Guide

FortiGate Autoscale for Azure features

Major components

  • The Function App. The Function App handles all the autoscaling features including: primary/secondary role assignment, license distribution, and failover management.
  • The BYOL Scale Set. This scale set contains 0 to many FortiGate-VMs of the BYOL licensing model and is a VMSS with a fixed size. Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.
    Note

    For BYOL-only and hybrid licensing deployments, the BYOL Instance Count must be at least 2. These FortiGate-VMs are the main instances: their number is fixed and they run 24x7. If the count is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.

  • The PAYG Scale Set. The Scale Set contains 0 to many FortiGate-VMs of the PAYG licensing model and will dynamically scale-out or scale-in based on the scaling metrics specified by the parameters Scale Out Threshold and Scale in Threshold.
    Note

    For PAYG-only deployments, the PAYG Instance Count must be at least 2. These FortiGate-VMs are the main instances: their number is fixed and they run 24x7. If the count is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.

  • The Blob Containers.
    • The configset container contains files that are loaded as the initial configuration of a new FortiGate-VM instance.
      • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
      • httproutingpolicy and httpsroutingpolicy are provided as part of the base configset for a common use case: they specify the FortiGate firewall policies for the HTTP and HTTPS routing VIPs respectively. This common use case consists of a VIP on port 80 and a VIP on port 443, each with a policy that points to an internal load balancer.
      • extrastaticroute is empty by default. Static route configurations can be added here if a network needs them. The following example manually adds a static route; 168.63.129.16 is the Azure platform virtual IP used for load balancer health probes and other platform services, so the FortiGate-VM must be able to reach it through the correct port and gateway:

        config router static
            edit 1
                set dst 168.63.129.16 255.255.255.255
                set gateway <subnet gateway>
                set priority <any number>
                set device "<port name>"
            next
        end

    • The fgt-asg-license container contains the BYOL license files.
  • Database tables. These tables are required to store information such as health check monitoring, primary election, state transitions, etc. These records should not be modified unless required for troubleshooting purposes.
  • Networking Components.
    • One virtual network
    • Two Load Balancers (with names ending with -external-load-balancer and -internal-load-balancer)
    • One network security group (with a name ending with -network-security-group)
    • One public IP address
    • Four route tables

Configset placeholders

When the FortiGate-VM requests the configuration from the Autoscaling handler function, the placeholders in the table below will be replaced with actual values for the Autoscaling group.

Placeholder           | Type   | Description
----------------------|--------|---------------------------------------------------------------
{SYNC_INTERFACE}      | Text   | The interface FortiGate-VMs use to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase.
{CALLBACK_URL}        | URL    | The full URL of the Autoscaling handler function.
{PSK_SECRET}          | Text   | The pre-shared key used in FortiOS.
{ADMIN_PORT}          | Number | The admin port; replaced with 443.
{HEART_BEAT_INTERVAL} | Number | The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder exists only in the hybrid licensing deployment.
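The substitution step described above can be reproduced locally to check a modified baseconfig before it is uploaded to the configset container. The following Python is an added example, not Fortinet's handler code: it finds every {PLACEHOLDER} in a template, validates the supplied values against the rules in the table (lowercase portN interface, full callback URL, non-empty PSK, admin port 443, positive heartbeat interval), and refuses to render a configuration that still contains an unknown or unfilled placeholder. The template text and all values are constructed for the example; the FortiOS commands in it are shaped like a FortiOS configuration but are not the baseconfig file shipped with the deployment.

```python
import re
from urllib.parse import urlparse

# Constructed sample template (not the shipped baseconfig); it only needs to
# carry the placeholders from the Configset placeholders table.
SAMPLE_BASECONFIG = """\
config system global
    set admin-sport {ADMIN_PORT}
end
config system auto-scale
    set status enable
    set sync-interface "{SYNC_INTERFACE}"
    set psksecret "{PSK_SECRET}"
    set callback-url "{CALLBACK_URL}"
    set hb-interval {HEART_BEAT_INTERVAL}
end
"""

# Constructed values of the kind the Autoscaling handler function supplies.
SAMPLE_VALUES = {
    "SYNC_INTERFACE": "port1",
    "CALLBACK_URL": "https://example-function-app.azurewebsites.net/api/fgt-as-handler",
    "PSK_SECRET": "constructed-psk-not-a-real-secret",
    "ADMIN_PORT": 443,
    "HEART_BEAT_INTERVAL": 30,
}

PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")
INTERFACE_RE = re.compile(r"^port[0-9]+$")  # lowercase only, as the table requires


def find_placeholders(template):
    """Return the set of placeholder names present in a configset file."""
    return set(PLACEHOLDER_RE.findall(template))


def validate_values(values):
    """Check supplied values against the placeholder table's rules.
    Returns a list of problem strings; an empty list means all values pass."""
    problems = []
    if not INTERFACE_RE.match(str(values.get("SYNC_INTERFACE", ""))):
        problems.append("SYNC_INTERFACE: must be a lowercase interface name such as port1")
    url = urlparse(str(values.get("CALLBACK_URL", "")))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("CALLBACK_URL: must be a full URL to the handler function")
    if not str(values.get("PSK_SECRET", "")).strip():
        problems.append("PSK_SECRET: must not be empty")
    if str(values.get("ADMIN_PORT", "")) != "443":
        problems.append("ADMIN_PORT: expected 443")
    hb = values.get("HEART_BEAT_INTERVAL")  # hybrid deployments only, so optional
    if hb is not None and (not isinstance(hb, int) or hb <= 0):
        problems.append("HEART_BEAT_INTERVAL: must be a positive number of seconds")
    return problems


def render_configset(template, values):
    """Substitute every placeholder. A leftover or unknown placeholder is an
    error: FortiOS would otherwise load the literal {NAME} text as a value."""
    problems = validate_values(values)
    if problems:
        raise ValueError("; ".join(problems))
    missing = find_placeholders(template) - set(values)
    if missing:
        raise ValueError("no value for placeholder(s): " + ", ".join(sorted(missing)))
    return PLACEHOLDER_RE.sub(lambda m: str(values[m.group(1)]), template)


if __name__ == "__main__":
    # The rendered text contains the PSK; keep it off logs and shared terminals.
    rendered = render_configset(SAMPLE_BASECONFIG, SAMPLE_VALUES)
    print("placeholders found:", sorted(find_placeholders(SAMPLE_BASECONFIG)))
    print("placeholders left after rendering:", find_placeholders(rendered))
```

Run it against your own edited baseconfig by reading the file into `template` in place of SAMPLE_BASECONFIG; a placeholder you introduced by mistake (for example a typo such as {SYNC_INTERFCE}) shows up as a "no value for placeholder" error rather than ending up verbatim in a running FortiGate-VM configuration.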

Function App environment variables

Azure infrastructure-related environment variables

The variables in the table below hold information that enables the function to use the required Azure services. Changing their values may cause services to be unreachable by the function. Modify them at your own risk.

Variable name            | Description
-------------------------|--------------------------------------------------------------------------
RESOURCE_GROUP           | Name of the resource group the template is deployed in.
CLIENT_ID                | Identical to the related parameter described in the section Configurable variables.
CLIENT_SECRET            | Identical to the related parameter described in the section Configurable variables.
WEBSITE_RUN_FROM_ZIP     | Identical to the related parameter described in the section Configurable variables.
AUTOSCALE_DB_PRIMARY_KEY | The CosmosDB account access key automatically created with the CosmosDB account.
TENANT_ID                | The Azure Directory ID for the Active Directory of your current subscription.
SUBSCRIPTION_ID          | Your Azure Subscription ID.
AUTOSCALE_DB_ACCOUNT     | The CosmosDB account created for the current FortiGate Autoscale deployment.
AZURE_STORAGE_ACCOUNT    | The Blob Storage account name automatically created during the deployment.
AZURE_STORAGE_ACCESS_KEY | The Blob Storage account access key automatically created with the Blob Storage account.

FortiGate Autoscale required environment variables

Changing the values of the following variables can cause unexpected function behavior. Modify them at your own risk.

Variable name            | Description
-------------------------|--------------------------------------------------------------------------
UNIQUE_ID                | Reserved, empty string.
CUSTOM_ID                | Reserved, empty string.
RESOURCE_TAG_PREFIX      | An Autoscaling feature variable that is automatically created. Reserved for future use.
AUTOSCALE_KEY_VAULT_NAME | Name of the Key Vault service.

Troubleshooting environment variables

The following variables assist in troubleshooting the current FortiGate Autoscale deployment.

Variable name                     | Description
----------------------------------|-----------------------------------------------------------------
DEBUG_SAVE_CUSTOM_LOG             | Set to true to save script logs to the DB table CUSTOM_LOG (the default). Set to false to disable this feature.
DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED | Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false to give every log output its own log item (the default).
DEBUG_LOGGER_TIMEZONE_OFFSET      | Set to the UTC offset of the current deployment location for a better logging display time.

For details on how to modify the troubleshooting environment variables, refer to the section Troubleshooting using environment variables.
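Because the three tables above say that a missing or altered value can make Azure services unreachable or change function behaviour, it is useful to audit the Function App settings before and after any change. The following Python is an added example, not part of the Fortinet deployment: it checks that every variable named in the tables is present, that the infrastructure variables are non-empty, applies the documented defaults for the DEBUG_* flags, and produces a report in which the three access-key or secret values (CLIENT_SECRET, AUTOSCALE_DB_PRIMARY_KEY, AZURE_STORAGE_ACCESS_KEY) are redacted so the report can be shared or logged. Which variables are treated as "must be non-empty" versus "reserved, may be empty" is this example's assumption derived from the table descriptions, and the settings dictionary is constructed sample data, not a real deployment.

```python
# Variables the tables describe as carrying a real value (assumption: must be non-empty).
REQUIRED_NONEMPTY = (
    "RESOURCE_GROUP", "CLIENT_ID", "CLIENT_SECRET", "WEBSITE_RUN_FROM_ZIP",
    "AUTOSCALE_DB_PRIMARY_KEY", "TENANT_ID", "SUBSCRIPTION_ID",
    "AUTOSCALE_DB_ACCOUNT", "AZURE_STORAGE_ACCOUNT", "AZURE_STORAGE_ACCESS_KEY",
    "AUTOSCALE_KEY_VAULT_NAME",
)
# Variables the tables describe as reserved; they must exist but may be empty.
RESERVED = ("UNIQUE_ID", "CUSTOM_ID", "RESOURCE_TAG_PREFIX")
# Values that are credentials and must never appear in a report or log.
SECRET_SETTINGS = {"CLIENT_SECRET", "AUTOSCALE_DB_PRIMARY_KEY", "AZURE_STORAGE_ACCESS_KEY"}

# Constructed sample of a Function App's application settings (not a real deployment).
SAMPLE_SETTINGS = {
    "RESOURCE_GROUP": "example-fgt-autoscale-rg",
    "CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "CLIENT_SECRET": "constructed-client-secret",
    "WEBSITE_RUN_FROM_ZIP": "https://examplestorage.blob.core.windows.net/example/functionapp.zip",
    "AUTOSCALE_DB_PRIMARY_KEY": "constructed-cosmosdb-key",
    "TENANT_ID": "11111111-1111-1111-1111-111111111111",
    "SUBSCRIPTION_ID": "22222222-2222-2222-2222-222222222222",
    "AUTOSCALE_DB_ACCOUNT": "example-autoscale-db",
    "AZURE_STORAGE_ACCOUNT": "examplestorage",
    "AZURE_STORAGE_ACCESS_KEY": "constructed-storage-key",
    "UNIQUE_ID": "",
    "CUSTOM_ID": "",
    "RESOURCE_TAG_PREFIX": "",
    "AUTOSCALE_KEY_VAULT_NAME": "example-keyvault",
    "DEBUG_SAVE_CUSTOM_LOG": "true",
    # DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED deliberately unset: the default (false) applies.
    "DEBUG_LOGGER_TIMEZONE_OFFSET": "-8",
}


def parse_bool(raw, default):
    """Parse a true/false app setting; unset or empty means the documented default."""
    if raw is None or raw == "":
        return default
    lowered = raw.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    raise ValueError(f"expected true or false, got {raw!r}")


def troubleshooting_settings(env):
    """Resolve the three DEBUG_* variables with the defaults stated in the table."""
    tz = env.get("DEBUG_LOGGER_TIMEZONE_OFFSET")
    return {
        "save_custom_log": parse_bool(env.get("DEBUG_SAVE_CUSTOM_LOG"), True),
        "logger_output_queue_enabled": parse_bool(env.get("DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED"), False),
        "timezone_offset": int(tz) if tz not in (None, "") else None,
    }


def audit_settings(env):
    """Report missing and empty variables plus a redacted copy safe to share."""
    missing = [name for name in REQUIRED_NONEMPTY + RESERVED if name not in env]
    empty = [name for name in REQUIRED_NONEMPTY if name in env and env[name] == ""]
    redacted = {
        name: ("<redacted>" if name in SECRET_SETTINGS else env[name])
        for name in REQUIRED_NONEMPTY + RESERVED if name in env
    }
    return {
        "missing": missing,
        "empty": empty,
        "redacted": redacted,
        "troubleshooting": troubleshooting_settings(env),
    }


if __name__ == "__main__":
    import json
    # Only the redacted view is printed; secret values never leave the dict.
    print(json.dumps(audit_settings(SAMPLE_SETTINGS), indent=2))
```

To audit a live Function App, feed `audit_settings` the settings dictionary you obtain from the Azure CLI or portal instead of SAMPLE_SETTINGS; an entry in "missing" or "empty" for one of the infrastructure variables is the first thing to check when the function reports that a service is unreachable.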
