FortiGate Autoscale for Azure features
Major components
- The Function App. The Function App handles all the autoscaling features, including primary/secondary role assignment, license distribution, and failover management.
- The BYOL Scale Set. This scale set contains zero or more FortiGate-VMs of the BYOL licensing model and is a VMSS with a fixed size. Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.
  For BYOL-only and hybrid licensing deployments, the BYOL Instance Count must be at least 2. These FortiGate-VMs are the main instances; they are fixed and run 7x24. If the count is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.
- The PAYG Scale Set. This scale set contains zero or more FortiGate-VMs of the PAYG licensing model and dynamically scales out or scales in based on the scaling metrics specified by the parameters Scale Out Threshold and Scale In Threshold.
  For PAYG-only deployments, the PAYG Instance Count must be at least 2. These FortiGate-VMs are the main instances; they are fixed and run 7x24. If the count is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.
- The Blob Containers.
  - The configset container contains files that are loaded as the initial configuration of a new FortiGate-VM instance.
    - baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
    - httproutingpolicy and httpsroutingpolicy are provided as part of the base configset for a common use case: a VIP on port 80 and a VIP on port 443, each with a firewall policy that points to an internal load balancer. They specify the FortiGate firewall policy for the HTTP routing VIP and the HTTPS routing VIP respectively.
    - extrastaticroute is empty by default. Static route configuration can be added here if the network needs it. An example of manually adding a static route:

          config router static
              edit 1
                  set dst 168.63.129.16 255.255.255.255
                  set gateway <subnet gateway>
                  set priority <any number>
                  set device "<port name>"
              next
          end

  - The fgt-asg-license container contains the BYOL license files.
- Database tables. These tables store information such as health check monitoring, primary election, and state transitions. These records should not be modified unless required for troubleshooting purposes.
- Networking Components.
  - One virtual network
  - Two load balancers (with names ending in -external-load-balancer and -internal-load-balancer)
  - One network security group (with a name ending in -network-security-group)
  - One public IP address
  - Four route tables
Configset placeholders
When the FortiGate-VM requests the configuration from the Autoscaling handler function, the placeholders in the table below will be replaced with actual values for the Autoscaling group.
| Placeholder | Type | Description |
|---|---|---|
| {SYNC_INTERFACE} | Text | The interface for FortiGate-VMs to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase. |
| {CALLBACK_URL} | URL | The full URL of the Autoscaling handler function. |
| {PSK_SECRET} | Text | The Pre-Shared Key used in FortiOS. |
| {ADMIN_PORT} | Number | The admin port; it is replaced with 443. |
| {HEART_BEAT_INTERVAL} | Number | The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder is only used in the hybrid licensing deployment. |
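The substitution described above, as an added example in JavaScript (not the Function App's own code): a renderer that replaces the documented placeholders in a configset file and rejects values that break the table's rules, such as an uppercase port name, while leaving any unresolved token in place so a half-rendered configuration is never accepted. The sample baseconfig, its CLI keys, the callback hostname and the PSK are constructed for the example; the HTTPS requirement on {CALLBACK_URL} and the port-number range on {ADMIN_PORT} are assumptions, not rules stated on the page.

```javascript
// Added example (not Fortinet's code): render a configset file by substituting
// the {PLACEHOLDER} tokens from the placeholder table, validating each value
// before the configuration is handed to a FortiGate-VM.

// One validation rule per documented placeholder. SYNC_INTERFACE must be a
// lowercase port name (from the table); the HTTPS check on CALLBACK_URL and
// the numeric ranges on ADMIN_PORT / HEART_BEAT_INTERVAL are assumptions.
const PLACEHOLDER_RULES = {
  SYNC_INTERFACE: (v) => /^port[0-9]+$/.test(v),
  CALLBACK_URL: (v) => {
    try { return new URL(v).protocol === 'https:'; } catch (e) { return false; }
  },
  PSK_SECRET: (v) => v.length > 0,
  ADMIN_PORT: (v) => /^[0-9]+$/.test(v) && Number(v) >= 1 && Number(v) <= 65535,
  HEART_BEAT_INTERVAL: (v) => /^[0-9]+$/.test(v) && Number(v) >= 1,
};

// Placeholder token shape: {UPPER_CASE_NAME}.
const TOKEN_RE = /\{([A-Z_]+)\}/g;

// Replace every documented placeholder in `template` with its value from
// `values`. Unknown, missing or invalid placeholders are left in place and
// reported in `errors`; `ok` is true only when the output is fully rendered.
function renderConfigset(template, values) {
  const errors = [];
  const config = template.replace(TOKEN_RE, (token, name) => {
    const rule = PLACEHOLDER_RULES[name];
    if (!rule) {
      errors.push(`unknown placeholder ${token}`);
      return token;
    }
    if (values[name] === undefined) {
      errors.push(`no value supplied for ${token}`);
      return token;
    }
    const value = String(values[name]);
    if (!rule(value)) {
      // Never echo the PSK into an error message or log entry.
      const shown = name === 'PSK_SECRET' ? '<redacted>' : JSON.stringify(value);
      errors.push(`invalid value for ${token}: ${shown}`);
      return token;
    }
    return value;
  });
  return { config, errors, ok: errors.length === 0 };
}

// Constructed baseconfig-style sample (not the shipped baseconfig file); the
// CLI keys are illustrative and only the placeholder tokens matter here.
const SAMPLE_BASECONFIG = [
  'config system global',
  '    set admin-sport {ADMIN_PORT}',
  'end',
  'config system auto-scale',
  '    set status enable',
  '    set sync-interface "{SYNC_INTERFACE}"',
  '    set psksecret "{PSK_SECRET}"',
  '    set callback-url "{CALLBACK_URL}"',
  'end',
  '',
].join('\n');

// Constructed values; the callback host is a placeholder, not a real Function App.
const SAMPLE_VALUES = {
  SYNC_INTERFACE: 'port1',
  CALLBACK_URL: 'https://function-app.example.invalid/api/fgt-as-handler',
  PSK_SECRET: 'constructed-psk-for-the-example',
  ADMIN_PORT: 443,
};

const rendered = renderConfigset(SAMPLE_BASECONFIG, SAMPLE_VALUES);
console.log(rendered.ok ? rendered.config : rendered.errors.join('\n'));
```

Because invalid tokens are left in the output rather than dropped, a caller that checks `ok` (or greps the result for `{`) cannot push a configuration with a missing PSK or callback URL to a new instance.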
Function App environment variables
Azure infrastructure related environment variables
The variables in the table below hold the information the function needs to reach the required Azure services. Changing their values may make those services unreachable to the function; modify them at your own risk. Several of them (CLIENT_SECRET, AUTOSCALE_DB_PRIMARY_KEY, AZURE_STORAGE_ACCESS_KEY) are credentials and should be handled accordingly.
| Variable name | Description |
|---|---|
| RESOURCE_GROUP | Name of the resource group the template is deployed in. |
| CLIENT_ID | Identical to the related parameter described in the section Configurable variables. |
| CLIENT_SECRET | Identical to the related parameter described in the section Configurable variables. |
| WEBSITE_RUN_FROM_ZIP | Identical to the related parameter described in the section Configurable variables. |
| AUTOSCALE_DB_PRIMARY_KEY | The CosmosDB account access key, automatically created with the CosmosDB account. |
| TENANT_ID | The Azure Directory ID for the Active Directory of your current subscription. |
| SUBSCRIPTION_ID | Your Azure Subscription ID. |
| AUTOSCALE_DB_ACCOUNT | The CosmosDB account created for the current FortiGate Autoscale deployment. |
| AZURE_STORAGE_ACCOUNT | The Blob Storage account name, automatically created during the deployment. |
| AZURE_STORAGE_ACCESS_KEY | The Blob Storage account access key, automatically created with the Blob Storage account. |
FortiGate Autoscale required environment variables
Changing the values of the following variables can cause unexpected function behavior. Modify them at your own risk.
| Variable name | Description |
|---|---|
| UNIQUE_ID | Reserved, empty string. |
| CUSTOM_ID | Reserved, empty string. |
| RESOURCE_TAG_PREFIX | An Autoscaling feature variable that is automatically created. Reserved for future use. |
| AUTOSCALE_KEY_VAULT_NAME | Name of the Key Vault service. |
Troubleshooting environment variables
The following variables assist in troubleshooting the current FortiGate Autoscale deployment.
| Variable name | Description |
|---|---|
| DEBUG_SAVE_CUSTOM_LOG | Set to true to save script logs to the DB table CUSTOM_LOG; this is the default behavior. Set to false to disable this feature. |
| DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED | Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false for every log output to have its own log item in the Azure logging system; this is the default behavior. |
| DEBUG_LOGGER_TIMEZONE_OFFSET | Set to the UTC offset of the deployment location so that logged times display in local time. |
For details on how to modify the troubleshooting environment variables, refer to the section Troubleshooting using environment variables.
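As an added example (not the Function App's own code), the following JavaScript reads the three troubleshooting variables with the defaults the table gives them, accepts only the literal strings true or false for the boolean ones, and shows the difference between queued and per-item log output. The default offset of 0 and its unit (hours), the function and class names, and the sample log lines are assumptions or constructed values; only the variable names and the two documented defaults come from the page.

```javascript
// Added example (not Fortinet's code): load the troubleshooting environment
// variables with their documented defaults and demonstrate the two logging
// behaviours selected by DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED.

// Node exposes every environment variable as a string, so a plain truthiness
// check would treat the string "false" as enabled. Accept only "true"/"false".
function parseBoolEnv(raw, fallback) {
  if (raw === undefined || raw.trim() === '') return fallback;
  const v = raw.trim().toLowerCase();
  if (v === 'true') return true;
  if (v === 'false') return false;
  throw new Error(`expected "true" or "false", got ${JSON.stringify(raw)}`);
}

// Defaults from the table: CUSTOM_LOG saving on, output queue off. The offset
// default (0) and its unit (hours) are assumptions; the page states neither.
function loadDebugSettings(env) {
  const rawOffset = env.DEBUG_LOGGER_TIMEZONE_OFFSET;
  const offset = rawOffset === undefined || rawOffset.trim() === '' ? 0 : Number(rawOffset);
  if (!Number.isFinite(offset) || offset < -12 || offset > 14) {
    throw new Error(`DEBUG_LOGGER_TIMEZONE_OFFSET must be a UTC offset in hours, got ${JSON.stringify(rawOffset)}`);
  }
  return {
    saveCustomLog: parseBoolEnv(env.DEBUG_SAVE_CUSTOM_LOG, true),
    outputQueueEnabled: parseBoolEnv(env.DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED, false),
    timezoneOffsetHours: offset,
  };
}

// `sink` stands in for the Azure logging system; an array lets the result be
// inspected. With the queue enabled, lines are held and written as one item on
// flush(); otherwise each line is written as its own item immediately.
class DebugLogger {
  constructor(settings, sink) {
    this.settings = settings;
    this.sink = sink;
    this.queue = [];
  }

  // Display time shifted by the configured offset; the offset is appended so
  // the shifted value cannot be mistaken for UTC when correlating events.
  formatTime(date) {
    const h = this.settings.timezoneOffsetHours;
    const shifted = new Date(date.getTime() + h * 3600 * 1000);
    const sign = h < 0 ? '-' : '+';
    return `${shifted.toISOString().slice(0, 19)} UTC${sign}${Math.abs(h)}`;
  }

  log(message, date = new Date()) {
    const line = `${this.formatTime(date)} ${message}`;
    if (this.settings.outputQueueEnabled) {
      this.queue.push(line);
    } else {
      this.sink.push(line);
    }
  }

  flush() {
    if (this.queue.length > 0) {
      this.sink.push(this.queue.join('\n'));
      this.queue = [];
    }
  }
}

// Constructed environment and log lines for the demonstration (not a real deployment).
const sampleEnv = {
  DEBUG_SAVE_CUSTOM_LOG: 'false',
  DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED: 'true',
  DEBUG_LOGGER_TIMEZONE_OFFSET: '8',
};
const sampleSink = [];
const sampleLogger = new DebugLogger(loadDebugSettings(sampleEnv), sampleSink);
sampleLogger.log('primary election started', new Date('2024-01-01T00:00:00Z'));
sampleLogger.log('heartbeat received', new Date('2024-01-01T00:00:05Z'));
sampleLogger.flush();
console.log(`${sampleSink.length} log item(s):\n${sampleSink.join('\n---\n')}`);
```

Rejecting anything other than the literal true/false matters here because a value such as "yes" or "0" would otherwise silently flip a debugging feature on or off, which is exactly the kind of misconfiguration these variables are meant to help diagnose.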