FortiGate-VM autoscale HA topology
In this sample HA setup, FortiGate has two interfaces:
- Port1 (external): 10.0.1.x/24 subnet1
- Port2 (internal): 10.0.2.x/24 subnet2
- Port1 - 10.0.1.5
- Port2 - 10.0.2.5
- Port1 - 10.0.1.4
- Port2 - 10.0.2.4
Each subnet has its own load balancer, which distributes traffic to the instances in its pool.
By default, the autoscaling group is set to one instance. To increase the number of instances, go to the resource group, then VMSS > Scaling.
In this example, the default/minimum number of instances has been increased to two. Once autoscaling finishes spawning new instances, you can see the new instances.
You will notice the load balancer has also been updated. See below for an example of internal load balancer instances:
See below for an example of external load balancer instances:
To configure what type of traffic to load balance on, go to the load balancer, then Load balancing rules.
This example allocates HTTPS traffic (443) from the front end public IP address to the backend pool, and uses the SSH port for health probe traffic.
The example shows the use of port 22 for the probe. Ensure that allowaccess has SSH enabled on the FortiGate interface.
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set src-check disable
        set description "ext"
        set snmp-index 1
    next
end
Azure also sends probing traffic from IP address 22.214.171.124. Ensure this route also exists on the internal interface(s). Port2 is the internal interface in the below example.
config router static
    edit 1
        set dst 126.96.36.199 255.255.255.255
        set gateway 10.0.2.1
        set device "port2"
    next
end
Otherwise, Azure may consider the instances non-operational and may not forward traffic to them.
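The two requirements above (the probe service in allowaccess on the probed interface, and a host route to the probe source through the internal interface) can be checked against a saved configuration before an instance joins the pool. The following is an added example, not Fortinet code: the function names are hypothetical, the sample configuration is constructed from the snippets on this page, the probe source address is passed in by the caller, and the parser handles only flat config blocks with no nested config sections.

```python
import ipaddress
import re

def parse_fortios(text):
    """Parse config/edit/set/end text into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            cfg.setdefault(section, {})
        elif line.startswith("edit ") and section:
            entry = line[len("edit "):].strip('"')
            cfg[section][entry] = {}
        elif line.startswith("set ") and section and entry is not None:
            # Keep quoted values together, then drop the quotes.
            key, *vals = re.findall(r'"[^"]*"|\S+', line[4:])
            cfg[section][entry][key] = [v.strip('"') for v in vals]
        elif line == "end":
            section = entry = None
    return cfg

def probe_findings(text, probe_ip, probe_service, external_if, internal_if):
    """Return a list of problems that would make the load balancer probe fail."""
    cfg, findings = parse_fortios(text), []
    iface = cfg.get("system interface", {}).get(external_if, {})
    if probe_service not in iface.get("allowaccess", []):
        findings.append(f"{external_if}: allowaccess lacks {probe_service}")
    want = ipaddress.ip_network(f"{probe_ip}/32")
    # "set dst <ip> <mask>" and "set dst <ip>/<len>" both join to a valid network.
    if not any(r.get("device") == [internal_if] and r.get("dst")
               and ipaddress.ip_network("/".join(r["dst"]), strict=False) == want
               for r in cfg.get("router static", {}).values()):
        findings.append(f"{internal_if}: no host route to {probe_ip}")
    return findings

# Constructed sample: the page's two snippets, trimmed to the relevant lines.
SAMPLE = """
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end
config router static
    edit 1
        set dst 126.96.36.199 255.255.255.255
        set gateway 10.0.2.1
        set device "port2"
    next
end
"""
```

An empty list from probe_findings(SAMPLE, "126.96.36.199", "ssh", "port1", "port2") means both conditions hold; each string in a non-empty list names the interface and the missing setting.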