Fortinet Document Library

Version: 6.0.0

FortiGate-VM autoscale HA topology

In this sample HA setup, each FortiGate-VM has two interfaces:

  • Port1 (external): 10.0.1.x/24, subnet1
  • Port2 (internal): 10.0.2.x/24, subnet2

Instance 1:

  • Port1 - 10.0.1.5
  • Port2 - 10.0.2.5

Instance 2:

  • Port1 - 10.0.1.4
  • Port2 - 10.0.2.4

Each subnet has its own load balancer (an external one in front of port1 and an internal one in front of port2) that distributes traffic across the backend pool of FortiGate instances.

By default, the autoscaling group (the virtual machine scale set, VMSS) is set to one instance. To increase the number of instances, go to the resource group, then VMSS > Scaling.

In this example, the default/minimum instance count has been increased to two. Once autoscaling has finished spawning the new instance, it appears in the VMSS instance list.

The backend pools of both load balancers are updated automatically with the new instance; no manual change to the pools is needed. (The original page shows screenshots of the internal and external load balancer backend pools at this point.)

To choose which traffic is load balanced, open the load balancer and go to Load balancing rules.

This example forwards HTTPS traffic (TCP 443) from the front-end public IP address to the backend pool and uses a TCP health probe on port 22 (SSH) to decide whether each instance is healthy.

Because the probe is a plain TCP connect to the FortiGate's own SSH service, allowaccess on the probed interface must include ssh; each load balancer probes the interface in its own subnet, so this applies to port2 behind the internal load balancer as well as to port1. Keep in mind that this exposes the FortiGate's administrative SSH service on the external interface: the load-balancing rule only forwards 443, but any source that can reach port1 directly can reach SSH, so restrict admin sources with the NSG on subnet1 and with trusthost on the admin accounts. The port1 configuration used in the example:

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set src-check disable
        set description "ext"
        set snmp-index 1
    next
end

Note that set src-check disable turns off the reverse-path (anti-spoofing) check on port1. This is common in load-balanced deployments, where traffic forwarded by the load balancer can arrive on an interface that is not the route back to its source, but it means the interface no longer drops spoofed source addresses by itself; restrictive NSG rules and firewall policies have to cover that.

Azure sends its health-probe traffic from the IP address 168.63.129.16 on every probed interface. On port1 the reply follows the default route learned by DHCP, but on the internal interface(s) an explicit /32 static route back to the probe source is required; without it the reply to the internal load balancer's probe leaves through port1 and the probe fails. Port2 is the internal interface in the example below, and 10.0.2.1 is the gateway of subnet2.

config router static
    edit 1
        set dst 168.63.129.16 255.255.255.255
        set gateway 10.0.2.1
        set device "port2"
    next
end

Without this route (or with ssh missing from allowaccess on a probed interface), Azure considers the instance non-operational and stops forwarding traffic to it, even though the FortiGate itself is up.
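The two prerequisites above (the probe service in allowaccess on every load-balanced interface, and the /32 route to 168.63.129.16 via the internal interface) are easy to get wrong on one instance of a scale set. The following added example, which is not Fortinet's code or part of the original page, lints a FortiOS CLI fragment for exactly those conditions before it is pushed to the VMSS. It assumes the probe is a plain TCP connect to an admin service (ssh on 22 in this page's example), that Azure probes each load-balanced interface, and that port2's configuration mirrors port1's; the port2 block, the PROBE_SERVICES mapping and the function names are constructed for the example. It also reports where src-check disable has switched off RPF anti-spoofing.

```python
"""Added example, not Fortinet's code: lint a FortiOS CLI fragment for the Azure load balancer
health-probe prerequisites. Assumes a TCP probe against an admin service (ssh/22 here) and
that Azure probes every load-balanced interface from 168.63.129.16."""

AZURE_PROBE_SRC = "168.63.129.16"
# TCP probe port -> FortiGate allowaccess service that answers on it (assumed mapping)
PROBE_SERVICES = {22: "ssh", 80: "http", 443: "https"}

# Constructed sample: the page's port1 block, an assumed matching port2 block, and the page's route.
GOOD_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set src-check disable
        set description "ext"
    next
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh
        set type physical
        set src-check disable
        set description "int"
    next
end
config router static
    edit 1
        set dst 168.63.129.16 255.255.255.255
        set gateway 10.0.2.1
        set device "port2"
    next
end
"""

# Constructed failure case: port2 lacks ssh in allowaccess and the probe-source route is missing.
BROKEN_CONFIG = GOOD_CONFIG.split("config router static")[0].replace("ping https ssh\n", "ping https\n")


def parse_fortios(text):
    """Parse a flat FortiOS config into {section: {entry: {key: [values]}}}.
    Blocks nested inside an entry (e.g. 'config ipv6') are skipped, not parsed."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif line == "end":
            if stack:
                stack.pop()
        elif len(stack) != 1:
            continue  # outside any section, or inside a nested block
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections[stack[0]].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            sections[stack[0]][entry][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            entry = None
    return sections


def check_probe_readiness(config_text, probe_port, lb_interfaces, internal_if):
    """Return {'errors': [...], 'notes': [...]}; an empty error list means the probe should succeed."""
    cfg = parse_fortios(config_text)
    ifaces = cfg.get("system interface", {})
    routes = cfg.get("router static", {})
    errors, notes = [], []
    service = PROBE_SERVICES.get(probe_port)
    if service is None:
        return {"errors": [f"TCP/{probe_port}: no admin service known to answer the probe"], "notes": notes}
    for name in lb_interfaces:
        iface = ifaces.get(name)
        if iface is None:
            errors.append(f"{name}: not present in 'config system interface'")
            continue
        if service not in iface.get("allowaccess", []):
            errors.append(f"{name}: allowaccess lacks '{service}', probe on TCP/{probe_port} is refused")
        if iface.get("src-check") == ["disable"]:
            notes.append(f"{name}: src-check disabled, RPF anti-spoofing is off; rely on NSG and policy")
    # Replies to the internal LB's probe need an explicit /32 route out of the internal interface.
    if not any(r.get("dst") == [AZURE_PROBE_SRC, "255.255.255.255"] and r.get("device") == [internal_if]
               for r in routes.values()):
        errors.append(f"no /32 route to {AZURE_PROBE_SRC} via {internal_if}; probe replies follow the default route")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_probe_readiness(text, 22, ["port1", "port2"], "port2"))
```

Run it against the output of show system interface and show router static from an instance (or against the template you push through the VMSS); the broken sample reports that port2 refuses the probe and that the route to the probe source is missing, which are the two conditions that make Azure mark an instance down. The notes about src-check are informational only: they remind you that anti-spoofing on those interfaces now depends on the NSG and the firewall policy rather than on the interface itself.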
