Fortinet Document Library

Version: 6.0.0

Prerequisites

Installing and configuring FortiGate Autoscale for Azure requires knowledge of the following:

  • Configuring a FortiGate using the CLI
  • Azure deployment templates
  • Azure Functions

It is expected that FortiGate Autoscale for Azure will be deployed by DevOps engineers or advanced system administrators who are familiar with the above.

Before starting the deployment, the following steps must be carried out:

  1. Log in to your Azure account. If you do not already have one, create one by following the on-screen instructions.
  2. Create a service principal, making note of the following items as they are required to deploy the Function App:
    • Application ID (used for the parameter Rest App ID).
      This is under Azure Active Directory > App registrations > {your-app}.
    • Application secret (used for the parameter Rest App Secret).
      The application secret only appears once and cannot be retrieved.

Requirements when using an existing VNet

When using an existing VNet:

  • The VNet must contain 4 subnets.
    • The FortiGate VMSS will be deployed in one of the subnets. This subnet:
      • must be a clean subnet (i.e. not used by any other resource).
      • must have two service endpoints manually enabled, one for Microsoft.AzureCosmosDB and one for Microsoft.Web.
      • should have its name specified in the Subnet 1 Name parameter.
    • The 3 other subnets will be protected by the FortiGate VMSS.
  • Route tables must have been created to route traffic between the FortiGate VMSS subnet and the other subnets.
  • One network security group must be associated with the 4 subnets in the VNet.
  • (Optional) One available (i.e. not associated with any resource) public IP address to be used for the external load balancer that will be created during template deployment.
    • This IP address must be of the 'standard' SKU in order to match the VMSS.
    • This requirement is optional as a new IP address can be created during template deployment, as specified by the Frontend IP Deployment Method parameter.
  • All of the components above must reside in the same resource group.
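
The subnet, service endpoint, network security group, route table and resource group requirements above can be checked before deployment. The following is an added example, not Fortinet's code: it validates JSON shaped like the output of `az network vnet show` and reports each unmet requirement. The function names, sample names and the two rules marked as assumptions in the comments are hypothetical; the public IP SKU check is left out.

```python
# Added example (not Fortinet code). All sample data below is constructed.
REQUIRED_ENDPOINTS = {"Microsoft.AzureCosmosDB", "Microsoft.Web"}

def rg_of(resource_id):
    """Resource group segment of an Azure resource ID, lower-cased."""
    parts = resource_id.lower().split("/")
    return parts[parts.index("resourcegroups") + 1]

def check_vnet(vnet, subnet1_name):
    """Return unmet requirements; an empty list means the VNet qualifies."""
    problems, subnets = [], vnet.get("subnets") or []
    if len(subnets) != 4:
        problems.append(f"expected 4 subnets, found {len(subnets)}")
    fgt = next((s for s in subnets if s["name"] == subnet1_name), None)
    if fgt is None:
        problems.append(f"{subnet1_name}: subnet not found")
    else:
        # Assumption: attached ipConfigurations mean the subnet is in use.
        if fgt.get("ipConfigurations"):
            problems.append(f"{subnet1_name}: not a clean subnet")
        enabled = {e["service"] for e in fgt.get("serviceEndpoints") or []}
        for svc in sorted(REQUIRED_ENDPOINTS - enabled):
            problems.append(f"{subnet1_name}: service endpoint {svc} not enabled")
    ids, nsgs = [vnet["id"]], set()
    for s in subnets:
        nsg = (s.get("networkSecurityGroup") or {}).get("id")
        rt = (s.get("routeTable") or {}).get("id")
        nsgs.add(nsg.lower() if nsg else None)
        # Assumption: every protected subnet has a route table associated.
        if s is not fgt and not rt:
            problems.append(f"{s['name']}: no route table associated")
        ids += [i for i in (nsg, rt) if i]
    if len(nsgs) != 1 or None in nsgs:
        problems.append("the 4 subnets do not share one network security group")
    if len({rg_of(i) for i in ids}) > 1:
        problems.append("components span more than one resource group")
    return problems

# Constructed sample input (placeholder subscription ID and names).
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fgt/providers/Microsoft.Network"
def subnet(name, endpoints=(), rg="rg-fgt"):
    return {"name": name, "serviceEndpoints": [{"service": e} for e in endpoints],
            "networkSecurityGroup": {"id": f"{BASE}/networkSecurityGroups/nsg1"},
            "routeTable": {"id": f"{BASE}/routeTables/rt-{name}".replace("rg-fgt", rg)}}
GOOD = {"id": f"{BASE}/virtualNetworks/vnet1", "subnets": [
    subnet("subnet1", sorted(REQUIRED_ENDPOINTS)), subnet("subnet2"),
    subnet("subnet3"), subnet("subnet4")]}
BAD = {"id": GOOD["id"], "subnets": [subnet("subnet1", ["Microsoft.Web"]),
       subnet("subnet2", rg="rg-other"), subnet("subnet3")]}
```

`check_vnet(GOOD, "subnet1")` returns an empty list, while `check_vnet(BAD, "subnet1")` reports the subnet count, the missing Microsoft.AzureCosmosDB endpoint and the route table that sits in another resource group.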
