Fortinet black logo

Azure Administration Guide

Access control

Copy Link
Copy Doc ID 0489513b-b3c1-11e9-a989-00505692583a:430141
Download PDF

Access control

After deployment, you must give the FortiGate-VM access to Azure resources. The Fabric connector has two functions:

Function

Description

Dynamic address

The Fabric connector can search for private and/or public IP addresses based on different properties, such as tag, VM name, network security group, resource group, and location in the current Azure subscription. You must assign the reader role to the resources that the Fabric connector needs access to.

HA

One HA setup includes moving public IP addresses from the active to the passive FortiGate-VM. You must update the user-defined routes to point to the passive FortiGate-VM private IP address. These actions require elevated access to some resources.

If you want to resolve dynamic addresses in multiple subscriptions in a Cloud Security Services HUB (VNet peering), you must assign the Reader role to each subscription.

Dynamic address

You must assign the Reader role to the whole subscription, as the Fabric connector needs access to all resources in the subscription.

To assign access control in the Azure portal:
  1. In the Azure portal, go to Access control (IAM).
  2. Click Add a role assignment.
  3. From the Role dropdown list, select Reader.
  4. From the Assign access to dropdown list, select Virtual Machine.
  5. From the Select dropdown list, select the desired FortiGate-VM.

To assign access control in the Azure CLI:

You must assign the role to both FortiGate-VMs in an active-active or active-passive setup. You must apply the Reader role since the VM principal ID must be retrieved. This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

$ spID=$(az resource list -n {<FortiGate-VM name>} --query [*].identity.principalId --out tsv)

$ az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/{Azure subscription ID}

HA

Azure portal

In case of active-passive failover using the Fabric connector, the FortiGate-VMs should have write access with the Network Contributor role to the following resources:

  • FortiGate-VM network interfaces
  • Routing tables that point to the FortiGate-VM internal interface
  • Network security group attached to the FortiGate-VM network interface NIC1
  • Public IP address attached to the FortiGate-VM network interface NIC1
  • VNet or subnet that has the public IP address attached

The Network Contributor access rights are used to update the routing tables and public IP address in case of failover.

To assign access control in the Azure CLI:

For HA, the Fabric connector requires additional rights on different Azure resources. You can use the Network Contributor role or a more precise custom role.

You must assign the Fortinet FortiGate SDN Fabric Connector RW role to both FortiGate-VMs when in an active-active or active-passive setup. You must apply this role since the VM principal ID must be retrieved. This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

Create a JSON file that contains the following:

{

"Name": "Fortinet FortiGate SDN Fabric Connector RW",

"IsCustom": true,

"Description": "Role to update the public ip addres and user defined routes",

"Actions": [

"*/read",

"Microsoft.Network/routeTables/write",

"Microsoft.Network/routeTables/routes/write",

"Microsoft.Network/routeTables/routes/delete",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/virtualNetworks/subnets/join/action"

],

"DataActions": [],

"NotActions": [],

"NotDataActions": [],

"AssignableScopes": [

"/subscriptions/{<Azure subscription ID>}"

]

}

This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

$ az role definition create --role-definition azure_SDN_iamrole_rw.json

$ spID=$(az resource list -n {<FortiGate-VM name>} --query [*].identity.principalId --out tsv)

$ az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/{Azure subscription ID}

Access control

After deployment, you must give the FortiGate-VM access to Azure resources. The Fabric connector has two functions:

Function

Description

Dynamic address

The Fabric connector can search for private and/or public IP addresses based on different properties, such as tag, VM name, network security group, resource group, and location in the current Azure subscription. You must assign the reader role to the resources that the Fabric connector needs access to.

HA

One HA setup includes moving public IP addresses from the active to the passive FortiGate-VM. You must update the user-defined routes to point to the passive FortiGate-VM private IP address. These actions require elevated access to some resources.

If you want to resolve dynamic addresses in multiple subscriptions in a Cloud Security Services HUB (VNet peering), you must assign the Reader role to each subscription.

Dynamic address

You must assign the Reader role to the whole subscription, as the Fabric connector needs access to all resources in the subscription.

To assign access control in the Azure portal:
  1. In the Azure portal, go to Access control (IAM).
  2. Click Add a role assignment.
  3. From the Role dropdown list, select Reader.
  4. From the Assign access to dropdown list, select Virtual Machine.
  5. From the Select dropdown list, select the desired FortiGate-VM.

To assign access control in the Azure CLI:

You must assign the role to both FortiGate-VMs in an active-active or active-passive setup. You must apply the Reader role since the VM principal ID must be retrieved. This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

$ spID=$(az resource list -n {<FortiGate-VM name>} --query [*].identity.principalId --out tsv)

$ az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/{Azure subscription ID}

HA

Azure portal

In case of active-passive failover using the Fabric connector, the FortiGate-VMs should have write access with the Network Contributor role to the following resources:

  • FortiGate-VM network interfaces
  • Routing tables that point to the FortiGate-VM internal interface
  • Network security group attached to the FortiGate-VM network interface NIC1
  • Public IP address attached to the FortiGate-VM network interface NIC1
  • VNet or subnet that has the public IP address attached

The Network Contributor access rights are used to update the routing tables and public IP address in case of failover.

To assign access control in the Azure CLI:

For HA, the Fabric connector requires additional rights on different Azure resources. You can use the Network Contributor role or a more precise custom role.

You must assign the Fortinet FortiGate SDN Fabric Connector RW role to both FortiGate-VMs when in an active-active or active-passive setup. You must apply this role since the VM principal ID must be retrieved. This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

Create a JSON file that contains the following:

{

"Name": "Fortinet FortiGate SDN Fabric Connector RW",

"IsCustom": true,

"Description": "Role to update the public ip addres and user defined routes",

"Actions": [

"*/read",

"Microsoft.Network/routeTables/write",

"Microsoft.Network/routeTables/routes/write",

"Microsoft.Network/routeTables/routes/delete",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/virtualNetworks/subnets/join/action"

],

"DataActions": [],

"NotActions": [],

"NotDataActions": [],

"AssignableScopes": [

"/subscriptions/{<Azure subscription ID>}"

]

}

This action assigns required access rights for the service principal that Azure AD is managing specific for the FortiGate-VM to access Azure resources in the Azure subscription.

$ az role definition create --role-definition azure_SDN_iamrole_rw.json

$ spID=$(az resource list -n {<FortiGate-VM name>} --query [*].identity.principalId --out tsv)

$ az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/{Azure subscription ID}