Azure Administration Guide

SDN connector in Azure Stack

FortiOS uses an Azure Stack SDN connector to automatically update dynamic addresses for Azure Stack on-premises environments. The connector maps the following attributes from Azure Stack instances to dynamic address groups in FortiOS:

  • vm
  • tag
  • size
  • securitygroup
  • vnet
  • subnet
  • resourcegroup
  • vmss

To configure Azure Stack SDN connector using the GUI:
  1. Configure the Azure Stack SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Microsoft Azure.
    3. Configure as shown, substituting the Azure Stack settings for your deployment. The update interval is in seconds.

  2. Create a dynamic firewall address for the configured Azure Stack SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address:
      1. From the Type dropdown list, select Dynamic.
      2. From the Sub Type dropdown list, select Fabric Connector Address.
      3. From the SDN Connector dropdown list, select the configured Azure Stack connector.
      4. In the Filter field, configure the desired filter. For example, you can configure vm=tfgta to automatically populate and update IP addresses only for instances that are named tfgta.
  3. Ensure that the Azure Stack SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for instances that are named tfgta, as configured in step 2.

To configure Azure Stack SDN connector using CLI commands:
  1. Configure the Azure Stack SDN connector:

    config system sdn-connector
        edit "azurestack1"
            set type azure
            set azure-region local
            set server "azurestack.external"
            set username "username@azurestoreexamplecompany.onmicrosoft.com"
            set password xxxxx
            set login-endpoint "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set resource-url "https://management.azurestoreexamplecompany.onmicrosoft.com/12b6fedd-9364-4cf0-822b-080d70298323"
            set update-interval 30
        next
    end

  2. Create a dynamic firewall address for the configured Azure Stack SDN connector with the supported Azure Stack filter. In this example, the Azure Stack SDN Connector will automatically populate and update IP addresses only for instances that are named tfgta:

    config firewall address
        edit "azurestack-address-name1"
            set type dynamic
            set sdn "azurestack1"
            set filter "vm=tfgta"
        next
    end

  3. Confirm that the Azure Stack SDN connector resolves dynamic firewall IP addresses using the configured filter:

    config firewall address
        edit "azurestack-address-name1"
            set type dynamic
            set sdn "azurestack1"
            set filter "vm=tfgta"
            config list
                edit "10.0.1.4"
                next
                edit "10.0.2.4"
                next
                edit "10.0.3.4"
                next
                edit "10.0.4.4"
                next
                edit "192.168.102.32"
                next
                edit "192.168.102.35"
                next
            end
        next
    end
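
An added example, not part of the Fortinet documentation: a Python check that parses the step 3 output and flags resolved IPs outside the networks you expect the filter to match, along with filter keys that are not in the attribute list above. The sample text is abridged from the output on this page; the function names and approved CIDR ranges are assumptions, and only the single `key=value` filter form shown here is handled.

```python
import ipaddress
import re

# Filter keys the page lists as mapped from Azure Stack instances.
SUPPORTED_KEYS = {"vm", "tag", "size", "securitygroup", "vnet", "subnet", "resourcegroup", "vmss"}
# Constructed sample: the step 3 output on this page, abridged to two resolved IPs.
SAMPLE = '''config firewall address
    edit "azurestack-address-name1"
        set type dynamic
        set sdn "azurestack1"
        set filter "vm=tfgta"
        config list
            edit "10.0.1.4"
            next
            edit "192.168.102.32"
            next
        end
    next
end'''

def parse_dynamic_addresses(text):
    """Return {address_name: {"sdn", "filter", "ips"}} from 'config firewall address' text."""
    result, current, in_list = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config list":
            in_list = True
        elif line == "end":  # closes 'config list' or the outer block
            in_list = False
        elif m := re.fullmatch(r'edit "([^"]+)"', line):
            if in_list and current is not None:
                current["ips"].append(m.group(1))  # resolved member of the address
            else:
                current = result.setdefault(m.group(1), {"sdn": None, "filter": None, "ips": []})
        elif (m := re.fullmatch(r'set (sdn|filter) "([^"]*)"', line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return result

def audit(addresses, allowed_cidrs):
    """Flag unsupported filter keys and resolved IPs outside the approved networks."""
    nets, findings = [ipaddress.ip_network(c) for c in allowed_cidrs], []
    for name, a in addresses.items():
        key = (a["filter"] or "").split("=", 1)[0].strip().lower()
        if key not in SUPPORTED_KEYS:
            findings.append((name, "unsupported-filter-key", key))
        for ip in a["ips"]:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append((name, "ip-outside-approved-range", ip))
    return findings
```

Run it against output captured after each change to the filter; an address that resolves to members outside the intended subnets means the filter matches more instances than the policy was written for.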
