Azure Stack SDN connector

FortiOS automatically updates dynamic addresses for Azure Stack on-premises environments using an Azure Stack SDN connector. The connector maps the following attributes of Azure Stack instances to dynamic address groups in FortiOS:

  • vm
  • tag
  • size
  • securitygroup
  • vnet
  • subnet
  • resourcegroup
  • vmss

To configure the Azure Stack SDN connector using the GUI:
  1. Configure the Azure Stack SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Microsoft Azure.
    3. Configure as shown, substituting the Azure Stack settings for your deployment. The update interval is in seconds.

  2. Create a dynamic firewall address for the configured Azure Stack SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address as shown, selecting the desired filter in the Filter dropdown list. In this example, the Azure Stack SDN connector will automatically populate and update IP addresses only for instances that are named tfgta:

  3. Ensure that the Azure Stack SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see the list of IP addresses for instances that are named tfgta, as configured in step 2:

To configure the Azure Stack SDN connector using CLI commands:
  1. Configure the Azure Stack SDN connector:

    config system sdn-connector
        edit "azurestack1"
            set type azure
            set azure-region local
            set server "azurestack.external"
            set username "username@azurestoreexamplecompany.onmicrosoft.com"
            set password xxxxx
            set login-endpoint "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set resource-url "https://management.azurestoreexamplecompany.onmicrosoft.com/12b6fedd-9364-4cf0-822b-080d70298323"
            set update-interval 30
        next
    end

  2. Create a dynamic firewall address for the configured Azure Stack SDN connector with a supported Azure Stack filter. In this example, the Azure Stack SDN connector will automatically populate and update IP addresses only for instances that are named tfgta:

    config firewall address
        edit "azurestack-address-name1"
            set type dynamic
            set sdn "azurestack1"
            set filter "vm=tfgta"
        next
    end

  3. Confirm that the Azure Stack SDN connector resolves dynamic firewall IP addresses using the configured filter. The resolved addresses appear under the address object's list:

    config firewall address
        edit "azurestack-address-name1"
            set type dynamic
            set sdn "azurestack1"
            set filter "vm=tfgta"
            config list
                edit "10.0.1.4"
                next
                edit "10.0.2.4"
                next
                edit "10.0.3.4"
                next
                edit "10.0.4.4"
                next
                edit "192.168.102.32"
                next
                edit "192.168.102.35"
                next
            end
        next
    end
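As an added example that is not part of this Fortinet page, the following Python check parses the "config firewall address" output from step 3, validates the filter attribute against the list of attributes at the top of the page, and flags an address object that has no resolved IPs yet. The sample text is the page's step 3 output shortened to two addresses; the function names are assumptions of this example, not FortiOS or Fortinet tooling.

```python
import re
FILTER_KEYS = {"vm", "tag", "size", "securitygroup", "vnet", "subnet", "resourcegroup", "vmss"}

# "config firewall address" output as shown in step 3 of the CLI procedure (shortened to two addresses).
SAMPLE_OUTPUT = """config firewall address
    edit "azurestack-address-name1"
        set type dynamic
        set sdn "azurestack1"
        set filter "vm=tfgta"
        config list
            edit "10.0.1.4"
            next
            edit "192.168.102.32"
            next
        end
    next
end"""

def parse_filter(filter_value):
    """Split 'vm=tfgta' into ('vm', 'tfgta'); the key must be an attribute listed on this page."""
    key, sep, value = filter_value.partition("=")
    if not sep or not value or key not in FILTER_KEYS:
        raise ValueError(f"unsupported Azure Stack filter {filter_value!r}")
    return key, value

def parse_dynamic_address(cli_text):
    """Return name, type, sdn, filter and the resolved IPs from the CLI output of one address."""
    entry = {"name": None, "type": None, "sdn": None, "filter": None, "addresses": []}
    in_list = False
    for line in (raw.strip() for raw in cli_text.splitlines()):
        if line == "config list":
            in_list = True
        elif line == "end" and in_list:
            in_list = False
        elif m := re.fullmatch(r'edit "([^"]+)"', line):
            if in_list:  # entries under 'config list' are the resolved addresses
                entry["addresses"].append(m.group(1))
            else:
                entry["name"] = m.group(1)
        elif (m := re.fullmatch(r'set (\w+) "?([^"]*)"?', line)) and m.group(1) in entry:
            entry[m.group(1)] = m.group(2)
    return entry

def check_resolution(cli_text, sdn, filter_value):
    """List what is wrong with the address object; an empty list means the filter resolved."""
    entry, problems = parse_dynamic_address(cli_text), []
    if entry["type"] != "dynamic" or entry["sdn"] != sdn or entry["filter"] != filter_value:
        problems.append(f"address is not a dynamic address with filter {filter_value!r} on {sdn!r}")
    if not entry["addresses"]:
        problems.append("no addresses resolved yet: check credentials and URLs, then wait one update interval")
    return problems
```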
