Multiple concurrent SDN connectors
This guide shows how to configure SDN connectors and resolve dynamic firewall addresses through the configured SDN connector in FortiOS.
FortiOS supports multiple SDN connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of SDN connector.
This guide uses an Azure SDN connector as an example. The procedure is the same for all supported SDN connectors; only the connector-specific credential fields differ. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:
This process consists of the following:
- Configure the interface.
- Configure a static route to connect to the Internet.
- Configure two Azure SDN connectors with different client IDs.
- Check the configured SDN connectors.
- Create two firewall addresses.
- Check the resolved firewall addresses after the update interval.
- Run diagnose commands.
To configure the interface:
- In FortiOS, go to Network > Interfaces.
- Edit port1:
- From the Role dropdown list, select WAN.
- In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.
To configure a static route to connect to the Internet:
- Go to Network > Static Routes. Click Create New.
- In the Destination field, enter 0.0.0.0/0.0.0.0.
- From the Interface dropdown list, select port1.
- In the Gateway Address field, enter 10.6.30.254, the gateway on the port1 subnet configured above.
To configure two Azure SDN connectors with different client IDs:
- Go to Security Fabric > External Connectors.
- Click Create New. Configure the first SDN connector:
- Select Microsoft Azure.
- In the Name field, enter azure1.
- In the Status field, select Enabled.
- From the Server region dropdown list, select Global.
- In the Directory ID field, enter the directory ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
- In the Application ID field, enter the application ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
- In the Client secret field, enter the client secret.
- Leave the Resource path disabled.
- Click OK.
- Click Create New. Configure the second SDN connector:
- Select Microsoft Azure.
- In the Name field, enter azure2.
- In the Status field, select Enabled.
- From the Server region dropdown list, select Global.
- In the Directory ID field, enter the directory ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
- In the Application ID field, enter the application ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
- In the Client secret field, enter the client secret.
- Leave the Resource path disabled.
- Click OK.
To check the configured SDN connectors:
- Go to Security Fabric > External Connectors.
- Click the Refresh icon in the upper right corner of each configured SDN connector. A green up arrow appears in the lower right corner, meaning that both SDN connectors are connected to the Azure cloud using different client IDs.
To create two firewall addresses:
This process creates two SDN connector firewall addresses to associate with the configured SDN connectors.
- Go to Policy & Objects > Addresses.
- Click Create New > Address. Configure the first SDN connector firewall address:
- In the Name field, enter azure-address-1.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector address.
- From the SDN Connector dropdown list, select azure1.
- For SDN address type, select Private.
- From the Filter dropdown list, select the desired filter.
- For Interface, select any.
- Click OK.
- Click Create New > Address. Configure the second SDN connector firewall address:
- In the Name field, enter azure-address-2.
- From the Type dropdown list, select Dynamic.
- From the Sub Type dropdown list, select Fabric Connector address.
- From the SDN Connector dropdown list, select azure2.
- For SDN address type, select Private.
- From the Filter dropdown list, select the desired filter.
- For Interface, select any.
- Click OK.
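The same configuration entered from the FortiOS CLI, as an added example that is not part of the original guide. The interface, gateway, connector names, directory and application IDs, and address names are the ones used in the steps above; the client secret placeholders and the filter string (Tag.role=web) are assumptions added for illustration and must be replaced with values from your own tenant.

```text
# Interface and default route (values from the steps above).
config system interface
    edit "port1"
        set role wan
        set ip 10.6.30.4 255.255.255.0
    next
end
config router static
    edit 1
        set device "port1"
        set gateway 10.6.30.254
    next
end

# Two Azure SDN connectors in the same tenant (directory ID), each
# authenticating with its own app registration (application/client ID).
# The client-secret values are placeholders, not real secrets.
config system sdn-connector
    edit "azure1"
        set type azure
        set status enable
        set azure-region global
        set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
        set client-id "14dbd5c5-307e-4ea4-8133-68738141feb1"
        set client-secret "SECRET-FOR-AZURE1"
        set update-interval 60
    next
    edit "azure2"
        set type azure
        set status enable
        set azure-region global
        set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
        set client-id "3baf0a6c-44ff-4f94-b292-07f7a2c36be6"
        set client-secret "SECRET-FOR-AZURE2"
        set update-interval 60
    next
end

# One dynamic (Fabric Connector) address per connector, resolving private IPs.
# The filter "Tag.role=web" is an assumed example; use a tag that exists
# on the VMs you want each address to resolve to.
config firewall address
    edit "azure-address-1"
        set type dynamic
        set sub-type sdn
        set sdn "azure1"
        set sdn-addr-type private
        set filter "Tag.role=web"
    next
    edit "azure-address-2"
        set type dynamic
        set sub-type sdn
        set sdn "azure2"
        set sdn-addr-type private
        set filter "Tag.role=web"
    next
end
```

Each connector polls Azure every update-interval seconds (60 by default) using only the permissions granted to its own app registration, so the two addresses can resolve to different VM sets from the same tenant. Once populated, the addresses are used like any other address object in firewall policies.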
To check the resolved firewall addresses after the update interval:
By default, the update interval is 60 seconds.
- Go to Policy & Objects > Addresses.
- Hover over the created addresses. The IP addresses that the configured SDN connectors resolved are displayed.
To run diagnose commands:
Run the show sdn connector status command. Both SDN connectors should appear with a status of connected.
Run the diagnose debug application azd -1 command. Application debug messages are only printed after diagnose debug enable has been run; run diagnose debug disable when you are finished. The output should look like the following:
Level2-downstream-D # diagnose debug application azd -1
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list:
10.18.0.4
...
To restart the Azure SDN connector daemon, run the diagnose test application azd 99 command.