Fortinet Document Library

Azure Cookbook 6.2.0
Public IP addresses with Azure public LB

The default deployment of FortiGate-VM HA from the Azure marketplace includes a standard public LB with two public IP addresses, each associated with its own frontend on the Azure LB. These are configured with NAT rules to allow administration via HTTPS on port 8443 and SSH on port 22. There are also a few LB rules: one sample rule on TCP port 80 associated with each frontend, and another rule associated with the primary frontend on an arbitrary UDP port. The standard public LB carries both inbound and outbound traffic through the FortiGate-VMs. There is no explicit outbound configuration option; instead, outbound TCP is only allowed when at least one inbound TCP LB rule is configured, and outbound UDP is only allowed when at least one inbound UDP LB rule is configured.

Creating a virtual IP address to forward public traffic to an internal server in Azure is similar to Using public IP addresses. However, Azure LB rules have a feature called floating IP (also known as direct server return), and it is recommended to enable it on all LB rules. When enabled, the LB forwards load-balanced sessions without modifying the packets, so the original destination public IP address is preserved. This makes it possible to create a virtual IP address on the FortiGate-VM whose external IP matches the Azure LB frontend public IP address. The main advantage is that the configuration on both FortiGate-VMs can then be identical, and even synchronized.

You can repeat this for both existing frontends. If you need additional public IP addresses, you must add them to a new frontend on the public LB. From there, you can create one or more new LB rules, and then create matching virtual IP addresses and policies on the FortiGate-VMs. When creating the LB set, make sure you select the correct frontend.
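The following is an added example, not part of the Fortinet cookbook and not Fortinet's or Microsoft's code. It models the constraints described above: every LB rule should have floating IP enabled, outbound TCP/UDP only works when an inbound rule of the same protocol exists, and the FortiGate VIP's external IP should equal the frontend's public IP so that both HA members can carry identical configuration. The LB rule structure mirrors the ARM field names (`enableFloatingIP`, `protocol`, `frontendPort`, `frontendIPConfiguration`), but the frontend names, the public IPs (203.0.113.x documentation addresses), the UDP port, the internal server address 10.0.2.4, and the interface name `port1` are all constructed assumptions.

```python
"""Check an Azure standard public LB rule set for a FortiGate-VM HA pair and
render matching FortiOS VIP entries.

Constructed example: the data below is hand-built sample input modelled on
the default marketplace deployment, not exported from a real subscription.
"""
from typing import Dict, List

# Constructed: two frontends, each with its own public IP (documentation range).
FRONTENDS: Dict[str, str] = {
    "PublicFrontendIP1": "203.0.113.10",
    "PublicFrontendIP2": "203.0.113.11",
}

# Constructed: the two sample TCP/80 rules plus one UDP rule on an arbitrary
# port (10551 is a placeholder). Field names follow the ARM schema.
LB_RULES: List[dict] = [
    {"name": "PublicLBRule-FE1-http", "frontendIPConfiguration": "PublicFrontendIP1",
     "protocol": "Tcp", "frontendPort": 80, "enableFloatingIP": True},
    {"name": "PublicLBRule-FE2-http", "frontendIPConfiguration": "PublicFrontendIP2",
     "protocol": "Tcp", "frontendPort": 80, "enableFloatingIP": False},  # misconfigured
    {"name": "PublicLBRule-FE1-udp", "frontendIPConfiguration": "PublicFrontendIP1",
     "protocol": "Udp", "frontendPort": 10551, "enableFloatingIP": True},
]


def rules_without_floating_ip(rules: List[dict]) -> List[str]:
    """Names of rules where floating IP (direct server return) is off.

    Without it the LB rewrites the destination to the VM's private address,
    so a FortiGate VIP keyed on the public frontend IP would never match.
    """
    return [r["name"] for r in rules if not r.get("enableFloatingIP", False)]


def outbound_allowed(rules: List[dict]) -> Dict[str, bool]:
    """Outbound for a protocol works only if an inbound rule of that protocol
    exists on the standard public LB (no explicit outbound option)."""
    protocols = {r["protocol"].lower() for r in rules}
    return {
        "tcp": "tcp" in protocols or "all" in protocols,
        "udp": "udp" in protocols or "all" in protocols,
    }


def fortigate_vip_config(rules: List[dict], frontends: Dict[str, str],
                         mapped_ip: str, ext_intf: str = "port1") -> str:
    """Render a FortiOS 'config firewall vip' block, one entry per LB rule.

    extip is the frontend's public IP: with floating IP enabled that is the
    destination the FortiGate actually sees, so the same text can be pushed
    to both HA members. mapped_ip/ext_intf are caller-supplied assumptions.
    """
    lines = ["config firewall vip"]
    for r in rules:
        extip = frontends[r["frontendIPConfiguration"]]
        lines += [
            f'    edit "{r["name"]}"',
            f"        set extip {extip}",
            f'        set extintf "{ext_intf}"',
            "        set portforward enable",
            f"        set protocol {r['protocol'].lower()}",
            f"        set extport {r['frontendPort']}",
            f'        set mappedip "{mapped_ip}"',
            # serverPort is a constructed key; defaults to the frontend port.
            f"        set mappedport {r.get('serverPort', r['frontendPort'])}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    bad = rules_without_floating_ip(LB_RULES)
    print("Rules without floating IP:", bad or "none")
    print("Outbound allowed:", outbound_allowed(LB_RULES))
    print(fortigate_vip_config(LB_RULES, FRONTENDS, "10.0.2.4"))
```

Each VIP still needs a firewall policy that references it, as the cookbook notes; the check here only covers the LB-side preconditions (floating IP on every rule, and at least one inbound rule per protocol you expect to use outbound) and the VIP external addresses that must match the frontends.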
