Fortinet Document Library

Azure Cookbook 6.2.0
Prerequisites

Installing and configuring FortiGate Autoscale for Azure requires knowledge of the following:

  • Configuring a FortiGate using the CLI
  • Azure deployment templates
  • Azure Functions

It is expected that FortiGate Autoscale for Azure will be deployed by DevOps engineers or advanced system administrators who are familiar with the above.

Before you begin

Before starting the deployment, the following steps must be carried out:

  1. Log into your Azure account. If you do not already have one, create one by following the on-screen instructions.
  2. Create a service principal for the Autoscale to interact with the different Azure services. The creation of the service principal may be done by a different Azure account. For details on the permissions required by the service principal and by the user creating the service principal, refer to the note below. Make note of the following items as they are required to deploy the Function App:
    • Application ID (used for the parameter Rest App ID).
      This is under Azure Active Directory > App registrations > {your-app}.
    • Application secret (used for the parameter Rest App Secret).
      The application secret only appears once and cannot be retrieved.
    Note

    The service principal requires read and write permissions, which can be granted by adding the Contributor role to the service principal.

    In order to grant the service principal such permissions, the Azure account used to create the service principal requires the following permissions:

    • Microsoft.Authorization/roleAssignments/write (to add role assignments)
    • Microsoft.Authorization/roleAssignments/delete (to remove role assignments)

    These permissions are included in the roles User Access Administrator and Owner. For details, refer to the Microsoft article Add or remove role assignments using Azure RBAC and the Azure portal.

  3. Confirm that you have a valid subscription to the PAYG and/or BYOL marketplace listings for FortiGate, as required for your deployment.
    Note

    Without the valid subscriptions, the deployment will fail with errors.

Requirements when using an existing VNet

When using an existing VNet:

  • The VNet must contain 4 subnets.
    • The FortiGate VMSS will be deployed in one of the subnets. This subnet must:
      • be a clean subnet (i.e., not used by any other resource)
      • have two service endpoints that have been manually enabled, one for Microsoft.AzureCosmosDB and one for Microsoft.Web
      • have its name specified in the Subnet 1 Name parameter.
    • The 3 other subnets will be protected by the FortiGate VMSS.
  • Route tables have been created to route traffic between the FortiGate VMSS subnet and the other subnets.
  • One network security group is associated with the 4 subnets in the VNet.
  • (Optional) One available (i.e. not associated with any resource) public IP address to be used for the external load balancer that will be created during template deployment.
    • This IP address must be of the 'standard' SKU in order to match the VMSS.
    • This requirement is optional as a new IP address can be created during template deployment, as specified by the Frontend IP Deployment Method parameter.
  • All of the components above must reside in the same resource group.
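A pre-deployment check for the existing-VNet requirements above, as an added example that is not Fortinet's code: it feeds the subnet list printed by the Azure CLI into a pure validation function and reports every unmet requirement. The Azure CLI JSON field names, the constructed sample resource IDs, and the reading of the route-table requirement as "each protected subnet has a route table attached" are assumptions.

```python
"""Added pre-deployment check for the existing-VNet requirements above (not Fortinet's code). Validates
the JSON printed by `az network vnet subnet list -g <rg> --vnet-name <vnet> -o json` (Azure CLI field names assumed)."""
import json
import subprocess
import sys
REQUIRED_ENDPOINTS = {"Microsoft.AzureCosmosDB", "Microsoft.Web"}
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"  # constructed subscription id

def resource_group_of(resource_id):  # resource group segment of an ARM ID, case-folded (RG names are case-insensitive)
    return resource_id.lower().split("/resourcegroups/")[1].split("/")[0]

def check_vnet(subnets, fgt_subnet_name):
    """Return the list of unmet requirements; an empty list means the VNet is ready for the template."""
    problems = [] if len(subnets) == 4 else ["VNet must contain 4 subnets, found %d" % len(subnets)]
    fgt = next((s for s in subnets if s["name"] == fgt_subnet_name), None)
    if fgt is None:
        return problems + ["Subnet 1 Name %r not found in VNet" % fgt_subnet_name]
    if fgt.get("ipConfigurations"):  # clean subnet: nothing may already hold an IP in it
        problems.append("FortiGate subnet already used by %d IP configuration(s)" % len(fgt["ipConfigurations"]))
    enabled = {e["service"] for e in fgt.get("serviceEndpoints") or []
               if e.get("provisioningState") == "Succeeded"}  # enabled and fully provisioned
    problems += ["FortiGate subnet lacks service endpoint %s" % m for m in sorted(REQUIRED_ENDPOINTS - enabled)]
    nsgs = {((s.get("networkSecurityGroup") or {}).get("id") or "").lower() for s in subnets}
    if nsgs == {""} or len(nsgs) != 1:
        problems.append("all 4 subnets must share one network security group")
    # Route-table requirement, read here as: each protected subnet has a route table attached.
    problems += ["protected subnet %s has no route table" % s["name"]
                 for s in subnets if s is not fgt and not s.get("routeTable")]
    groups = {resource_group_of(i) for i in [s["id"] for s in subnets] + [n for n in nsgs if n]}
    if len(groups) > 1:
        problems.append("components span several resource groups: %s" % ", ".join(sorted(groups)))
    return problems

def sample_subnets(clean=True):
    """Constructed sample shaped like the az output (not captured from a real tenant)."""
    net = RG + "fgt-rg/providers/Microsoft.Network/"
    ep = [{"service": s, "provisioningState": "Succeeded"} for s in sorted(REQUIRED_ENDPOINTS)]
    nsg, rt = {"id": net + "networkSecurityGroups/nsg1"}, {"id": net + "routeTables/rt1"}
    mk = lambda n, **kw: dict({"name": n, "id": net + "virtualNetworks/v1/subnets/" + n, "networkSecurityGroup": nsg}, **kw)
    used = [] if clean else [{"id": net + "networkInterfaces/nic0/ipConfigurations/ipconfig1"}]
    return [mk("subnet1", serviceEndpoints=ep, ipConfigurations=used)] + [mk("subnet%d" % i, routeTable=rt) for i in (2, 3, 4)]

if __name__ == "__main__":  # usage: python check_vnet.py <rg> <vnet> <subnet-1-name>; no arguments = offline demo
    if len(sys.argv) == 4:
        raw = subprocess.check_output(["az", "network", "vnet", "subnet", "list", "-g", sys.argv[1], "--vnet-name", sys.argv[2], "-o", "json"])
        subnets, name = json.loads(raw), sys.argv[3]
    else:
        subnets, name = sample_subnets(clean=False), "subnet1"
    for p in check_vnet(subnets, name) or ["OK: VNet meets the requirements"]:
        print(p)
```

Run it with no arguments to see the "not clean" failure on the constructed sample, or with the resource group, VNet name and Subnet 1 Name against a logged-in Azure CLI session.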
