Fortinet Document Library

Version:


Table of Contents

Azure Cookbook

Resources

Upgrade Path Tool

Azure Cookbook

6.2.0
Download PDF
Copy Link

Deploying and configuring active-passive HA within one zone

You can configure FortiGate's native active-passive HA feature (without using an Azure supplementary mechanism such as Azure LB) with two FortiGate-VM instances: one acting as the primary/master node and the other as secondary/slave node, both located in the same region. This is called unicast HA and is specific to cloud environments including Azure. Unicast HA complies with cloud environments' network restrictions as compared to equivalent features provided by physical FortiGates. The FortiGate-VMs run heartbeats between dedicated ports and synchronize OS configurations. When the primary node (FortiGate Node-A in the diagram), the secondary node (FortiGate Node-B) takes over as the primary node so endpoints on a protected server continue to communicate with external resources over the FortiGate. The public IP addresses shown in the diagram will differ from your own, which you configure during deployment.

On Azure, FortiGate active-passive HA triggers two configurations while communicating with the Azure platform through APIs:

  • Mapping public IP addresses from a failing node to a healthy node interfaces
  • Redefining user-defined routes (UDRs) from a failing node to a healthy node IP addresses

HA failover time depends on the amount of public IP addresses and UDRs assigned to the FortiGate-VM and can be upwards of 20 seconds.

note icon

FortiOS 5.6.4+ and 6.0.0+ support FortiGate active-passive HA for Azure. Using the latest version of FortiGate-VM is recommended.

To deploy this HA, you will not launch FortiGate and other related resources from marketplace product listings. Instead, you manually kick off deployment using ARM templates. See About the ARM template. The FortiGate product listings on the Azure marketplace are not used to configure active-passive HA.

Installing and configuring active-passive HA requires knowledge of the following:

  • Configuring the FortiGate using the CLI
  • Azure Portal. You must have an Azure account to perform a deployment.
  • Azure ARM templates
  • Knowledge of software-defined network (SDN) connector

Resources

Deploying and configuring active-passive HA within one zone

You can configure FortiGate's native active-passive HA feature (without using an Azure supplementary mechanism such as Azure LB) with two FortiGate-VM instances: one acting as the primary/master node and the other as secondary/slave node, both located in the same region. This is called unicast HA and is specific to cloud environments including Azure. Unicast HA complies with cloud environments' network restrictions as compared to equivalent features provided by physical FortiGates. The FortiGate-VMs run heartbeats between dedicated ports and synchronize OS configurations. When the primary node (FortiGate Node-A in the diagram), the secondary node (FortiGate Node-B) takes over as the primary node so endpoints on a protected server continue to communicate with external resources over the FortiGate. The public IP addresses shown in the diagram will differ from your own, which you configure during deployment.

On Azure, FortiGate active-passive HA triggers two configurations while communicating with the Azure platform through APIs:

  • Mapping public IP addresses from a failing node to a healthy node interfaces
  • Redefining user-defined routes (UDRs) from a failing node to a healthy node IP addresses

HA failover time depends on the amount of public IP addresses and UDRs assigned to the FortiGate-VM and can be upwards of 20 seconds.

note icon

FortiOS 5.6.4+ and 6.0.0+ support FortiGate active-passive HA for Azure. Using the latest version of FortiGate-VM is recommended.

To deploy this HA, you will not launch FortiGate and other related resources from marketplace product listings. Instead, you manually kick off deployment using ARM templates. See About the ARM template. The FortiGate product listings on the Azure marketplace are not used to configure active-passive HA.

Installing and configuring active-passive HA requires knowledge of the following:

  • Configuring the FortiGate using the CLI
  • Azure Portal. You must have an Azure account to perform a deployment.
  • Azure ARM templates
  • Knowledge of software-defined network (SDN) connector