The prefix for all applicable resource names.

Can only contain uppercase letters, lowercase letters, and numbers.

Maximum length is 10.

Options for Virtual Network (VNet) deployment:

• create a new VNet in the Autoscale resource group
• create a new VNet in the specified VNet resource group
• use an existing VNet in the specified VNet resource group

The VNet resource group (specified in the VNet Resource Group Name parameter) must be in the same region as the Autoscale resource group (specified in the Resource group parameter). If using an existing VNet, refer to the section Requirements when using an existing VNet.

Name of the resource group that contains the VNet and related network components.

Required if the VNet and related network components will be deployed to a different resource group than the Autoscale resource group (specified in the Resource group parameter). For details refer to the description for the parameter VNet Deployment Method. Both resource groups must be in the same region.

Name of the Azure VNet to associate with FortiGate Autoscale.

Required when using an existing VNet.

When creating a new VNet, this parameter may be left empty and a name will be generated.

IP address space of the VNet in (Classless Inter-Domain Routing) CIDR notation. E.g. 10.0.0.0/16.

Required when using an existing VNet. The value should match the address space of the target VNet.

The Subnet # Name parameters specify the name of the subnet.

• Subnet 1 is the subnet in which to deploy the FortiGate VMSS.
• Subnets 2-4 are the subnets to be protected by the FortiGate.

Required only when using an existing VNet. The values should match the subnet of the target VNet. When creating a new VNet, any input value will be ignored.

The Subnet # Address Range parameters define the address range in CIDR notation for the subnet. The address range must be contained by the address space of the virtual network as defined in VNet Address Space. After deployment, the address range of a subnet which is in use can't be edited.

Required when using an existing VNet. The values should match the address range of the target VNet. When creating a new VNet, any input value will be ignored.

Name of the Network Security Group associated with the subnets in the VNet.

Required when using existing VNet. The value should match the name of the existing Network Security Group associated with the subnets in the VNet.

When creating a new VNet, you may specify a name for the Network Security Group. If left empty, a name will be generated.

Deployment method for the Frontend Public IP address for the external load balancer.

There are limitations when using an existing IP address. Please refer to the optional requirement in the section Requirements when using an existing VNet.

When creating a new IP address, the IP address will be deployed to the resource group where the VNet is located.

Name of the Frontend Public IP address.

When creating a new IP address, this parameter can be left empty and a name will be generated.

The last octet of the Frontend Private IP address to be used by the Load Balancer. For example, if set to 10, the Private IP address for the Load Balancer in the subnet with prefix 10.0.1.0/24 would be 10.0.1.10.

Size of the VMs in the VMSS.

For assistance in choosing the size, refer to the Microsoft article Compute optimized virtual machine sizes.

FortiOS version supported by FortiGate Autoscale for Azure.

A secret key used by FortiGate-VM instances to securely communicate with each other.

Must contain numbers and letters; may contain special characters. Maximum length is 128.

Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

FortiGate-VM administrator username on all VMs.

FortiGate-VM administrator password on all VMs.

Must be between 11 and 26 characters and must include at least one uppercase letter, one lowercase letter, one digit, and one special character such as (! @ # $ %).

Storage account type.

Application ID for the Registered app.

This is under Azure Active Directory > App registrations > {your app}.

Make note of this when creating a service principal in the section Prerequisites.

Password (Authentication key) for the Registered app.

Make note of this when creating a service principal in the section Prerequisites.

The number of FortiGate-VM instances the BYOL VMSS should have at any time.

For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Users can set the size to less than or equal to the number of valid licenses they own and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

Minimum number of FortiGate-VM instances in the BYOL VMSS.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Maximum number of FortiGate-VM instances in the BYOL VMSS.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.

Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

The number of FortiGate-VM instances the PAYG VMSS should have at any time.

For High Availability in a PAYG-only use case, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Minimum number of FortiGate-VM instances in the PAYG VMSS.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Maximum number of FortiGate-VM instances in the PAYG VMSS.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Percentage of CPU utilization at which scale-out should occur.

Percentage of CPU utilization at which scale-in should occur.

The maximum time (in seconds) to wait for a master election to complete.

The minimum time (in seconds) permitted before a distributed license can be revoked from a non-responsive FortiGate-VM and re-distributed.

Minimum is 300.

The length of time (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function.

Minimum is 30. Maximum is 120.

Number of consecutively lost heartbeats. When the Heart Beat Loss Count has been reached, the VM is deemed unhealthy and failover activities will commence.

The maximum amount of time (in seconds) allowed for network latency of the FortiGate-VM heartbeat arriving at the Autoscale handler function.

Minimum is 30.

Timeout value (in seconds) for the Azure function script.

Minimum is 30. Maximum is 230.