The prefix for all applicable resource names.

Can only contain uppercase letters, lowercase letters, and numbers.

Maximum length is 10.

Options for Virtual Network (VNet) deployment:

• create a new VNet in the Autoscale resource group (specified in the Resource group parameter)
• create a new VNet in the specified VNet resource group (specified in the VNet Resource Group Name parameter)
• use an existing VNet in the specified VNet resource group (specified in the VNet Resource Group Name parameter)

If using an existing VNet, refer to the section Requirements when using an existing VNet.

The VNet resource group must be in the same region as the Autoscale resource group.

Name of the resource group that contains the VNet and related network components.

Required if the VNet is not in the Autoscale resource group. For details refer to the description for the parameter VNet Deployment Method.

This resource group must be in the same region as the Autoscale resource group.

Name of the Azure VNet to connect to FortiGate Autoscale.

Required if the VNet Deployment Method parameter is set to use an existing VNet.

When the VNet Deployment Method parameter is set to create a new VNet, this parameter can be left empty and a name will be generated.

IP address space of the VNet in (Classless Inter-Domain Routing) CIDR notation. E.g. 10.0.0.0/16.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the address space of the target VNet.

Subnet 1 name. The subnet in which to deploy the FortiGate VMSS.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the subnet of the target VNet.

When the VNet Deployment Method parameter is set to create a new VNet, any input value will be ignored.

When deploying to a new VNet, this defines the address range for subnet 1 in CIDR notation (e.g. 10.0.0.0/24). It must be contained by the address space of the virtual network. The address range of a subnet which is in use can't be edited.

When the VNet Deployment Method parameter is set to use an existing VNet, the value should match the subnet of the target VNet.

Subnet 2 name. One of the subnets to be protected by the FortiGate.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the subnet of the target VNet.

When the VNet Deployment Method parameter is set to create a new VNet, any input value will be ignored.

When deploying to a new VNet, this defines the address range for subnet 2 in CIDR notation (e.g. 10.0.1.0/24). It must be contained by the address space of the virtual network. The address range of a subnet which is in use can't be edited.

When the VNet Deployment Method parameter is set to use an existing VNet, the value should match the subnet of the target VNet.

Subnet 3 name. One of the subnets to be protected by the FortiGate.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the subnet of the target VNet.

When the VNet Deployment Method parameter is set to create a new VNet, any input value will be ignored.

When deploying to a new VNet, this defines the address range for subnet 3 in CIDR notation (e.g. 10.0.2.0/24). It must be contained by the address space of the virtual network. The address range of a subnet which is in use can't be edited.

When the VNet Deployment Method parameter is set to use an existing VNet, the value should match the subnet of the target VNet.

Subnet 4 name. One of the subnets to be protected by the FortiGate.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the subnet of the target VNet.

When the VNet Deployment Method parameter is set to create a new VNet, any input value will be ignored.

When deploying to a new VNet, this defines the address range for subnet 4 in CIDR notation (e.g. 10.0.3.0/24). It must be contained by the address space of the virtual network. The address range of a subnet which is in use can't be edited.

When the VNet Deployment Method parameter is set to use an existing VNet, the value should match the subnet of the target VNet.

The name of the Network Security Group associated with the subnets in the VNet.

Required if the VNet Deployment Method parameter is set to use an existing VNet. The value should match the name of the existing Network Security Group associated with the subnets in the VNet.

When the VNet Deployment Method parameter is set to create a new VNet, you may specify a name for the Network Security Group. If left empty a name will be generated.

Deployment method for the Frontend Public IP address for the external load balancer.

If using an existing IP address, refer to the optional requirement in the section Requirements when using an existing VNet.

If set to 'create new public IP address', the IP address will be deployed to the resource group where the VNet is located.

Name of the Frontend Public IP address.

When the Frontend IP Deployment Method parameter is set to 'create new public IP address, this parameter can be left empty and a name will be generated.

The last octet of the Frontend Private IP address to be used by the Load Balancer.

For example, if set to 10, the Private IP for the Load Balancer in the subnet with prefix 10.0.1.0/24 would be 10.0.1.10.

Size of the VMs in the VMSS.

For assistance in choosing the size, refer to the Microsoft article Compute optimized virtual machine sizes.

FortiOS version supported by FortiGate Autoscale for Azure.

The secret key for the FortiGate-VMs instances to securely communicate with each other. Must contain numbers and letters and may contain special characters.

Maximum length is 128.

Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

FortiGate-VM administrator username on all VMs.

FortiGate-VM administrator password on all VMs.

This field must be between 11 and 26 characters and must include at least one uppercase letter, one lowercase letter, one digit, and one special character such as (! @ # $ %).

Storage account type.

Application ID for the Registered app.

This is under Azure Active Directory > App registrations > {your app}.

Make note of this when creating a service principal during the Prerequisites.

Password (Authentication key) for the Registered app.

Make note of this when creating a service principal during the Prerequisites.

The number of FortiGate-VM instances the BYOL VMSS should have at any time.

For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Users can set the size to less than or equal to the number of valid licenses they own and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

Minimum number of FortiGate-VM instances in the BYOL VMSS.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Maximum number of FortiGate-VM instances in the BYOL VMSS.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.

Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

The number of FortiGate-VM instances the PAYG VMSS should have at any time.

For High Availability in a PAYG-only use case, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Minimum number of FortiGate-VM instances in the PAYG VMSS.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Maximum number of FortiGate-VM instances in the PAYG VMSS.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Percentage of CPU utilization at which scale-out should occur.

Percentage of CPU utilization at which scale-in should occur.

The maximum time (in seconds) to wait for a master election to complete.

The minimum time (in seconds) permitted before a distributed license can be revoked from a non-responsive FortiGate-VM and re-distributed.

Minimum is 300.

The length of time (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function.

Minimum is 30. Maximum is 120.

Number of consecutively lost heartbeats. When the Heart Beat Loss Count has been reached, the VM is deemed unhealthy and failover activities will commence.

The maximum amount of time (in seconds) allowed for network latency of the FortiGate-VM heartbeat arriving at the Autoscale handler function.

Minimum is 30.

Timeout value (in seconds) for the Azure function script.

Minimum is 30. Maximum is 230.