Fortinet Document Library

Azure Cookbook

6.2.0

FortiGate Autoscale for Azure HA topology (PAYG instances)

In this sample HA setup, each FortiGate-VM has two interfaces.

  • Port1 (external): 10.0.1.x/24 subnet1
  • Port2 (internal): 10.0.2.x/24 subnet2

Instance 1:

  • Port1: 10.0.1.5
  • Port2: 10.0.2.5

Instance 2:

  • Port1: 10.0.1.4
  • Port2: 10.0.2.4

Each subnet has its own load balancer to allocate the traffic to each instance pool.

By default, the Autoscaling group is set to one instance.

To increase the number of instances:
  1. Load the resource group in which you deployed the Scale Set template.
  2. From the overview page, click the Virtual machine scale set name (asgvmsspayg in our example).
  3. From the navigation column, under Settings, click Scaling.

The configuration page will look as shown below:

Adjusting the number of instances

In this example, the Minimum and Default instance counts have been increased to two. Once Autoscaling finishes spawning new instances, you can see them from the navigation column: under Settings, click Instances. In our example, we now additionally see instance 48.

Added instance

The Load Balancers will also have been updated.

To view the load balancers:
  1. Load the resource group in which you deployed the Scale Set template.
  2. From the overview page, click the link for the Internal or External load balancer.
  3. From the navigation column, under Settings, click Backend pools.

Following is an example of internal load balancer instances:

Internal Load Balancer instances

Following is an example of external load balancer instances:

External Load Balancer instances

To configure the type of traffic to load balance on:
  1. Load the resource group in which you deployed the Scale Set template.
  2. From the overview page, click the link for the Internal or External load balancer.
  3. From the navigation column, under Settings, click Load balancing rules.

An example of a rule list:

Example of a rule list

Click the rule to see more details. The sample rule below allocates HTTPS traffic (443) from the front-end public IP address to the backend pool, using the SSH port for health probe traffic.

HTTPS rule

To view health probes:
  1. Load the resource group in which you deployed the Scale Set template.
  2. From the overview page, click the link for the Internal or External load balancer.
  3. From the navigation column, under Settings, click Health probes.
  4. The lbprobe is listed. Click the name to view the probe.

An example of a health probe:

Example of a health probe

This example shows the use of port 22 for the probe. Ensure allowaccess has SSH enabled on the FortiGate-VM interface.

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set src-check disable
        set description "ext"
        set snmp-index 1
    next
end

Azure also sends probe traffic from IP address 168.63.129.16. Ensure that a static route to this address also exists through the internal interface(s). In the example below, port2 is the internal interface.

config router static
    edit 1
        set dst 168.63.129.16 255.255.255.255
        set gateway 10.0.2.1
        set device "port2"
    next
end

Otherwise, Azure may consider the instances non-operational and may not forward traffic to them.
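
One way to check an exported FortiGate-VM configuration against the two probe prerequisites above: SSH in allowaccess on the probed interfaces, and a static route to 168.63.129.16 through the internal interface. This is an added example, not Fortinet's code. The function names and the SAMPLE config are constructed, the parser handles only flat config/edit/set blocks, and checking both port1 and port2 for the probe service is an assumption.

```python
import ipaddress
import shlex

AZURE_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # probe source named on this page
# Constructed sample: port1 as on the page, port2 lacking ssh, no probe route at all.
SAMPLE = """config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set allowaccess ping
    next
end
"""

def parse_fortios(text):
    """Parse flat config/edit/set/next/end text into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]          # shlex strips the quotes around names
        if tok[0] == "config":
            section = " ".join(tok[1:])
            tree.setdefault(section, {})
        elif tok[0] == "edit" and section is not None:
            entry = tok[1]
            tree[section][entry] = {}
        elif tok[0] == "set" and entry is not None:
            tree[section][entry][tok[1]] = tok[2:]
        elif tok[0] == "end":
            section = entry = None
    return tree

def route_covers_probe(route, device):
    """True if this static route leaves via `device` and its dst contains the probe IP."""
    net = ipaddress.ip_network("/".join(route.get("dst", ["0.0.0.0", "0.0.0.0"])), strict=False)
    return route.get("device") == [device] and AZURE_PROBE_IP in net

def probe_findings(text, probed=("port1", "port2"), internal=("port2",), service="ssh"):
    """Return the reasons a load balancer health probe on `service` could fail."""
    cfg, findings = parse_fortios(text), []
    for name in probed:
        iface = cfg.get("system interface", {}).get(name)
        if iface is None or service not in iface.get("allowaccess", []):
            findings.append(f"{name}: missing or allowaccess lacks {service}")
    routes = cfg.get("router static", {}).values()
    for dev in internal:
        if not any(route_covers_probe(r, dev) for r in routes):
            findings.append(f"{dev}: no static route to {AZURE_PROBE_IP}")
    return findings
```

Calling `probe_findings(SAMPLE)` reports both problems on port2; an empty list means the configuration satisfies both prerequisites.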
