Azure Cookbook 6.2.0
FortiGate Autoscale for Azure features

Major components

  • The Function App. The Function App handles all the autoscaling features, including master/slave role assignment, license distribution, and failover management.
  • The BYOL Scale Set. This scale set contains 0 to many FortiGate-VMs of the BYOL licensing model and is a VMSS with a fixed size. Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.
    Note

    For BYOL-only and hybrid licensing deployments, the BYOL instance Count must be at least 2. These FortiGate-VMs are the main instances; they are fixed and run 7x24. If the count is set to 1 and that instance fails, the current FortiGate-VM configuration is lost.

  • The PAYG Scale Set. This scale set contains 0 to many FortiGate-VMs of the PAYG licensing model and dynamically scales out or scales in based on the scaling metrics specified by the parameters Scale Out Threshold and Scale In Threshold.
    Note

    For PAYG-only deployments, the PAYG instance Count must be at least 2. These FortiGate-VMs are the main instances; they are fixed and run 7x24. If the count is set to 1 and that instance fails, the current FortiGate-VM configuration is lost.

  • The Blob Containers.
    • The configset container contains files that are loaded as the initial configuration of a new FortiGate-VM instance.
      • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
    • The fgt-asg-license container contains the BYOL license files.
  • Database tables. These tables store information such as health check monitoring, master election, and state transitions. These records should not be modified unless required for troubleshooting purposes.
  • Networking Components. These are the load-balancing rules, autoscaling settings, virtual network, and routing-related components. You are expected to create your own client and server instances that you want protected by the FortiGate-VM.

Configset placeholders

When the FortiGate-VM requests the configuration from the Autoscaling handler function, the placeholders listed below (placeholder, type, description) are replaced with the actual values for the Autoscaling group.

{SYNC_INTERFACE} (Text)
    The interface for FortiGate-VMs to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase.

{CALLBACK_URL} (URL)
    The full URL of the Autoscaling handler function.

{PSK_SECRET} (Text)
    The Pre-Shared Key used in FortiOS.

{ADMIN_PORT} (Number)
    The admin port will be replaced with 443.

{HEART_BEAT_INTERVAL} (Number)
    The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder is only present in the hybrid licensing deployment.
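The substitution step described above, written as an added Python example (not Fortinet's handler code): it fills a constructed baseconfig stand-in and enforces the constraints the table states, namely the lowercase portN form of {SYNC_INTERFACE}, the fixed 443 for {ADMIN_PORT}, and {HEART_BEAT_INTERVAL} being valid only in hybrid deployments. The https-only rule for {CALLBACK_URL} and the sample CLI lines are assumptions, not taken from the page.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")
KNOWN = {"SYNC_INTERFACE", "CALLBACK_URL", "PSK_SECRET", "ADMIN_PORT", "HEART_BEAT_INTERVAL"}

# Constructed stand-in for a baseconfig fragment (not the real file in the configset container).
SAMPLE_BASECONFIG = """config system auto-scale
    set sync-interface {SYNC_INTERFACE}
    set callback-url {CALLBACK_URL}
    set psksecret {PSK_SECRET}
    set hb-interval {HEART_BEAT_INTERVAL}
end
config system global
    set admin-sport {ADMIN_PORT}
end
"""

def check_value(name, value):
    """Validate one placeholder value against the constraints stated in the placeholder table."""
    if name == "ADMIN_PORT":
        return "443"  # page: always replaced with 443, whatever was supplied
    if name == "SYNC_INTERFACE" and not re.fullmatch(r"port[0-9]+", str(value)):
        raise ValueError(f"SYNC_INTERFACE must be lowercase portN, got {value!r}")
    if name == "CALLBACK_URL":
        p = urlsplit(str(value))
        if p.scheme != "https" or not p.netloc:  # https-only is an assumption beyond the page
            raise ValueError("CALLBACK_URL must be a full https:// URL")
    if name == "PSK_SECRET" and (not value or any(c.isspace() for c in str(value))):
        raise ValueError("PSK_SECRET must be non-empty with no whitespace")
    if name == "HEART_BEAT_INTERVAL" and (type(value) is not int or value <= 0):
        raise ValueError("HEART_BEAT_INTERVAL must be a positive integer (seconds)")
    return str(value)

def render_configset(template, values, hybrid):
    """Substitute placeholders; reject unknown ones and HEART_BEAT_INTERVAL outside hybrid deployments."""
    names = set(PLACEHOLDER.findall(template))
    if names - KNOWN:
        raise ValueError(f"unknown placeholders: {sorted(names - KNOWN)}")
    if "HEART_BEAT_INTERVAL" in names and not hybrid:
        raise ValueError("HEART_BEAT_INTERVAL is only valid in hybrid licensing deployments")
    # A missing value reaches check_value as None and fails that placeholder's check.
    return PLACEHOLDER.sub(lambda m: check_value(m.group(1), values.get(m.group(1))), template)

def rejects(template, values, hybrid):
    """True if render_configset refuses the input; used to exercise the failure modes."""
    try:
        render_configset(template, values, hybrid)
        return False
    except ValueError:
        return True
```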

Function App environment variables

Azure infrastructure related environment variables

The variables listed below hold information that enables the function to use the required Azure services. Changing their values may make those services unreachable by the function. Modify them at your own risk.

RESOURCE_GROUP
    Name of the resource group in which the template is deployed.

REST_APP_ID, REST_APP_SECRET, WEBSITE_RUN_FROM_ZIP
    Descriptions of these variables are identical to those of the related parameters, which are described in the section Configurable variables.

REST_API_MASTER_KEY
    The CosmosDB account access key automatically created with the CosmosDB account.

TENANT_ID
    The Azure Directory ID for the Active Directory of your current subscription.

SUBSCRIPTION_ID
    Your Azure Subscription ID.

AUTOSCALE_DB_ACCOUNT
    The CosmosDB account created for the current FortiGate Autoscale deployment.

AZURE_STORAGE_ACCOUNT
    The Blob Storage account name automatically created during the deployment.

AZURE_STORAGE_ACCESS_KEY
    The Blob Storage account access key automatically created with the Blob Storage account.

FortiGate Autoscale required environment variables

Changing the values of the following variables can cause unexpected function behavior. Modify them at your own risk.

UNIQUE_ID
    Reserved, empty string.

CUSTOM_ID
    Reserved, empty string.

RESOURCE_TAG_PREFIX
    An Autoscaling feature variable that is automatically created. Reserved for future use.

Troubleshooting environment variables

The following variables assist in troubleshooting the current FortiGate Autoscale deployment.

DEBUG_SAVE_CUSTOM_LOG
    Set to true to save script logs to the DB table CUSTOM_LOG. This is the default behavior. Set to false to disable this feature.

DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED
    Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false for every log output to have its own log item in the Azure logging system. This is the default behavior.

DEBUG_LOGGER_TIMEZONE_OFFSET
    Set to the UTC offset of the current deployment location for a better logging display time.

For details on how to modify the troubleshooting environment variables, refer to the section Troubleshoot using environment variables.
