Azure Cookbook

6.4.0
FortiGate Autoscale for Azure features

Major components

  • The Function App. The Function App handles all the autoscaling features, including master/slave role assignment, license distribution, and failover management.
  • The BYOL Scale Set. This scale set contains 0 to many FortiGate-VMs of the BYOL licensing model and is a VMSS with a fixed size. Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.
    Note

    For BYOL-only and hybrid licensing deployments, the BYOL instance Count must be at least 2. These FortiGate-VMs are the main instances: they are fixed and run 24x7. If the count is set to 1 and that instance fails, the current FortiGate-VM configuration is lost.

  • The PAYG Scale Set. This scale set contains 0 to many FortiGate-VMs of the PAYG licensing model and dynamically scales out or scales in based on the scaling metrics specified by the parameters Scale Out Threshold and Scale in Threshold.
    Note

    For PAYG-only deployments, the PAYG instance Count must be at least 2. These FortiGate-VMs are the main instances: they are fixed and run 24x7. If the count is set to 1 and that instance fails, the current FortiGate-VM configuration is lost.

  • The Blob Containers.
    • The configset container contains files that are loaded as the initial configuration of a new FortiGate-VM instance.
      • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
      • httproutingpolicy and httpsroutingpolicy are provided as part of the base configset for a common use case, and specify the FortiGate firewall policies for the HTTP-routing and HTTPS-routing VIPs respectively. This common use case consists of a VIP on port 80 and a VIP on port 443, each with a policy that points to an internal load balancer.
      Note

      In FortiOS 6.2.3, VIPs created on the master do not sync to the slave units. Any VIP you wish to add must be added as part of the base configuration.

      If you set the Frontend IP Deployment Method parameter to use existing public IP address, then you must include your VIP configuration in the base configuration.

    • The fgt-asg-license container contains the BYOL license files.
  • Database tables. These tables are required to store information such as health check monitoring, master election, state transitions, etc. These records should not be modified unless required for troubleshooting purposes.
  • Networking Components.
    • One virtual network
    • Two Load Balancers (with names ending with -external-load-balancer and -internal-load-balancer)
    • One network security group (with a name ending with -network-security-group)
    • One public IP address
    • Four route tables

Configset placeholders

When the FortiGate-VM requests its configuration from the Autoscaling handler function, the placeholders in the table below are replaced with the actual values for the Autoscaling group.

| Placeholder | Type | Description |
|---|---|---|
| {SYNC_INTERFACE} | Text | The interface the FortiGate-VMs use to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase. |
| {CALLBACK_URL} | URL | The full URL of the Autoscaling handler function. |
| {PSK_SECRET} | Text | The pre-shared key used in FortiOS. |
| {ADMIN_PORT} | Number | The admin port; always replaced with 443. |
| {HEART_BEAT_INTERVAL} | Number | The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder exists only in the hybrid licensing deployment. |
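As an added example (not Fortinet's code or the handler's real implementation), the function below renders a constructed baseconfig fragment by substituting the placeholders from the table, enforces the constraints the table states (lowercase portN sync interface, admin port fixed to 443, heartbeat interval only in hybrid deployments) and refuses to emit a configuration that still contains an unresolved placeholder. The FortiOS CLI keywords in the sample and the HTTPS requirement on the callback URL are assumptions.

```python
import re

# Constructed sample of a baseconfig fragment using the page's placeholders.
# The CLI keywords are illustrative; the real baseconfig shipped in the configset differs.
SAMPLE_BASECONFIG = """\
config system auto-scale
    set status enable
    set sync-interface "{SYNC_INTERFACE}"
    set hb-interval {HEART_BEAT_INTERVAL}
    set psksecret "{PSK_SECRET}"
    set callback-url "{CALLBACK_URL}"
end
config system global
    set admin-sport {ADMIN_PORT}
end
"""

PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")
SYNC_IFACE_RE = re.compile(r"^port[0-9]+$")  # lowercase portN, as the table requires


def render_configset(template: str, values: dict, hybrid: bool) -> str:
    """Substitute the Autoscale placeholders, enforce the constraints the placeholder
    table states, and refuse to emit a config that still contains a placeholder."""
    values = dict(values)
    values.setdefault("ADMIN_PORT", 443)  # the admin port is always replaced with 443
    if not hybrid:  # HEART_BEAT_INTERVAL exists only in hybrid licensing deployments
        values.pop("HEART_BEAT_INTERVAL", None)
    iface = str(values.get("SYNC_INTERFACE", ""))
    if not SYNC_IFACE_RE.match(iface):
        raise ValueError(f"SYNC_INTERFACE must be lowercase portN, got {iface!r}")
    if not values.get("PSK_SECRET"):
        raise ValueError("PSK_SECRET must not be empty")
    # Assumption: the handler function is reached over HTTPS, as Azure Function Apps are.
    if not str(values.get("CALLBACK_URL", "")).startswith("https://"):
        raise ValueError("CALLBACK_URL must be the full https:// URL of the handler")
    if hybrid and not str(values.get("HEART_BEAT_INTERVAL", "")).isdigit():
        raise ValueError("HEART_BEAT_INTERVAL must be a whole number of seconds")

    def substitute(match):
        name = match.group(1)
        if name not in values:
            # A literal {PSK_SECRET} or {CALLBACK_URL} left in a deployed config means
            # the new instance can never join the group: fail here instead.
            raise ValueError(f"unresolved placeholder {{{name}}} in configset")
        return str(values[name])

    return PLACEHOLDER_RE.sub(substitute, template)
```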

Function App environment variables

Azure infrastructure-related environment variables

The variables in the table below hold the information that lets the function reach the required Azure services. Changing their values may make those services unreachable from the function. Modify them at your own risk.

| Variable name | Description |
|---|---|
| RESOURCE_GROUP | Name of the resource group the template is deployed in. |
| REST_APP_ID, REST_APP_SECRET, WEBSITE_RUN_FROM_ZIP | Descriptions of these variables are identical to those of the related parameters described in the section Configurable variables. |
| REST_API_MASTER_KEY | The CosmosDB account access key automatically created with the CosmosDB account. |
| TENANT_ID | The Azure Directory ID for the Active Directory of your current subscription. |
| SUBSCRIPTION_ID | Your Azure Subscription ID. |
| AUTOSCALE_DB_ACCOUNT | The CosmosDB account created for the current FortiGate Autoscale deployment. |
| AZURE_STORAGE_ACCOUNT | The Blob Storage account name automatically created during the deployment. |
| AZURE_STORAGE_ACCESS_KEY | The Blob Storage account access key automatically created with the Blob Storage account. |

FortiGate Autoscale required environment variables

Changing the values of the following variables can cause unexpected function behavior. Modify them at your own risk.

| Variable name | Description |
|---|---|
| UNIQUE_ID | Reserved, empty string. |
| CUSTOM_ID | Reserved, empty string. |
| RESOURCE_TAG_PREFIX | An Autoscaling feature variable that is automatically created. Reserved for future use. |

Troubleshooting environment variables

The following variables assist in troubleshooting the current FortiGate Autoscale deployment.

| Variable name | Description |
|---|---|
| DEBUG_SAVE_CUSTOM_LOG | Set to true to save script logs to the DB table CUSTOM_LOG. This is the default behavior. Set to false to disable this feature. |
| DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED | Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false for every log output to have its own log item in the Azure logging system. This is the default behavior. |
| DEBUG_LOGGER_TIMEZONE_OFFSET | Set to the UTC offset of the current deployment location for a better logging display time. |

For details on how to modify the troubleshooting environment variables, refer to the section Troubleshoot using environment variables.
