Here is a recap of some of the reflections I have from deploying Fortinet's FortiGate appliance on Azure. This is more of a reflection of the steps I took than a guide, but you can use the information below as you see fit. At a high level, you will need to deploy the device on Azure and then configure the internal "guts" of the device so that it routes traffic properly on your Virtual Network (VNet) in Azure. While Fortinet does have some documentation on deploying their appliance, I found it very confusing, so I hope this helps walk through the deployment.

At the time of writing this, v6.2 was the latest version; however, I recommend using at least version 6.0, as it adds support for auto-scaling, which is what we will be looking at in this guide.

First, I just want to provide a quick overview of the different options you can take and a rough overview of each architecture:

Single FortiGate (one VM; easiest to deploy, but not highly available).

HA FortiGate in Active/Passive mode (two VMs with a public IP that gets manually attached to a given instance, plus updates to route tables on failover).

Notes: Fortinet in an Active/Passive deployment requires the modification of UDRs and public IPs. Please note that any manipulation of UDRs or public IPs for Active/Passive solutions can take about 30 seconds to be applied after the failover is initiated. This deployment typically has 4 IPs on each appliance: one for external traffic, another for internal traffic, a third for heartbeat traffic, and a fourth for management traffic.

HA FortiGate in Active/Active mode (two VMs load balanced by Azure Load Balancer for high availability; a little more complex to manage, and sometimes called the "load balancer sandwich").

Auto-scaling FortiGate (most complex architecture, cannot be deployed from the Azure Marketplace, but most scalable).

Note: As of - the only downside to this deployment method is that BYOL isn't officially supported yet (you must use Pay-as-you-go (PAYG) licensing), and this mode will not let you easily establish VPN connections to the appliance, compared with Azure VPN Gateway. If using this deployment strategy, I would recommend pairing it with Azure's VPN Gateway to handle VPN connectivity.

Note: As of - I don't believe this deployment works for Azure's sovereign clouds. The image for the FortiGate appliance only goes up to v6.1.0 in Azure Government Cloud, and I don't see a way to specify within the FortiGate that it needs to use the Government Cloud APIs. You would need to manually modify the templates and work with Fortinet to ensure the images work for Azure's sovereign clouds. In that case, I would recommend deploying the HA FortiGate in Active/Active mode listed above.

As part of this tutorial, we will look at FortiGate's auto-scaling deployment, as this will allow us to dynamically scale up or down depending on load. In addition, this deployment will provide us high availability, so in the event we lose a VM, network traffic will automatically fail over to another appliance.

Deployment

Architecture

A high level overview of what resources are deployed
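Before the auto-scaling architecture, it is worth being concrete about the Active/Passive option listed earlier, since it is the one whose failover depends on Azure-side changes (re-pointing UDRs and moving the public IP) rather than on a load balancer. The following Python is an added example, not code from the original post or from Fortinet: it models the four-NIC layout of each appliance and a route table that sends protected traffic to the active unit, computes exactly what a failover has to change, and renders the equivalent Azure CLI calls as strings. Every resource name and address in it is made up, the ipconfig name ipconfig1 is an assumption, and the az flags are written as I know them and should be checked against your CLI version.

```python
"""
Added example (not from the original post or Fortinet): a model of what the
Active/Passive FortiGate option changes on the Azure side during a failover.
Each appliance has four NICs (external, internal, heartbeat, management), the
shared public IP sits on the active unit's external NIC, and the protected
subnets' user-defined routes (UDRs) point at the active unit's internal IP.
All resource names and addresses below are made up for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Azure applies UDR and public IP changes asynchronously; the post observes
# roughly 30 seconds before a failover's changes take effect.
EXPECTED_PROPAGATION_SECONDS = 30


@dataclass(frozen=True)
class FortiGate:
    name: str
    external_ip: str    # port1 private IP (external subnet)
    internal_ip: str    # port2 private IP (internal subnet), used as UDR next hop
    heartbeat_ip: str   # port3, HA heartbeat
    mgmt_ip: str        # port4, management
    external_nic: str   # Azure NIC resource backing port1 (holds the public IP)


@dataclass(frozen=True)
class Route:
    name: str
    prefix: str
    next_hop_type: str              # "VirtualAppliance", "VnetLocal", ...
    next_hop_ip: Optional[str] = None


@dataclass(frozen=True)
class AzureState:
    resource_group: str
    route_table: str
    public_ip: str          # public IP resource shared by the pair
    public_ip_owner: str    # NIC currently holding that public IP
    routes: Tuple[Route, ...]


def sample_state():
    """Constructed sample: fgt-a is active and two UDRs point at its internal IP."""
    fgt_a = FortiGate("fgt-a", "10.0.1.4", "10.0.2.4", "10.0.3.4", "10.0.4.4", "fgt-a-port1")
    fgt_b = FortiGate("fgt-b", "10.0.1.5", "10.0.2.5", "10.0.3.5", "10.0.4.5", "fgt-b-port1")
    routes = (
        Route("default", "0.0.0.0/0", "VirtualAppliance", fgt_a.internal_ip),
        Route("to-onprem", "192.168.0.0/16", "VirtualAppliance", fgt_a.internal_ip),
        Route("vnet-local", "10.0.0.0/16", "VnetLocal"),   # not an appliance hop
    )
    state = AzureState("rg-fortigate", "rt-protected", "pip-fgt-external",
                       fgt_a.external_nic, routes)
    return state, (fgt_a, fgt_b)


def plan_failover(state, pair, failed):
    """Return (new_active, changes); a change is ("route", name, new_next_hop)
    or ("public_ip", pip_name, new_owner_nic). Empty if nothing points at failed."""
    survivors = [f for f in pair if f.name != failed.name]
    if len(survivors) != 1:
        raise ValueError("an Active/Passive pair has exactly one survivor")
    new_active = survivors[0]
    changes = []
    for r in state.routes:
        if r.next_hop_type == "VirtualAppliance" and r.next_hop_ip == failed.internal_ip:
            changes.append(("route", r.name, new_active.internal_ip))
    if state.public_ip_owner == failed.external_nic:
        changes.append(("public_ip", state.public_ip, new_active.external_nic))
    return new_active, changes


def apply_failover(state, pair, failed):
    """Pure dry run: the Azure state once every planned change has propagated."""
    new_active, changes = plan_failover(state, pair, failed)
    moved = {name for kind, name, _ in changes if kind == "route"}
    routes = tuple(replace(r, next_hop_ip=new_active.internal_ip) if r.name in moved else r
                   for r in state.routes)
    owner = state.public_ip_owner
    if any(kind == "public_ip" for kind, _, _ in changes):
        owner = new_active.external_nic
    return replace(state, routes=routes, public_ip_owner=owner)


def render_az_commands(state, failed, changes):
    """Equivalent Azure CLI calls, rendered as strings and not executed here.
    Flags follow the az CLI as I know it; 'ipconfig1' is the assumed ipconfig name."""
    rg, cmds = state.resource_group, []
    for kind, name, target in changes:
        if kind == "route":
            cmds.append(f"az network route-table route update -g {rg} "
                        f"--route-table-name {state.route_table} -n {name} "
                        f"--next-hop-ip-address {target}")
        else:  # a public IP can sit on one ipconfig only: detach first, then attach
            cmds.append(f"az network nic ip-config update -g {rg} --nic-name "
                        f"{failed.external_nic} -n ipconfig1 --remove publicIpAddress")
            cmds.append(f"az network nic ip-config update -g {rg} --nic-name "
                        f"{target} -n ipconfig1 --public-ip-address {name}")
    return cmds


if __name__ == "__main__":
    state, pair = sample_state()
    new_active, changes = plan_failover(state, pair, pair[0])
    print(f"failover to {new_active.name}; expect ~{EXPECTED_PROPAGATION_SECONDS}s to apply")
    print("\n".join(render_az_commands(state, pair[0], changes)))
```

Two practical points the model makes visible: the public IP has to be detached from the failed unit's NIC before it can be attached to the survivor's, and the CLI returning successfully is not the same as traffic having moved, which is where the roughly 30-second window mentioned above comes from. In a real deployment the FortiGate pair performs these same route-table and public-IP updates itself through its Azure SDN connector, so the identity it runs under needs write access to exactly these resources and nothing more.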