Technical Tip: Deploying and configuring active-passive HA within one zone

It is possible to configure FortiGate's native active-passive HA feature (without using an Azure supplementary mechanism such as Azure LB) with two FortiGate-VM instances: one acting as the primary node and the other as secondary node, both located in the same region.
This is called unicast HA and is specific to Cloud environments including Azure.

Unicast HA complies with Cloud environments' network restrictions as compared to equivalent features provided by physical FortiGates.
The FortiGate-VMs run heartbeats between dedicated ports and synchronize OS configurations.
When the primary node (FortiGate Node-A in the diagram), the secondary node (FortiGate Node-B) takes over as the primary node so endpoints on a protected server continue to communicate with external resources over the FortiGate.
The public IP addresses shown in the diagram will differ from the used IP, configured during deployment.

 

• Mapping public IP addresses from a failing node to a healthy node interface.
• Redefining user-defined routes (UDRs) from a failing node to a healthy node IP addresses.

• Configuring the FortiGate using the CLI
  
• Azure Portal. With an Azure account to perform a deployment.
  
• Azure ARM templates.
  
• Knowledge of software-defined network (SDN) connectors.

Deploying Fortigate HA A-P setup with Azure LB