masaleh
Staff
February 25, 2026

Troubleshooting Tip: FortiGate Azure Active-Passive failover not working due to internal DNS server

Description

This article describes how to resolve an issue where FortiGate Azure active-passive failover does not work because DNS resolution fails during the failover. The FortiGate uses an internal DNS server, and lookups against it fail while the failover is in progress.

Scope

FortiGate.
Solution

Follow these steps:

  1. Configure a local DNS entry on the FortiGate for management.azure.com so that resolution stays local during the failover. Start with the following command:

config system dns-database

  2. Edit the Azure domain and set the domain to management.azure.com.
  3. Configure the DNS entry for management.azure.com with the IP address.
  4. Test the configuration by pinging management.azure.com from the FortiGate.

The complete configuration:

config system dns-database
    edit "Azure"
        set domain "management.azure.com"
        config dns-entry
            edit 1
                set hostname "management.azure.com"
                set ip 4.150.240.10    <----- Confirm this IP by checking nslookup output.
            next
        end
    next
end

Alternatively, move the internal DNS server to a different subnet and route its Internet traffic directly (next hop: Internet). This is not recommended, however, because it exposes the internal DNS server to the Internet.

When the SDN connector initiates the DNS lookup during an HA failover, the query always goes out via the management interface. Even though the DNS servers under Network -> DNS show as reachable, they must also be reachable through the management interface.
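The IP in the static entry above is hardcoded, and the address behind management.azure.com can change over time. As an added example (not Fortinet's code), the following Python parses the dns-database block shown in this article and compares each static entry with a set of live resolver answers supplied by the caller (constructed here), so the entry can be re-checked before relying on it during a failover. It assumes the hostname field is the FQDN to query, as the article configures it.

```python
# Added example (not Fortinet code): check that a FortiOS static dns-entry still
# matches what the resolver returns. Assumes the hostname field is the FQDN to query.
import re

# Constructed sample: the dns-database block from the article, as FortiOS prints it.
SAMPLE_CONFIG = """\
config system dns-database
    edit "Azure"
        set domain "management.azure.com"
        config dns-entry
            edit 1
                set hostname "management.azure.com"
                set ip 4.150.240.10
            next
        end
    next
end
"""

def parse_dns_database(text: str) -> list[tuple[str, str, str]]:
    """Return (zone, hostname, ip) for each 'edit N' block inside 'config dns-entry'."""
    entries, zone, hostname, ip, in_entry = [], None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'set domain "([^"]+)"', line):
            zone = m.group(1)
        elif line == "config dns-entry":
            in_entry = True
        elif in_entry and (m := re.match(r'set hostname "([^"]+)"', line)):
            hostname = m.group(1)
        elif in_entry and (m := re.match(r"set ip (\S+)", line)):
            ip = m.group(1)
        elif in_entry and line == "next":  # closes one 'edit N' entry
            entries.append((zone, hostname, ip))
            hostname = ip = None
        elif in_entry and line == "end":  # closes 'config dns-entry'
            in_entry = False
    return entries

def check_drift(entries: list[tuple[str, str, str]], live: dict[str, set[str]]) -> list[str]:
    """Warn when a static IP is no longer among the answers the live resolver returns."""
    warnings = []
    for _zone, hostname, ip in entries:
        answers = live.get(hostname)
        if answers is None:
            warnings.append(f"{hostname}: no live resolution result available")
        elif ip not in answers:
            warnings.append(f"{hostname}: static {ip} not in live answers {sorted(answers)}")
    return warnings
```

Feed `check_drift` the A records returned by a resolver that is reachable through the management interface; an empty list means the static entry still matches.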

For more information, refer to the following articles: