Question about HA-Failover using SDN-Connectors

mbo · ‎09-30-2024

Hello, I am looking for some clarification on the SDN Connector behavior.

We are running the HA-Failover option using SDN-Connectors to change the azure route tables next hop entries to the then primary fortigate node on failover.

By now we reached about 30 connectors for different subscriptions and started getting API throttled by Azure.
Since we do not use any sdn-connector functionality besides the failover I have two questions:

1. From testing it looks like the connectors are not trying to update the next hop entry on the azure route tables when the update-interval cycles but are only retrieving the service tags and doing an inventory of the resource groups.
There are entries like this:
azd sdn connector AZURE_SDN_001 start updating IP addresses
azd sdn connector AZURE_SDN_001 finish updating IP addresses

but they do not actually change the next hop entry so i figure it's also just a inventory for the dynamic object functionality of the sdn connectors, is that correct?

2. Is a failover the only point where the sdn-connectors are actually changing the next hop entries according to the fortigate configuration?
If this is correct, can I just disable the update-interval:

2024-09-30 17_06_30.png

and get rid of the API throttles since we don't need the API calls at all, while keeping the failover functionality?

BR

JohnMcdo · ‎09-30-2024

Hi mbo,

You can turn off update interval, that will stop the SDN connector from attempting to gather Azure information.

HA failover will still work.

IP Addresses and Route Tables are only updated when there is a failover event.

The SDN Connector updates dynamic objects, if you are sure that none of you policies are utilizing any dynamic information from Azure, then there is no issue disabling the Update interval.

Hope this help.

Cloud Solutions Engineer Fortinet

View solution in original post

JohnMcdo · ‎09-30-2024