FortiGate Azure Discussions & Onboarding Information
mbo
New Contributor

Question about HA-Failover using SDN-Connectors

Hello, I am looking for some clarification on the SDN Connector behavior.

We are running the HA-Failover option using SDN-Connectors to change the Azure route tables' next hop entries to the then-primary FortiGate node on failover.

By now we have reached about 30 connectors for different subscriptions and started getting API throttled by Azure.
Since we do not use any sdn-connector functionality besides the failover, I have two questions:

1. From testing, it looks like the connectors are not trying to update the next hop entry on the Azure route tables when the update-interval cycles, but are only retrieving the service tags and doing an inventory of the resource groups.
There are entries like this:
azd sdn connector AZURE_SDN_001 start updating IP addresses
azd sdn connector AZURE_SDN_001 finish updating IP addresses

but they do not actually change the next hop entry, so I figure it's also just an inventory for the dynamic object functionality of the sdn connectors. Is that correct?

2. Is a failover the only point where the sdn-connectors are actually changing the next hop entries according to the FortiGate configuration?
If this is correct, can I just disable the update-interval:

[Screenshot: 2024-09-30 17_06_30.png]

and get rid of the API throttles since we don't need the API calls at all, while keeping the failover functionality?

BR

1 Solution
JohnMcdo
Staff

Hi mbo,

You can turn off the update interval; that will stop the SDN connector from attempting to gather Azure information.

HA failover will still work.

IP addresses and route tables are only updated when there is a failover event.

The SDN connector updates dynamic objects. If you are sure that none of your policies are utilizing any dynamic information from Azure, then there is no issue disabling the update interval.

Hope this helps.
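One way to check the condition in the answer above before disabling the update interval, as an added example that is not part of the original post or Fortinet's own tooling: scan a FortiOS configuration backup for firewall policies that reference dynamic address objects bound to an SDN connector. The sample configuration and the object names in it are constructed, and only flat `config`/`edit`/`set` blocks and one level of address-group nesting are handled.

```python
import re

# Constructed FortiOS config excerpt (not from the thread); object names are made up.
SAMPLE = '''
config firewall address
    edit "azure-web-vms"
        set type dynamic
        set sdn "AZURE_SDN_001"
    next
end
config firewall addrgrp
    edit "azure-group"
        set member "azure-web-vms"
    next
end
config firewall policy
    edit 1
        set dstaddr "all"
    next
    edit 2
        set dstaddr "azure-group"
    next
end
'''

def parse_section(config, section):
    """Return {entry: {key: [values]}} for one flat 'config <section>' block."""
    entries, current, inside = {}, {}, False
    for line in map(str.strip, config.splitlines()):
        if line in (f"config {section}", "end"):
            inside = line != "end"
        elif inside and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif inside and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            current[key] = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', rest)]
    return entries

def policies_using_sdn(config):
    """Map policy id -> dynamic SDN address objects it references (directly or via one group)."""
    dynamic = {n for n, f in parse_section(config, "firewall address").items()
               if f.get("type") == ["dynamic"] and "sdn" in f}
    groups = parse_section(config, "firewall addrgrp")
    hits = {}
    for pid, f in parse_section(config, "firewall policy").items():
        refs = set(f.get("srcaddr", []) + f.get("dstaddr", []))
        refs |= {m for g in refs if g in groups for m in groups[g].get("member", [])}
        if refs & dynamic:
            hits[pid] = sorted(refs & dynamic)
    return hits
```

An empty result means no policy in the scanned backup depends on connector-populated addresses; any hit lists the policy IDs that would stop receiving address updates once the interval is disabled.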

mbo
New Contributor

Thank you very much for the quick and clear solution, this is exactly what I needed!
