Users of Microsoft Azure might have received several notifications regarding the retirement of the Basic SKU public IP addresses.
Effective September 30th, 2025, Microsoft will retire Basic SKU Public IP addresses in Microsoft Azure. From 31st March 2025, it will no longer be possible to create a new Basic SKU Public IP. It is important to plan for this transition to Standard SKU Public IPs. Many of the Fortinet solutions act as front-end protection for customers' workloads and might have provisioned Basic SKU Public IPs or are utilizing the default outbound connectivity.
Advantages of removing Basic SKU Public IPs:
Potential issues with the removal of Basic SKU Public IPs:
The Basic SKU Public IP was once the only option and has been the default option for a long time within Microsoft Azure.
At this moment, by default, a resource without an assigned public IP can still communicate outbound within Microsoft Azure. Microsoft Azure assigns a dynamic Basic SKU Public IP for this outbound communication.
The impact within Fortinet solutions is that some high availability solutions use this default outbound connectivity. This outbound connectivity is particularly used to connect to the Microsoft Azure REST API to move or change public IPs, private IPs or routing tables. To ensure continued service it is important to upgrade your Basic SKU Public IP addresses as well as ensure that outbound connectivity is guaranteed by adding a Standard SKU Public IP address to the standby units in a high availability setup.
A Basic SKU Public IP can be upgraded to a Standard SKU Public IP. This is documented by Microsoft.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance
Before deployment make sure to deploy and verify the below:
There are 2 FortiGate deployments which are affected by these changes.
https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/983245
The Single VM and the Active/Passive with SDN connector deployments have the option to deploy successfully using a Basic SKU public IP. If you have internal users, customers and/or partners relying on this public IP, e.g. IPSEC tunnel, remote ACL, … the easiest option is to perform an upgrade.
If additional zone redundancy is required, the deployment needs to be reviewed as by default zones are not used during deployment. A redeployment of the cluster would be advisable as the deployment with a Basic SKU public IP is not compatible with Availability Zones.
The Active/Active and Active/Passive deployments using the Azure Standard Load Balancer use Standard SKU public IP addresses by default and are not affected by this change.
For new deployments it is important to select the Standard SKU when configuring the public IP during deployment. The routing preference, when deploying via the Azure Marketplace, is always using the Microsoft Network option. This is the most optimal and gets you into the Microsoft backbone via a POP closest to your location. More information can be found here: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview
For existing deployments, the public IP address needs to be verified. If it is a Basic SKU Public IP, an upgrade is required. A Network Security Group (NSG) is required to guarantee the inbound and outbound communication using the upgraded public IP address. If zone redundancy is not required, the current public IP can be upgraded by following this Microsoft guidance:
If zone redundancy is required a new Standard SKU Public IP needs to be provisioned and attached to the FortiGate.
For new deployments it is important to select the Standard SKU when configuring the public IP during deployment. The routing preference, when deploying via the Azure Marketplace, is always using the Microsoft Network option. This is the most optimal and gets you into the Microsoft backbone via a POP closest to your location. More information can be found here: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview
For existing deployments, the public IP address on the external side requires an upgrade and an NSG is required to guarantee the inbound and outbound communication using the upgraded public IP address.
The public IP addresses on the HA management network are required for the FortiGate to communicate with the Microsoft Azure REST API. Using the Basic SKU Public IP addresses, these could be removed using the dynamic and default open nature of these addresses. Moving to the Standard SKU Public IPs, this will no longer be an option. To prevent inbound communication an NSG can be created. Alternatively, a NAT gateway can be attached to the HA management subnet for outbound connectivity.
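The verification steps above (Basic SKU public IPs to upgrade, public IPs without an NSG, HA management interfaces with no explicit outbound path) can be run as an audit over exported inventory. This is an added example, not Fortinet or Microsoft code. It assumes records trimmed from `az network public-ip list -o json` and `az network nic list -o json`, and a list of subnet IDs with a NAT gateway that the operator supplies; all resource names and IDs are constructed.

```python
# Added example. Inputs mirror a trimmed `az network public-ip list -o json`
# and `az network nic list -o json`; all names and IDs below are constructed.
NET = "/subscriptions/0000/resourceGroups/rg-example/providers/Microsoft.Network"
MGMT = f"{NET}/virtualNetworks/vnet/subnets/hamgmt"
EXT = f"{NET}/virtualNetworks/vnet/subnets/external"

PUBLIC_IPS = [
    {"id": f"{NET}/publicIPAddresses/fgt-a-pip", "sku": {"name": "Basic"}},
    {"id": f"{NET}/publicIPAddresses/fgt-a-mgmt-pip", "sku": {"name": "Standard"}},
]

def nic(name, subnet, pip=None, nsg=None):
    """Build one constructed NIC record with the fields the audit reads."""
    ref = lambda kind, n: {"id": f"{NET}/{kind}/{n}"} if n else None
    return {"name": name, "networkSecurityGroup": ref("networkSecurityGroups", nsg),
            "ipConfigurations": [{"subnet": {"id": subnet},
                                  "publicIPAddress": ref("publicIPAddresses", pip)}]}

NICS = [
    nic("fgt-a-nic1", EXT, pip="fgt-a-pip", nsg="fgt-nsg"),  # external, Basic IP
    nic("fgt-a-nic4", MGMT, pip="fgt-a-mgmt-pip"),           # HA mgmt, no NSG
    nic("fgt-b-nic4", MGMT),                                 # standby, no public IP
]

def audit(public_ips, nics, nat_subnets=()):
    """Return {nic name: [findings]}; nat_subnets = subnet IDs with a NAT gateway."""
    sku = {p["id"].lower(): p["sku"]["name"] for p in public_ips}
    nat = {s.lower() for s in nat_subnets}
    report = {}
    for n in nics:
        cfgs = n["ipConfigurations"]
        skus = [sku.get(c["publicIPAddress"]["id"].lower(), "Unknown")
                for c in cfgs if c.get("publicIPAddress")]
        subnets = {c["subnet"]["id"].lower() for c in cfgs}
        findings = []
        if "Basic" in skus:
            findings.append("Basic SKU public IP: upgrade required")
        if skus and not n.get("networkSecurityGroup"):
            findings.append("public IP without NIC-level NSG: verify subnet NSG")
        if not skus and not (subnets & nat):
            findings.append("no public IP or NAT gateway: relies on default outbound")
        report[n["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(PUBLIC_IPS, NICS).items():
        print(name, findings or ["ok"])
```

The NSG check only looks at the NIC; an NSG attached at subnet level also satisfies the requirement and has to be confirmed separately.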
A single VM or HA deployment of FortiManager can use a Basic SKU Public IP address for each unit. They can be upgraded after validation of the NSG and outbound access requirements.
For HA deployment, either manual or VRRP, it is important to have a public IP assigned to the default outbound interface of both units. This will ensure that the VIP can be moved from the active to the passive unit on failover.
https://github.com/fortinet/azure-templates/tree/main/FortiManager/ha
A single VM or HA deployment of FortiAnalyzer can use a Basic SKU Public IP address for each unit. They can be upgraded after validation of the NSG and outbound access requirements.
For HA deployment, either manual or VRRP, it is important to have a public IP assigned to the default outbound interface of both units. This will ensure that the VIP can be moved from the active to the passive unit on failover.
https://github.com/fortinet/azure-templates/tree/main/FortiAnalyzer/ha
FortiWeb can be deployed using Basic SKU Public IP addresses in single VM and Active/Active solutions. The Active/Active deployment can even use the Basic SKU Load Balancer.
To validate and ensure correct operation after the changes Microsoft will be performing in 2025 the following needs to be verified and updated:
Any new deployments of the above products from the Azure Marketplace have been updated to reflect the changes announced by Microsoft and will deploy using the Standard SKU public IP addresses where needed in the architecture.
The removal of Basic SKU Public IPs presents both opportunities and challenges. By understanding the advantages and potential issues, you can plan and execute a smooth migration to Standard SKU Public IPs. This transition ultimately results in a more secure, scalable, and feature-rich network infrastructure. It is crucial to start planning and testing well before the September 2025 deadline to ensure a successful and seamless transition.
Additional Considerations: