FortiGate Azure Technical Learning
JoerVan
Staff

Introduction

 

Users of Microsoft Azure might have received several notifications regarding the retirement of the Basic SKU public IP addresses.

https://azure.microsoft.com/en-gb/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30...

Effective September 30th, 2025, Microsoft will retire Basic SKU Public IP addresses in Microsoft Azure, and from March 31st, 2025 it is no longer possible to create a new Basic SKU Public IP. It is important to plan the transition to Standard SKU Public IPs. Many Fortinet solutions act as front-end protection for customers' workloads and might have been provisioned with Basic SKU Public IPs or rely on the default outbound connectivity.

 

Advantages of moving to Standard SKU Public IPs:

  • Enhanced security: Standard SKU Public IPs are secure by default. Inbound traffic is dropped until a network security group (NSG) explicitly allows it, so the posture is default-closed instead of the default-open connectivity of the Basic SKU; the same NSG should be used to restrict egress as well.
  • Increased functionality: Standard SKU Public IPs are required by many Azure services, such as the Standard Load Balancer, Azure Firewall and NAT Gateway, enabling more advanced network configurations. For example, a routing preference can be selected: with the Microsoft network option the traffic enters the Microsoft backbone as close to the user as possible, with the Internet option it is carried over the public internet and enters the Microsoft network close to the Azure region.
  • Improved scalability and reliability: Standard SKU Public IPs can be configured as non-zonal, zonal or zone-redundant, offering the level of high availability and resilience to zone outages that your specific workload needs.

Potential issues with the removal of Basic SKU Public IPs:

  • Potential downtime: During the migration, temporary service disruptions can occur if the change is not carefully planned and executed; an in-place upgrade requires the public IP to be disassociated from the network interface for the duration of the upgrade.
  • Cost implications: Standard SKU Public IPs are priced slightly higher than Basic SKU Public IPs, increasing your infrastructure costs.
  • Migration effort: Upgrading existing resources from Basic SKU Public IPs requires manual intervention.
  • Compatibility concerns: Some applications might depend on behaviour specific to Basic SKU Public IPs (for example dynamic allocation, or a Basic SKU Load Balancer frontend), requiring adjustments or alternative solutions.

Impact on your Fortinet solutions running in Microsoft Azure

 

The Basic SKU Public IP was once the only option and has been the default within Microsoft Azure for a long time.

At this moment, a resource without an assigned public IP can by default still communicate outbound to the internet. Microsoft Azure provides this through default outbound access: an implicitly assigned, dynamic public IP address that is not a resource you control or can secure. Microsoft has announced that default outbound access is also being retired for new virtual networks on September 30th, 2025, so it should not be relied on for new deployments either.

The impact on Fortinet solutions is that some high availability solutions use this default outbound connectivity, in particular to reach the Microsoft Azure REST API to move or change public IPs, private IPs or route tables on failover. To ensure continued service, upgrade your Basic SKU Public IP addresses and make sure that outbound connectivity is guaranteed for every unit, by adding a Standard SKU Public IP address to the standby units in a high availability setup or by providing another explicit outbound path such as a NAT gateway.

 

A Basic SKU Public IP can be upgraded in place to a Standard SKU Public IP. The procedure is documented by Microsoft:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance

Before upgrading, make sure the following are in place and verified:

  • Network Security Group: Add an NSG to the network interface, or preferably to the subnet, that allows exactly the access required. Our deployment templates already provide NSGs, but these might have been removed after the deployment.
  • Outbound access: If no public IP is assigned to the Fortinet VM, Microsoft provides default internet access using a dynamic IP address. Your Fortinet solution might rely on this to reach one or more of the following services:
    • FortiGuard update servers
    • FortiGuard license servers
    • Microsoft Azure management API by the SDN connector
    • Microsoft Azure VM reporting
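As an added example (not part of the original page or of the Fortinet templates), the following Python script performs the two checks above offline against the JSON exported by `az network public-ip list -o json` and `az network nic list -o json`: it lists every Basic SKU public IP together with the ipconfig it is attached to, and every VM none of whose NICs carries a public IP, which is a VM that can reach the services listed above only through default outbound access. The embedded inventory is constructed for the example and the resource names are placeholders; only the fields the functions read are included, using the property names the Azure CLI emits for them.

```python
"""Inventory check for the Basic SKU public IP retirement.

Added example, not Fortinet's or Microsoft's code. Reads the JSON written by

    az network public-ip list -o json > pips.json
    az network nic list       -o json > nics.json

and reports (a) every Basic SKU public IP and what it is attached to, and
(b) every VM whose NICs carry no public IP at all, i.e. a VM that reaches
FortiGuard or the Azure REST API only through default outbound access.
The sample documents below are constructed; resource names are placeholders.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fgt-rg/providers"

# Constructed sample: one Basic IP on the active FortiGate's external NIC,
# one unattached zone-redundant Standard IP.
SAMPLE_PIPS = json.dumps([
    {"name": "fgt-a-pip", "resourceGroup": "fgt-rg",
     "sku": {"name": "Basic"}, "publicIPAllocationMethod": "Dynamic", "zones": None,
     "ipConfiguration": {"id": SUB + "/Microsoft.Network/networkInterfaces/fgt-a-nic1"
                               "/ipConfigurations/ipconfig1"}},
    {"name": "lb-pip", "resourceGroup": "fgt-rg",
     "sku": {"name": "Standard"}, "publicIPAllocationMethod": "Static", "zones": ["1", "2", "3"],
     "ipConfiguration": None},
])

# Constructed sample: active unit fgt-a has a public IP on NIC1; passive unit
# fgt-b has none at all; one NIC is not attached to any VM.
SAMPLE_NICS = json.dumps([
    {"name": "fgt-a-nic1", "resourceGroup": "fgt-rg",
     "virtualMachine": {"id": SUB + "/Microsoft.Compute/virtualMachines/fgt-a"},
     "ipConfigurations": [{"name": "ipconfig1",
                           "publicIPAddress": {"id": SUB + "/Microsoft.Network/publicIPAddresses/fgt-a-pip"}}]},
    {"name": "fgt-a-nic2", "resourceGroup": "fgt-rg",
     "virtualMachine": {"id": SUB + "/Microsoft.Compute/virtualMachines/fgt-a"},
     "ipConfigurations": [{"name": "ipconfig1", "publicIPAddress": None}]},
    {"name": "fgt-b-nic1", "resourceGroup": "fgt-rg",
     "virtualMachine": {"id": SUB + "/Microsoft.Compute/virtualMachines/fgt-b"},
     "ipConfigurations": [{"name": "ipconfig1", "publicIPAddress": None}]},
    {"name": "fgt-b-nic2", "resourceGroup": "fgt-rg",
     "virtualMachine": {"id": SUB + "/Microsoft.Compute/virtualMachines/fgt-b"},
     "ipConfigurations": [{"name": "ipconfig1", "publicIPAddress": None}]},
    {"name": "orphan-nic", "resourceGroup": "fgt-rg", "virtualMachine": None,
     "ipConfigurations": [{"name": "ipconfig1", "publicIPAddress": None}]},
])


def basic_public_ips(pips_json):
    """Basic SKU public IPs as (name, resource group, attached ipconfig id or None)."""
    out = []
    for pip in json.loads(pips_json):
        if pip["sku"]["name"].lower() != "basic":
            continue
        attached = (pip.get("ipConfiguration") or {}).get("id")
        out.append((pip["name"], pip["resourceGroup"], attached))
    return out


def vms_relying_on_default_outbound(nics_json):
    """Names of VMs where no ipconfig on any attached NIC has a public IP.

    A NAT gateway or load balancer outbound rule on the subnet would also give
    such a VM an explicit outbound path; that is not visible in the NIC
    inventory, so check the subnet's natGateway property before treating a
    hit as a problem.
    """
    has_pip = {}
    for nic in json.loads(nics_json):
        vm = nic.get("virtualMachine")
        if not vm:
            continue  # unattached NIC: nothing to assess
        vm_name = vm["id"].rsplit("/", 1)[-1]
        nic_has_pip = any(cfg.get("publicIPAddress") for cfg in nic["ipConfigurations"])
        has_pip[vm_name] = has_pip.get(vm_name, False) or nic_has_pip
    return sorted(name for name, ok in has_pip.items() if not ok)


def report(pips_json, nics_json):
    """One finding per line: UPGRADE for Basic IPs, OUTBOUND for VMs without any public IP."""
    lines = []
    for name, rg, attached in basic_public_ips(pips_json):
        target = attached.split("/Microsoft.Network/", 1)[-1] if attached else "unattached"
        lines.append(f"UPGRADE  {rg}/{name}: Basic SKU, attached to {target}")
    for vm in vms_relying_on_default_outbound(nics_json):
        lines.append(f"OUTBOUND {vm}: no public IP on any NIC, relies on default outbound access")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PIPS, SAMPLE_NICS)))
```

Run it against your own export by replacing the two constants with `open("pips.json").read()` and `open("nics.json").read()`; an OUTBOUND hit on the passive unit of an HA pair is exactly the case the text above warns about.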

FortiGate

 

Two of the FortiGate deployment architectures are affected by these changes.

 

https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/983245

 

The Single VM and the Active/Passive with SDN connector deployments can both be deployed successfully with a Basic SKU public IP. If internal users, customers and/or partners rely on this public IP, e.g. for IPsec tunnels, remote access lists, …, the easiest path is an in-place upgrade, which preserves the address.

If additional zone redundancy is required, the deployment needs to be reviewed, as by default availability zones are not used during deployment. A redeployment of the cluster is advisable in that case, because a deployment with a Basic SKU public IP is not compatible with Availability Zones and an in-place upgrade keeps the IP non-zonal.

The Active/Active and Active/Passive deployments using the Azure Standard Load Balancer use Standard SKU public IP addresses by default and are not affected by this change.

 

FortiGate Single VM

 

[Figure: fgt-single-vm-x-small.png]

 

For new deployments it is important to select the Standard SKU when configuring the public IP during deployment. When deploying via the Azure Marketplace, the routing preference is always the Microsoft network option. This is the most optimal choice: traffic enters the Microsoft backbone via the point of presence (POP) closest to the user. More information can be found here: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview

 

For existing deployments, the public IP address needs to be verified. If it is a Basic SKU Public IP, an upgrade is required, and a Network Security Group (NSG) is required to allow the inbound and outbound communication over the upgraded public IP address, since a Standard SKU Public IP denies inbound traffic by default. If zone redundancy is not required, the current public IP can be upgraded in place by following this Microsoft guidance:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance...

 

If zone redundancy is required, a new zone-redundant Standard SKU Public IP needs to be provisioned and attached to the FortiGate. Because the address changes, any peer configuration that references the old address (IPsec tunnels, remote access lists, DNS records) must be updated as part of the cutover.

 

FortiGate Active/Passive with SDN Connector

 

[Figure: fgt-ap-sdn.png]

 

As for the single VM deployment, select the Standard SKU when configuring the public IP for new deployments; the Azure Marketplace deployment always uses the Microsoft network routing preference.

 

For existing deployments, the public IP address on the external side requires an upgrade, and an NSG is required to allow the inbound and outbound communication over the upgraded public IP address.

 

The public IP addresses on the HA management network are required for the FortiGate to communicate with the Microsoft Azure REST API. With Basic SKU Public IPs these could be removed, because default outbound access provided each unit with a dynamic address and open outbound connectivity. With Standard SKU Public IPs this is no longer an option: each unit, including the standby, needs a guaranteed outbound path. Either keep the public IPs and attach an NSG to the HA management subnet that denies inbound traffic, or remove the public IPs and attach a NAT gateway to the HA management subnet for outbound-only connectivity.
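As an added example (not part of the original page or of the Fortinet templates), the following Python script turns the options discussed in this section and in the single VM section into reviewable Azure CLI plans: the in-place upgrade that keeps the address, the replacement by a new zone-redundant Standard SKU public IP, the NAT gateway on the HA management subnet, and the NSG that denies inbound by default. Resource names, the `ipconfig1` name and the admin source range are placeholders; the `az` invocations are the documented ones, but run a plan in dry-run mode first and review it before executing it against a live subscription.

```python
"""Build the Azure CLI steps that take one Fortinet interface off a Basic SKU
public IP, or give an outbound-only subnet an explicit egress path.

Added example, not Fortinet's or Microsoft's code; resource names are
placeholders. Plans, matching the options in the text:

  plan_inplace_upgrade    keep the address: detach, make it static, upgrade
                          the SKU, re-attach. The result stays non-zonal and
                          the VM is unreachable on that address while detached.
  plan_zonal_replacement  swap in a new zone-redundant Standard IP (the
                          address changes, so peers must be updated).
  plan_nat_gateway        HA management subnet: NAT gateway for egress instead
                          of a public IP per unit.
  plan_nsg                subnet-level NSG: default deny inbound, one admin rule.

Each plan is a list of argv lists; run_plan() prints them in dry-run mode and
only executes them with dry_run=False.
"""
import subprocess


def plan_inplace_upgrade(rg, pip, nic, ipconfig="ipconfig1"):
    return [
        # 1. Detach: the SKU cannot be changed while the IP is associated with a NIC.
        ["az", "network", "nic", "ip-config", "update", "-g", rg, "--nic-name", nic,
         "-n", ipconfig, "--remove", "publicIpAddress"],
        # 2. Standard SKU only supports static allocation; set it explicitly first.
        ["az", "network", "public-ip", "update", "-g", rg, "-n", pip,
         "--allocation-method", "Static"],
        # 3. Upgrade the SKU; the address itself is preserved.
        ["az", "network", "public-ip", "update", "-g", rg, "-n", pip, "--sku", "Standard"],
        # 4. Re-attach to the same ipconfig.
        ["az", "network", "nic", "ip-config", "update", "-g", rg, "--nic-name", nic,
         "-n", ipconfig, "--public-ip-address", pip],
    ]


def plan_zonal_replacement(rg, new_pip, nic, ipconfig="ipconfig1", zones=("1", "2", "3")):
    return [
        ["az", "network", "public-ip", "create", "-g", rg, "-n", new_pip, "--sku", "Standard",
         "--allocation-method", "Static", "--zone", *zones],
        # Pointing the ipconfig at the new IP replaces the old association in one step.
        ["az", "network", "nic", "ip-config", "update", "-g", rg, "--nic-name", nic,
         "-n", ipconfig, "--public-ip-address", new_pip],
    ]


def plan_nat_gateway(rg, vnet, subnet, natgw, natgw_pip):
    return [
        ["az", "network", "public-ip", "create", "-g", rg, "-n", natgw_pip,
         "--sku", "Standard", "--allocation-method", "Static"],
        ["az", "network", "nat", "gateway", "create", "-g", rg, "-n", natgw,
         "--public-ip-addresses", natgw_pip],
        ["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
         "-n", subnet, "--nat-gateway", natgw],
    ]


def plan_nsg(rg, vnet, subnet, nsg, admin_cidr):
    """Default-deny inbound (the NSG's built-in rules) plus one admin HTTPS allow rule."""
    return [
        ["az", "network", "nsg", "create", "-g", rg, "-n", nsg],
        ["az", "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsg,
         "-n", "AllowAdminHttps", "--priority", "100", "--direction", "Inbound",
         "--access", "Allow", "--protocol", "Tcp",
         "--source-address-prefixes", admin_cidr, "--destination-port-ranges", "443"],
        ["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
         "-n", subnet, "--network-security-group", nsg],
    ]


def run_plan(steps, dry_run=True):
    """Print the commands (dry run) or execute them in order, stopping at the first failure."""
    for cmd in steps:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(steps)


if __name__ == "__main__":
    run_plan(plan_inplace_upgrade("fgt-rg", "fgt-pip", "fgt-nic1"))
    run_plan(plan_nat_gateway("fgt-rg", "fgt-vnet", "hamgmt-subnet", "hamgmt-natgw", "hamgmt-natgw-pip"))
    run_plan(plan_nsg("fgt-rg", "fgt-vnet", "external-subnet", "external-nsg", "203.0.113.0/24"))
```

The plans are kept as argv lists rather than shell strings so that resource names are never shell-interpreted and so that a change ticket can carry the exact commands that will run; `plan_inplace_upgrade` is the one to use when peers depend on the existing address, `plan_zonal_replacement` when zone redundancy matters more than keeping it.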

FortiManager

A single VM or HA deployment of FortiManager can use a Basic SKU Public IP address for each unit. These can be upgraded after validating the NSG and outbound access requirements described above.

For an HA deployment, either manual or VRRP, it is important that a public IP is assigned to the default outbound interface of both units, so that each unit, including the passive one, keeps its outbound path after the retirement. This ensures that the VIP can be moved from the active to the passive unit on failover.

 

https://github.com/fortinet/azure-templates/tree/main/FortiManager/ha

 

FortiAnalyzer

A single VM or HA deployment of FortiAnalyzer can use a Basic SKU Public IP address for each unit. These can be upgraded after validating the NSG and outbound access requirements described above.

For an HA deployment, either manual or VRRP, it is important that a public IP is assigned to the default outbound interface of both units, so that each unit, including the passive one, keeps its outbound path after the retirement. This ensures that the VIP can be moved from the active to the passive unit on failover.

 

https://github.com/fortinet/azure-templates/tree/main/FortiAnalyzer/ha

 

FortiWeb

FortiWeb can be deployed with Basic SKU Public IP addresses in both the single VM and the Active/Active architecture; the Active/Active deployment can even use the Basic SKU Load Balancer.

To validate and ensure correct operation after the changes Microsoft is making in 2025, verify the NSG and outbound access requirements listed above and upgrade the public IP addresses. Note that a Basic SKU Load Balancer cannot use Standard SKU Public IPs as its frontend, so an Active/Active deployment on a Basic SKU Load Balancer has to move to a Standard Load Balancer at the same time.

Any new deployments of the above products from the Azure Marketplace have been updated to reflect the changes announced by Microsoft and deploy Standard SKU public IP addresses wherever the architecture requires them.

 

Conclusion

The removal of Basic SKU Public IPs presents both opportunities and challenges. By understanding the advantages and the potential issues, you can plan and execute a smooth migration to Standard SKU Public IPs. The transition ultimately results in a more secure, scalable and feature-rich network infrastructure. It is crucial to start planning and testing well before the September 2025 deadline, keeping in mind that no new Basic SKU Public IP can be created after March 31st, 2025, so a failed or delayed migration cannot be rolled back by recreating a Basic SKU address.

Additional Considerations:

  • Refer to Microsoft's official documentation for detailed migration guidance and resources: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance
  • Assess your current infrastructure and resource usage to determine the potential cost impact of the upgrade.
  • Evaluate the compatibility of your applications with Standard SKU Public IPs and plan any necessary adjustments.
  • Seek support from Microsoft and Fortinet partners or cloud specialists for assistance with planning and executing the migration.