Created on 10-11-2023 06:07 AM. Edited on 04-02-2024 02:06 AM by Anthony_E.
Description
This article describes how to configure failover handling for a FortiGate cluster in Azure. It covers the public IP association, the route table adjustments and the device-specific parts of the configuration that together make the failover work.

Scope
FortiGate.

Solution
This article outlines how to configure the SDN (Fabric) Connector in an Azure-deployed cluster so that failover is handled correctly. It focuses on an active-passive (A-P) cluster that relies on the Fabric Connector for failover, as described in the documentation on HA for FortiGate-VM on Azure.
Additionally, see the corresponding GitHub repository.
Once the subscription configuration is complete, the next step is to deploy the HA A-P cluster, in which the handover is carried out by the SDN connector.
Main Configuration: the primary settings of the Azure SDN connector: the connector type, the HA status, the subscription ID and the resource group.
Network Interface Configuration ('config nic'): the network interface settings, including the public IP association. On the primary device this associates the public IP 'piz-FGT-PIP' with 'piz-FGT-A-Nic1'; on the secondary device the same public IP is associated with 'piz-FGT-B-Nic1', so that on failover the address moves to the secondary.
Route Table Configuration ('config route-table'): the route table adjustments required on failover. Here it modifies the 'piz-RouteTable-ProtectedSubnet' route table by changing the next-hop IP address of the 'toDefault' route entry.
The cluster's public IP address, piz-FGT-PIP, is defined in Azure and associated with port1 of the primary device. The route-table section of the configuration lists every Azure route table that must be modified in the event of a failover.
In this scenario, the next hop of the default entry in the Azure route table piz-RouteTable-ProtectedSubnet is set to the IP address given in the configuration.
Note that the route-table section differs between the primary and secondary devices, because the two FortiGates have different internal IP addresses: each device must set the next hop to its own address so that after failover the route points at the currently active device. For the same reason this part of the configuration is entered separately on each unit rather than copied from one to the other.
Likewise, the interface names in the 'config nic' section differ, because the Azure Network Interface objects assigned to each device have distinct names. Azure takes a few seconds to complete the update of the public IP association and of the route next-hop addresses, so expect a short interruption of traffic through the cluster during failover.
To sum up, with the configuration described: when Host 1 is the active FortiGate, the Azure Public IP object 'piz-FGT-PIP' is linked to its Azure Network Interface object 'piz-FGT-A-Nic1'. Internet traffic sent to this public IP is therefore delivered to the first network interface of Host 1.
The management interface (port4 by default) is essential for communicating with the Azure infrastructure. It carries all API requests to Azure, must be able to resolve the Microsoft-specific API URLs (so it needs working DNS) and performs the re-association of the cluster's public IP during failover. The management port therefore needs outbound internet access, with any NSG or egress filtering permitting HTTPS to the Azure management endpoints.
During failover, the previously passive FortiGate takes over, becomes active and issues API calls to Azure. These calls re-associate the public IP, so that 'piz-FGT-PIP' is now linked to 'piz-FGT-B-Nic1', and update the user-defined route declared in Azure so that its next hop is the new active device's own internal address. This redirects both internal and external traffic to Host 2.
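The following is an added example written for this article, not the configuration the original page refers to. It shows the FortiOS CLI for the SDN connector on both cluster members, using the object names from the text (piz-FGT-PIP, piz-FGT-A-Nic1, piz-FGT-B-Nic1, piz-RouteTable-ProtectedSubnet, toDefault) and the dedicated management interface on port4. The connector name AzureSDN, the Azure IP configuration name ipconfig1, the subscription ID, the resource group piz-RG, the internal port2 addresses 10.0.2.4 (Host 1) and 10.0.2.5 (Host 2) and the port4 gateway 10.0.3.1 are placeholders and must be replaced with the values of the actual deployment.

```text
# Added example, not the article's own configuration. Lines starting with '#'
# are comments and are ignored when a FortiOS configuration is restored.
# Placeholders: subscription ID, resource group, ipconfig1, 10.0.2.4/10.0.2.5, 10.0.3.1.

# --- Host 1 (piz-FGT-A, intended primary) ---
config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        # Use the VM's managed identity for the Azure API; alternatively set
        # tenant-id, client-id and client-secret for a service principal.
        set use-metadata-iam enable
        set subscription-id "00000000-0000-0000-0000-000000000000"
        set resource-group "piz-RG"
        # Device-specific: this unit's own Azure NIC object carries the cluster PIP.
        config nic
            edit "piz-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "piz-FGT-PIP"
                    next
                end
            next
        end
        # Device-specific: next hop of the protected subnet's default route
        # is this unit's own internal (port2) address.
        config route-table
            edit "piz-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "10.0.2.4"
                    next
                end
            next
        end
    next
end

# --- Host 2 (piz-FGT-B, intended secondary) ---
# Same main settings; only the NIC name and the next hop differ.
config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set use-metadata-iam enable
        set subscription-id "00000000-0000-0000-0000-000000000000"
        set resource-group "piz-RG"
        config nic
            edit "piz-FGT-B-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "piz-FGT-PIP"
                    next
                end
            next
        end
        config route-table
            edit "piz-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "10.0.2.5"
                    next
                end
            next
        end
    next
end

# --- Both hosts: dedicated HA management interface (port4) ---
# The Azure API calls that move the PIP and rewrite the route leave through
# this interface, so it needs a default gateway, DNS and outbound HTTPS.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
end
```

To confirm that a failover has actually been carried through on the Azure side, check the two objects the connector rewrites rather than trusting the FortiGate's HA status alone, for example with the Azure CLI: `az network public-ip show -g piz-RG -n piz-FGT-PIP --query ipConfiguration.id` should reference piz-FGT-B-Nic1 after Host 2 becomes active, and `az network route-table route show -g piz-RG --route-table-name piz-RouteTable-ProtectedSubnet -n toDefault --query nextHopIpAddress` should return 10.0.2.5. If either still shows the old value, enable the Azure daemon debug on the new active unit (`diagnose debug application azd -1` followed by `diagnose debug enable`) and trigger the update again; the output shows whether the API calls are leaving port4 and what Azure returns.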