Description
This article describes how to allocate multiple public IP addresses to a FortiGate VM deployed in Azure and use those public IP addresses to reach services hosted behind the FortiGate VM.
Scope
FortiOS
Solution
A FortiGate VM has one or more network interfaces (NICs) attached to it. Each NIC can have one or more static or dynamic public and private IP addresses assigned to it. To add a private and public IP address pair to a FortiGate VM interface, complete the following steps:
- In the FortiGate VM pane, navigate to the Networking tab and click the network interface, as shown in the picture below:
- In the Network interface pane, click IP configurations, then click Add. Give the configuration a name (e.g. “Test_IP”), set the allocation to static, and under Associate public IP address either create a new public IP or choose an existing one. The public IP should use static assignment. (Note: the public IP SKU must be the same for every IP on the NIC; if the primary IP is ‘Basic’, any new public IP must also be ‘Basic’. Mixing Basic SKU and Standard SKU load balancer or public IP resources in an availability set is not allowed.)
- The new public IP is now added to the FortiGate VM interface, as shown in the following picture:
- After the new public IP is created, it can be used for inbound and outbound traffic. In the example below, the new public IP starting with 51.x.x.x is used to reach a website hosted behind the FortiGate VM on port 8080.
- For this example, a VIP was created with the inputs shown in the picture. The external IP address of the VIP must be the secondary private IP assigned to the FortiGate NIC1, in this example “Test_IP” 10.2.56.6. Do not use the public IP here: Azure translates the public IP to the private IP before the traffic reaches the FortiGate.
- Then create a new firewall policy for inbound traffic and add the above VIP as the destination. Enable SNAT on the policy if traffic from the backend server 10.2.57.6 towards the Internet is not routed and inspected via FortiGate port2. If a custom UDR is defined with 0.0.0.0/0 as the address prefix and a next hop type of Virtual appliance (the FortiGate), enabling SNAT is not required.
- The hosted website is now accessible from outside via the new public IP (http://51.x.x.x:8080/), as shown below:
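The VIP and inbound policy from the steps above, written as FortiOS CLI instead of the GUI form. This is an added example, not configuration from the original article: the object names Web_8080 and Inbound_Web_8080, the interface names port1 (external NIC1) and port2 (internal NIC2), and the backend listening on port 8080 are assumptions; the addresses 10.2.56.6 and 10.2.57.6 are those used in the article.

```fortios
# Added example, not from the original article.
# Assumed names: Web_8080, Inbound_Web_8080, port1 = external NIC1, port2 = internal NIC2.
config firewall vip
    edit "Web_8080"
        # External IP is the secondary PRIVATE IP on NIC1 (Azure maps the 51.x.x.x
        # public IP to it before delivery); never put the public IP here.
        set extip 10.2.56.6
        set extintf "port1"
        set portforward enable
        set mappedip "10.2.57.6"
        set extport 8080
        set mappedport 8080
    next
end

config firewall policy
    edit 0
        set name "Inbound_Web_8080"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web_8080"
        set action accept
        set schedule "always"
        # The VIP's extport already limits forwarding to TCP/8080.
        set service "ALL"
        # SNAT keeps replies from 10.2.57.6 returning through the FortiGate when the
        # backend subnet has no 0.0.0.0/0 UDR pointing at the FortiGate.
        # Remove 'set nat enable' once such a UDR is in place.
        set nat enable
        set logtraffic all
    next
end
```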
- If the VM is deployed in an HA cluster, all created public IP addresses must also be added to the SDN connector configuration so that they shift to the new primary VM during failover. Below is an example of the SDN connector where the newly created public IP is added under the NIC configuration:
FGT-FGT-A # config system sdn-connector
    edit "AzureHA"
        set status enable
        set type azure
        set use-metadata-iam enable
        set ha-status enable
        set azure-region global
        config nic
            edit "FGT-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "FGTPublicIP"
                        set resource-group ''
                    next
                    edit "Test_IP"
                        set public-ip "SecondaryPIP"
                        set resource-group ''
                    next
                end
            next
        end
    next
end
Copyright 2024 Fortinet, Inc. All Rights Reserved.