mrashidi
Staff
Article Id 313909
Description

This article describes how to configure the SDN Connector on the Azure FortiGate VM Active-Passive HA Cluster to do the following when failover occurs:

  1. Move the Public IP address(es) from primary to secondary FortiGate-VM, and,
  2. Update the Route Table(s) to point to the secondary FortiGate-VM private IP address.
Scope

FortiGate-VM in Azure.
Solution

Before configuring the SDN Connector, make sure both FortiGates have write access to the necessary Azure resources.

Review the following Admin Guide for details: Access control.

 

Configure the SDN Connector on the FortiGates:

[Figure: SDN HA.png]

On FortiGate A:

 

config system sdn-connector
    edit "AzureHA"
        set status enable
        set type azure
        set use-metadata-iam enable
        set ha-status enable
        set azure-region global
        config nic
            edit "FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "PublicIP1"
                        set resource-group ''
                    next
                end
                config ip                    <- This section is relevant if more Public IPs are in use.
                    edit "ipconfig2"
                        set public-ip "PublicIP2"
                        set resource-group ''
                    next
                end
            next
        end
        config route-table
            edit "RouteTable-ProtectedSubnet"
                config route
                    edit "Default"
                        set next-hop "10.0.2.69"   <- Private IP of FortiGate A's trusted interface.
                    next
                end
            next
            edit "RouteTable2"               <- If more Route Tables are in use.
                set subscription-id "Sub2"   <- If RouteTable2 is in another subscription.
                set resource-group "RG2"     <- If RouteTable2 is in another resource group.
                config route
                    edit "Default"
                        set next-hop "10.0.2.69"
                    next
                end
            next
        end
    next
end

 

On FortiGate B:

Use the same configuration used for FortiGate A for FortiGate B with the following changes: the NIC entry names become FortiGate B's NICs, and the next-hop of every route table becomes FortiGate B's trusted private IP (the same change applies to RouteTable2 and any other route table):

config nic
    edit "FGT-B-Nic1"
...
config route-table
    edit "RouteTable-ProtectedSubnet"
        config route
            edit "Default"
                set next-hop "10.0.2.70"

Update:

A new feature in Azure SDN Connector on v7.4.5 allows for a more efficient failover process. It enables the connector to move the private IP address from the primary to the secondary trusted NIC during a failover event.

This eliminates the need to update numerous User Defined Routes (UDRs), as all UDRs can be configured to use the secondary floating IP address as the next hop. When a failover happens, the connector simply switches the secondary floating private IP address to the new primary VM. This streamlined approach is particularly beneficial in environments with a large number of UDRs.

 

A secondary private IP needs to be added to the FGT-A trusted interface (port2). Then the existing SDN Connector configuration can be updated as follows:

 

On FortiGate A:

config system sdn-connector
    edit "AzureHA"
        config nic
            edit "FGT-A-Nic2"
                set peer-nic "FGT-B-Nic2"
                config ip
                    edit "floating-ip"
                        set private-ip "10.0.2.71"
                    next
                end
...
end

On FortiGate B:

config system sdn-connector
    edit "AzureHA"
        config nic
            edit "FGT-B-Nic2"
                set peer-nic "FGT-A-Nic2"
                config ip
                    edit "floating-ip"
                        set private-ip "10.0.2.71"
                    next
                end
...
end

 

Note:

  • With this feature, the route-table section is no longer needed in the SDN Connector settings and can be removed.
  • This feature is mainly used to move a private IP on the trusted interface, but it can also work on the untrusted interface if certain conditions are met. Since only the secondary IP can be moved, the public IP must also be associated with the secondary IP. Both IPs can then be configured in the SDN Connector to move to the new primary FortiGate.

 

Example:

config system sdn-connector
    edit "AzureHA"
        config nic
            edit "FGT-A-Nic1"                         <--- FortiGate-VM Public Interface.
                set peer-nic "FGT-B-Nic1"
                config ip
                    edit "floating-ip-wan"
                        set private-ip "10.0.2.7"     <--- Secondary Private IP.
                        set public-ip "PublicIP2"     <--- Public IP associated with Secondary IP.
                    next
                end
...
end
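The following added example (not Fortinet's code and not part of this article) cross-checks the SDN Connector text of the two FortiGates against each other, covering both the route-table form and the 7.4.5 floating-IP form shown above: it parses the FortiOS CLI into nested dicts, flags a route-table next-hop that was copied unchanged from the peer instead of being set to the node's own trusted IP, and flags a floating private-ip that differs between peer NICs. The AzureHA name, NIC names and IPs are the article's; the sample config strings are constructed.

```python
# Added example, not Fortinet's code: parse FortiOS CLI text into nested dicts
# and cross-check an A-P pair's Azure SDN Connector settings: every route-table
# next-hop must be the node's own trusted IP, and the floating private-ip (7.4.5
# mode) must match on the peer NIC. Names/IPs are the article's; samples constructed.
import shlex

def parse_fortios(text):
    # config/edit open a level, set stores a value, next/end close one;
    # 'end' closes the nearest 'config' even when 'next' was omitted.
    root, stack = {}, []                        # stack of (kind, dict)
    for raw in text.splitlines():
        toks = shlex.split(raw.split("<-")[0])  # drop inline annotations
        if not toks: continue
        cur = stack[-1][1] if stack else root
        if toks[0] in ("config", "edit"):
            stack.append((toks[0], cur.setdefault(" ".join(toks[1:]), {})))
        elif toks[0] == "set":
            cur[toks[1]] = " ".join(toks[2:])
        elif toks[0] == "next":
            stack.pop()
        elif toks[0] == "end":
            while stack.pop()[0] != "config": pass
    return root

def check_pair(cfg_a, cfg_b, ip_a, ip_b, name="AzureHA"):
    # Returns a list of findings; an empty list means the pair agrees.
    nodes, found = {"A": (cfg_a, ip_a), "B": (cfg_b, ip_b)}, []
    fip = lambda nic: nic.get("ip", {}).get("floating-ip", {}).get("private-ip")
    for label, (cfg, own_ip) in nodes.items():
        conn = cfg["system sdn-connector"][name]
        peer_cfg = nodes["B" if label == "A" else "A"][0]["system sdn-connector"][name]
        for rt, table in conn.get("route-table", {}).items():
            for r, route in table.get("route", {}).items():
                if route.get("next-hop") != own_ip:   # copied from the peer?
                    found.append(f"{label}: {rt}/{r} next-hop is not {own_ip}")
        for nic, n in conn.get("nic", {}).items():
            peer = peer_cfg.get("nic", {}).get(n.get("peer-nic", ""), {})
            if n.get("peer-nic") and fip(n) != fip(peer):
                found.append(f"{label}: {nic} floating-ip differs from its peer-nic")
    return found

FGT_A = "\n".join([  # constructed: FortiGate A, own trusted IP 10.0.2.69
    'config system sdn-connector', 'edit "AzureHA"', 'config nic',
    'edit "FGT-A-Nic2"', 'set peer-nic "FGT-B-Nic2"', 'config ip',
    'edit "floating-ip"', 'set private-ip "10.0.2.71"', 'next', 'end',
    'next', 'end', 'config route-table', 'edit "RouteTable-ProtectedSubnet"',
    'config route', 'edit "Default"', 'set next-hop "10.0.2.69"',
    'next', 'end', 'next', 'end', 'next', 'end'])
# FortiGate B: same text with NIC names swapped and next-hop set to 10.0.2.70.
FGT_B = (FGT_A.replace("FGT-A-Nic2", "@").replace("FGT-B-Nic2", "FGT-A-Nic2")
         .replace("@", "FGT-B-Nic2").replace("10.0.2.69", "10.0.2.70"))
```

Running `check_pair(parse_fortios(FGT_A), parse_fortios(FGT_B), "10.0.2.69", "10.0.2.70")` returns an empty list for the matching pair; a FortiGate B config pasted from A without changing the next-hop is reported as a stale route.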

Related documents:

Configuring an SDN connector using a managed identity | FortiGate Public Cloud 7.4.0 | Fortinet Docu...

Azure SDN connector service principal configuration requirements | FortiGate Public Cloud 7.4.0 | Fo...

Azure SDN connector using service principal | FortiGate / FortiOS 7.4.3 | Fortinet Document Library

Azure SDN connector moves private IP address on trusted NIC during A-P HA failover 7.4.5 | FortiGate...

HA for FortiGate-VM on Azure | FortiGate Public Cloud 7.2.0 | Fortinet Document Library

Technical Tip: VIP Configuration on the FortiGate VM Active-Passive HA Cluster

Troubleshooting Tip: Verifying the Transfer of Public IP and Route Table Entry to the New Primary in...