Description
This article describes how to configure the SDN Connector on an Azure FortiGate-VM Active-Passive HA cluster so that, when a failover occurs, the public IP addresses and the route-table (UDR) next hops follow the new primary unit.
Scope
FortiGate-VM in Azure.
Solution
Before configuring the SDN Connector, make sure both FortiGates have write access to the necessary Azure resources. Review the following Admin Guide for details: Access control | FortiGate Public Cloud 7.4.0 | Fortinet Document Library.
Now, configure the SDN-Connector on the FortiGates:
On FortiGate A:
config system sdn-connector
    edit "AzureHA"
        set status enable
        set type azure
        set use-metadata-iam enable
        set ha-status enable
        set azure-region global
        config nic
            edit "FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "PublicIP1"
                        set resource-group ''
                    next
                    edit "ipconfig2"   <- This entry is only needed if more public IPs are in use.
                        set public-ip "PublicIP2"
                        set resource-group ''
                    next
                end
            next
        end
        config route-table
            edit "RouteTable-ProtectedSubnet"
                config route
                    edit "Default"
                        set next-hop "10.0.2.69"
                    next
                end
            next
            edit "RouteTable2"   <- Only needed if more route tables are in use.
                set subscription-id "Sub2"   <- If RouteTable2 is in another subscription.
                set resource-group "RG2"   <- If RouteTable2 is in another resource group.
                config route
                    edit "Default"
                        set next-hop "10.0.2.69"
                    next
                end
            next
        end
    next
end
On FortiGate B:
Use the same configuration as on FortiGate A, with the following changes:
config nic
    edit "FGT-B-Nic1"
config route
    edit "Default"
        set next-hop "10.0.2.70"
Update: A new feature in Azure SDN Connector on FortiOS v7.4.5 allows for a more efficient failover process. It enables the connector to move the private IP address from the primary to the secondary trusted NIC during a failover event. This eliminates the need to update numerous User Defined Routes (UDRs) as all UDRs can be configured to use the secondary floating IP address as the next hop. When a failover happens, the connector simply switches the secondary floating private IP address to the new primary VM. This streamlined approach is particularly beneficial in environments with a large number of UDRs.
A secondary private IP needs to be added to the FGT-A trusted interface (port2). Then the existing SDN Connector configuration can be updated as below:
On FortiGate A:
config system sdn-connector
    edit "AzureHA"
        config nic
            edit "FGT-A-Nic2"
                set peer-nic "FGT-B-Nic2"
                config ip
                    edit "floating-ip"
                        set private-ip "10.0.2.71"
                    next
                end
            next
        end
        ...
    next
end
On FortiGate B:
config system sdn-connector
    edit "AzureHA"
        config nic
            edit "FGT-B-Nic2"
                set peer-nic "FGT-A-Nic2"
                config ip
                    edit "floating-ip"
                        set private-ip "10.0.2.71"
                    next
                end
            next
        end
        ...
    next
end
Note: With this feature, the route-table section is no longer needed in the SDN Connector settings and can be removed.
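As an added consistency check (example code, not part of this article or of FortiOS), the following Python script parses the sdn-connector block of both HA members and verifies the pairing rules described above: ha-status enabled on both units, each nic's peer-nic pointing at a nic on the other unit that points back, and the same floating private IP on both. The FortiOS text parser and the two sample configurations are constructed for this example, reusing the NIC names and floating IP shown above.

```python
import re

def parse_fortios(cli):
    """Minimal parser for nested FortiOS config/edit/set/next/end text.
    Tables become dicts keyed by entry name; 'set' values become strings."""
    root = cur = {}
    stack = []
    for raw in cli.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', raw.strip())
        if not tok:
            continue
        kw, args = tok[0], [t.strip('"') for t in tok[1:]]
        if kw in ("config", "edit"):  # descend into a table or an entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):  # climb back out one level
            cur = stack.pop()
    return root

def check_ha_pair(cli_a, cli_b, connector="AzureHA"):
    """Return the list of problems found; an empty list means A and B agree."""
    a = parse_fortios(cli_a)["system sdn-connector"][connector]
    b = parse_fortios(cli_b)["system sdn-connector"][connector]
    problems = [f"unit {s}: ha-status is not enabled"
                for s, c in (("A", a), ("B", b)) if c.get("ha-status") != "enable"]
    nics_b = b.get("nic", {})
    for name, nic in a.get("nic", {}).items():
        peer = nic.get("peer-nic")
        if peer not in nics_b:
            problems.append(f"{name}: peer-nic {peer!r} is not defined on unit B")
            continue
        if nics_b[peer].get("peer-nic") != name:
            problems.append(f"{name}: unit B nic {peer} does not point back to it")
        ip_a = nic.get("ip", {}).get("floating-ip", {}).get("private-ip")
        ip_b = nics_b[peer].get("ip", {}).get("floating-ip", {}).get("private-ip")
        if ip_a != ip_b:
            problems.append(f"{name}: floating private-ip differs ({ip_a} vs {ip_b})")
    return problems

# Constructed sample configs using the NIC names and floating IP from the article.
FGT_A = "\n".join(['config system sdn-connector', 'edit "AzureHA"', 'set ha-status enable',
    'config nic', 'edit "FGT-A-Nic2"', 'set peer-nic "FGT-B-Nic2"', 'config ip',
    'edit "floating-ip"', 'set private-ip "10.0.2.71"', 'next', 'end', 'next', 'end', 'next', 'end'])
# Unit B mirrors A: its own nic name and its peer-nic reference are swapped.
FGT_B = FGT_A.replace('"FGT-A-Nic2"', '"FGT-B-Nic2"').replace('peer-nic "FGT-B-Nic2"', 'peer-nic "FGT-A-Nic2"')
```

Run `check_ha_pair` on the two units' exported configuration text before a failover test; any returned string names the setting that would keep the floating IP from moving.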
Copyright 2024 Fortinet, Inc. All Rights Reserved.