lpizziniaco
Staff
Article Id 408120
Description: This article describes how to configure and use the FortiGate SDN Connector in Microsoft Azure for multi-tenant environments.
Scope: FortiGate.
Solution:

Managing dynamic resources across multiple tenants in Azure and ensuring failover introduces complexity. The SDN Connector addresses this by integrating FortiGate with Azure APIs, automating resource management, and maintaining service continuity during failovers.


In Azure, FortiGate is deployed in an Active/Passive HA topology, and on failover the SDN Connector must also update the external dependencies: public IP addresses, routing tables, and load balancer backend pools.

The SDN Connector automates this process:

  • Reassigns public IP addresses from the failed instance to the new active unit.

  • Updates User Defined Routes (UDRs) to direct traffic to the correct instance.


Without this automation, the HA state changes within FortiGate, but the Azure resources keep directing traffic to the now-passive node. For the base configuration, refer to this article: Technical Tip: Configuring Azure Cluster Failover with FortiGate: a comprehensive walkthrough.


Multi-Tenant Deployments Without Managed Identity

When a Managed Identity is not an option, multiple Azure tenants can be integrated by configuring each tenant to allow communication between the FortiGate SDN Connector and the Azure infrastructure. This setup enables Dynamic Object resolution and, optionally, modification of routing tables and other elements (for the permissions this requires, refer to the article: Technical Tip: Azure Role Requirements for FortiGate-VM).

For each tenant, it is now possible to create a connector using a configuration like the following:


config system sdn-connector
    edit "azure-sp-connector-t"
        set type azure
        set tenant-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        set client-id "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
        set client-secret ENC <encrypted-secret>
        set subscription-id "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
        set resource-group "tttt"
    next
end


If the SDN Connector is also used for failover, the option set ha-status enable must be configured on that connector. During a failover event, if the sections config nic and/or config route-table are defined, the corresponding Azure API requests are executed against each tenant so that the required changes are applied to the deployment. If ha-status is not enabled, the SDN Connector is used exclusively for resolving the dynamic objects stored in that tenant.
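The following is an added example (not part of the Fortinet article and not Fortinet code) that checks a multi-tenant connector configuration, such as the one shown above, before it is pushed: it parses the FortiOS config/edit/set/next/end structure and flags each Azure connector that is missing a credential field, that has ha-status enabled but no config nic / config route-table section (so a failover would not change anything in that tenant), that defines those sections without ha-status, or whose client-secret is stored in plaintext. The embedded two-tenant configuration is constructed for the example; connector names, GUIDs, NIC and route-table names, and the next-hop address are placeholders, and the nic/route-table layout is modeled on the FortiOS CLI.

```python
"""Lint a FortiOS 'config system sdn-connector' block for Azure multi-tenant use (added example)."""
import shlex

# Constructed sample: tenant 1 handles failover, tenant 2 is configured incorrectly.
SAMPLE_CONFIG = """\
config system sdn-connector
    edit "azure-sp-connector-t1"
        set type azure
        set ha-status enable
        set tenant-id "11111111-1111-1111-1111-111111111111"
        set client-id "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        set client-secret ENC <encrypted-secret>
        set subscription-id "22222222-2222-2222-2222-222222222222"
        set resource-group "rg-tenant1"
        config nic
            edit "fgt-a-port1-nic"
                config ip
                    edit "ipconfig1"
                        set public-ip "fgt-public-ip"
                    next
                end
            next
        end
        config route-table
            edit "rt-protected"
                config route
                    edit "default"
                        set next-hop "10.0.1.4"
                    next
                end
            next
        end
    next
    edit "azure-sp-connector-t2"
        set type azure
        set ha-status enable
        set tenant-id "33333333-3333-3333-3333-333333333333"
        set client-id "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
        set client-secret plaintext-secret-pasted-by-mistake
        set subscription-id "44444444-4444-4444-4444-444444444444"
    next
end
"""

REQUIRED_KEYS = ("tenant-id", "client-id", "client-secret", "subscription-id", "resource-group")


def parse_fortios(text):
    """Parse nested FortiOS CLI text into dicts.

    'config X' and 'edit X' open a nested dict keyed by X, 'set K V' stores a
    string, 'next' and 'end' close the current level.  shlex strips the quotes.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(child)
        elif keyword == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def lint_connectors(text):
    """Return {connector_name: [findings]} for every connector of type azure."""
    connectors = parse_fortios(text).get("system sdn-connector", {})
    report = {}
    for name, conn in connectors.items():
        if conn.get("type") != "azure":
            continue
        findings = [f"missing {key}" for key in REQUIRED_KEYS if key not in conn]
        has_failover_sections = bool(conn.get("nic")) or bool(conn.get("route-table"))
        ha_enabled = conn.get("ha-status") == "enable"
        if ha_enabled and not has_failover_sections:
            findings.append("ha-status enabled but no nic/route-table section: failover changes nothing in Azure")
        if has_failover_sections and not ha_enabled:
            findings.append("nic/route-table defined but ha-status not enabled: sections are never applied")
        if "client-secret" in conn and not conn["client-secret"].startswith("ENC "):
            findings.append("client-secret is plaintext: store only the ENC form in config backups")
        report[name] = findings
    return report


if __name__ == "__main__":
    for connector, findings in lint_connectors(SAMPLE_CONFIG).items():
        print(connector, "->", findings or "OK")
```

Run it against a `show system sdn-connector` export and review every connector that is not reported as OK; a connector with ha-status enabled and no nic or route-table section is the case most often missed in multi-tenant setups, because the HA failover itself succeeds while that tenant silently keeps its old routes and public IPs.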