FortiGate
GeorgeZhong
Staff
Article Id 335129
Description

This article describes the functionality of the Floating IP option in the Azure Load Balancer and how to use it in an Azure FortiGate HA ILB/ELB setup.

Scope

Azure FortiGate HA ILB/ELB setup.

Solution

In an Azure FortiGate ILB/ELB HA setup, an External and an Internal Load Balancer are configured. Each acts as a virtual IP address exposed to the Internet or to the internal network respectively, and distributes incoming traffic across the back-end pool members according to the load balancing rule defined for each type of traffic.

Floating IP is an important option in the load balancing rule for each type of traffic.

[Screenshot: the Floating IP option in an Azure load balancing rule]

Floating IP disabled: when traffic hits the load balancer external IP and matches this rule, the destination IP is rewritten to the IP of the backend pool member that receives it.

For example, if this option is disabled on the load balancing rule for HTTPS traffic, a connection to the front-end IP of the load balancer on port 443 arrives at the FortiGate with the FortiGate port1 interface IP, which is a backend pool member, as the destination IP of the port 443 traffic. The packet sniffer output on the FortiGate shown below confirms this:

[Screenshot: FortiGate packet sniffer output, destination IP = port1 interface IP]

Floating IP enabled: when traffic hits the load balancer external IP, the destination IP remains unchanged, i.e. the backend VM receives the packet still addressed to the load balancer frontend IP, so the VM itself must be configured to accept traffic for that IP rather than only for its own interface IP.

For example, when Floating IP is enabled on the load balancing rule for HTTPS traffic, the destination IP of the HTTPS traffic received by the FortiGate remains the load balancer frontend IP.

[Screenshot: FortiGate packet sniffer output, destination IP = load balancer frontend IP]

In an Azure FortiGate ILB/ELB HA setup, Floating IP should be disabled in the load balancing rules of the External Load Balancer.

Traffic coming from the Internet to an internal VM in the protected network first hits the frontend of the External Load Balancer, which distributes it to the active FortiGate according to the load balancing rule. The FortiGate then forwards the traffic to the VM in the protected network.

The traffic diagram is as follows:

[Diagram: inbound traffic from the Internet through the External Load Balancer and the active FortiGate to the VM in the protected network]

In this case, the traffic must be addressed to the port1 interface IP of the FortiGate, so the Azure Load Balancer has to translate the destination IP from the frontend IP to the port1 interface IP.
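The two behaviours described above (destination rewritten to the backend pool member when Floating IP is disabled, destination left as the frontend IP when it is enabled), as an added example that is not part of the original article or of Fortinet's templates. The rule, the addresses (TEST-NET ranges on the public side, a constructed port1 IP on the inside) and the sniffer lines are constructed sample values. `lb_forward` models how the Azure Load Balancer treats the destination IP under each setting, `backend_accepts` models whether the FortiGate owns the address it was handed, and `infer_floating_ip` reads lines in the layout of FortiGate `diagnose sniffer packet` output to tell which setting the captured traffic is consistent with, which is the check the screenshots above make by eye:

```python
"""Model of what the Floating IP option does to the destination IP of traffic
that an Azure Load Balancer hands to a FortiGate backend, plus a helper that
infers the effective setting from FortiGate sniffer output.

Added illustration for this article; it is not Fortinet or Microsoft code.
The rule, all addresses and the sniffer lines are constructed sample values
(the lines imitate the layout of 'diagnose sniffer packet' output)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LbRule:
    frontend_ip: str        # load balancer frontend (public or internal) IP
    port: int               # frontend and backend port, e.g. 443 for HTTPS
    backend_ips: tuple      # backend pool members (FortiGate port1 IPs)
    floating_ip: bool       # the option this article is about


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def lb_forward(rule: LbRule, pkt: Packet, active: int = 0) -> Packet:
    """Return the packet as the selected backend pool member receives it.

    Floating IP disabled: the destination is rewritten to the member's IP.
    Floating IP enabled:  the destination stays the frontend IP, so the member
    must itself own that address (on the FortiGate: a port1 secondary IP or a
    VIP external IP), otherwise it is handed traffic for an IP it cannot accept."""
    if pkt.dst != rule.frontend_ip or pkt.dport != rule.port:
        raise ValueError("packet does not match this load balancing rule")
    if rule.floating_ip:
        return pkt                                       # destination unchanged
    return Packet(pkt.src, rule.backend_ips[active], pkt.dport)


def backend_accepts(pkt: Packet, port1_ip: str, owned_extra_ips=()) -> bool:
    """True if the FortiGate owns the destination IP it was handed: its port1
    IP, or an address configured as a port1 secondary IP / VIP external IP."""
    return pkt.dst == port1_ip or pkt.dst in set(owned_extra_ips)


# Layout of a FortiGate sniffer line as constructed here:
#   <time> <interface> in|out <src>.<sport> -> <dst>.<dport>: <flags>
SNIFFER_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)")


def infer_floating_ip(sniffer_lines, frontend_ip: str, port1_ip: str, port: int):
    """Report which setting the captured traffic to `port` is consistent with:
    True (destination always the frontend IP), False (always the port1 IP) or
    None (no matching traffic, or a mix, which needs a closer look)."""
    seen = set()
    for line in sniffer_lines:
        m = SNIFFER_RE.search(line)
        if m and int(m.group("dport")) == port:
            seen.add(m.group("dst"))
    if seen == {frontend_ip}:
        return True
    if seen == {port1_ip}:
        return False
    return None


# Constructed sample values (TEST-NET ranges on the public side).
FRONTEND_IP = "203.0.113.50"
PORT1_IP = "10.0.1.4"
CLIENT_IP = "198.51.100.7"
SAMPLE_SNIFFER_DISABLED = [     # constructed: rule with Floating IP disabled
    "2.611203 port1 in 198.51.100.7.51234 -> 10.0.1.4.443: syn 3062425636",
    "2.611270 port1 out 10.0.1.4.443 -> 198.51.100.7.51234: syn 1775043098 ack 3062425637",
    "2.612881 port1 in 198.51.100.7.51234 -> 10.0.1.4.443: ack 1775043099",
]
SAMPLE_SNIFFER_ENABLED = [      # constructed: rule with Floating IP enabled
    "5.104477 port1 in 198.51.100.7.51240 -> 203.0.113.50.443: syn 1449182930",
    "5.104530 port1 out 203.0.113.50.443 -> 198.51.100.7.51240: syn 2099171634 ack 1449182931",
]

if __name__ == "__main__":
    https_in = Packet(CLIENT_IP, FRONTEND_IP, 443)
    for flag in (False, True):
        rule = LbRule(FRONTEND_IP, 443, (PORT1_IP, "10.0.1.5"), flag)
        received = lb_forward(rule, https_in)
        print(f"floating_ip={flag}: FortiGate receives dst {received.dst}, "
              f"accepted with only the port1 IP: {backend_accepts(received, PORT1_IP)}")
    for name, lines in (("disabled", SAMPLE_SNIFFER_DISABLED),
                        ("enabled", SAMPLE_SNIFFER_ENABLED)):
        print(f"sniffer sample ({name}) -> inferred Floating IP:",
              infer_floating_ip(lines, FRONTEND_IP, PORT1_IP, 443))
```

Run stand-alone it prints both cases: with the option disabled the FortiGate receives traffic for its port1 IP and accepts it; with the option enabled it receives traffic for the frontend IP, which it only accepts once that address is configured on it as a secondary IP or VIP external IP. Fed the output of a real sniffer session instead of the constructed lines, `infer_floating_ip` gives the same answer the screenshots on this page show visually.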

There are scenarios where Floating IP should be enabled on the External Load Balancer instead: when the FortiGate has the public IP (the same address as the frontend IP) configured as a secondary IP on port1, or as the external IP of a VIP. In that case the destination IP of the traffic must remain unchanged.

Conversely, Floating IP should be enabled in the load balancing rule of the Internal Load Balancer.

As shown in the diagram below, traffic originating from a client VM in the protected network is sent to the frontend IP of the Internal Load Balancer, which forwards it to the active FortiGate. The FortiGate then forwards the traffic to the Internet.

[Diagram: outbound traffic from the client VM through the Internal Load Balancer and the active FortiGate to the Internet]

Since the destination IP of the traffic originating from the client VM is a public IP on the Internet, that IP must remain unchanged when passing through the Internal Load Balancer rule. That is why Floating IP should be enabled.
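A design-review check that encodes the guidance above for both load balancers (External: Floating IP disabled, unless the FortiGate owns the frontend IP as a port1 secondary IP or VIP external IP, in which case it must be enabled; Internal: Floating IP enabled), together with the `az network lb rule create` command that sets the option for each rule. This is an added example, not Fortinet's template or Microsoft code; the resource names, addresses and rule list are constructed, and the Internal Load Balancer rule is assumed to be an HA-ports rule (protocol All, port 0), which the article itself does not specify:

```python
"""Review an Azure FortiGate ELB/ILB HA design against the Floating IP guidance
in this article and render the matching 'az network lb rule create' commands.

Added illustration for this article, not Fortinet template or Microsoft code.
Resource names, addresses and the rule list are constructed samples; the
internal load balancer rule is assumed to be an HA-ports rule (All / port 0)."""
from dataclasses import dataclass, field


@dataclass
class LbRuleSpec:
    lb_name: str
    lb_kind: str            # "external" or "internal"
    name: str
    protocol: str           # Tcp, Udp or All
    port: int               # frontend and backend port; 0 with All = HA ports
    frontend_ip: str
    floating_ip: bool


@dataclass
class FortiGateIps:
    port1_ip: str
    port1_secondary_ips: set = field(default_factory=set)
    vip_external_ips: set = field(default_factory=set)

    def owns(self, ip: str) -> bool:
        """True if the FortiGate accepts traffic addressed to `ip`."""
        return (ip == self.port1_ip or ip in self.port1_secondary_ips
                or ip in self.vip_external_ips)


def check_rule(rule: LbRuleSpec, fgt: FortiGateIps) -> list:
    """Findings for one rule; an empty list means it follows the guidance."""
    where = f"{rule.lb_name}/{rule.name}"
    findings = []
    if rule.lb_kind == "external":
        fgt_owns_frontend = fgt.owns(rule.frontend_ip)
        # Inbound: the destination must become the port1 IP, so Floating IP
        # off, unless the FortiGate itself owns the frontend IP (secondary IP
        # or VIP external IP), in which case the destination must stay as is.
        if rule.floating_ip and not fgt_owns_frontend:
            findings.append(
                f"{where}: Floating IP enabled but the FortiGate does not own "
                f"frontend {rule.frontend_ip}; disable Floating IP or add that "
                f"address as a port1 secondary IP or VIP external IP")
        elif (not rule.floating_ip and fgt_owns_frontend
              and rule.frontend_ip != fgt.port1_ip):
            findings.append(
                f"{where}: Floating IP disabled although the FortiGate owns "
                f"frontend {rule.frontend_ip}; the destination would be "
                f"rewritten to the port1 IP and that configuration never matches")
    elif rule.lb_kind == "internal":
        # Outbound: the Internet destination must survive the hop, so on.
        if not rule.floating_ip:
            findings.append(
                f"{where}: Floating IP disabled; outbound destinations would be "
                f"rewritten to the FortiGate port1 IP; enable Floating IP")
    else:
        findings.append(f"{where}: unknown load balancer kind {rule.lb_kind!r}")
    return findings


def check_design(rules, fgt: FortiGateIps) -> list:
    """Findings for a whole ELB/ILB design."""
    return [f for rule in rules for f in check_rule(rule, fgt)]


def az_rule_command(rule: LbRuleSpec, resource_group: str, frontend_name: str,
                    pool_name: str, probe_name: str) -> str:
    """Render the az CLI call that creates the rule with this Floating IP
    setting (all flags are documented 'az network lb rule create' options)."""
    return (f"az network lb rule create --resource-group {resource_group} "
            f"--lb-name {rule.lb_name} --name {rule.name} "
            f"--protocol {rule.protocol} --frontend-port {rule.port} "
            f"--backend-port {rule.port} --frontend-ip-name {frontend_name} "
            f"--backend-pool-name {pool_name} --probe-name {probe_name} "
            f"--floating-ip {'true' if rule.floating_ip else 'false'}")


# Constructed sample design: FortiGate port1 IP, ELB HTTPS rule, ILB HA-ports rule.
FGT = FortiGateIps(port1_ip="10.0.1.4")
RECOMMENDED = [
    LbRuleSpec("elb-fgt", "external", "https-443", "Tcp", 443, "203.0.113.50", False),
    LbRuleSpec("ilb-fgt", "internal", "ha-ports", "All", 0, "10.0.2.10", True),
]
# The same design with both Floating IP settings inverted.
INVERTED = [
    LbRuleSpec("elb-fgt", "external", "https-443", "Tcp", 443, "203.0.113.50", True),
    LbRuleSpec("ilb-fgt", "internal", "ha-ports", "All", 0, "10.0.2.10", False),
]

if __name__ == "__main__":
    for label, design in (("recommended", RECOMMENDED), ("inverted", INVERTED)):
        print(f"{label}: {check_design(design, FGT) or ['no findings']}")
    for rule in RECOMMENDED:
        print(az_rule_command(rule, "rg-fgt", f"fe-{rule.lb_name}", "pool-fgt",
                              f"probe-{rule.lb_name}"))
```

The recommended design produces no findings and the inverted one produces one finding per load balancer; adding the ELB frontend IP to `vip_external_ips` flips the verdict on the external rule, which is exactly the exception the article describes for a FortiGate that carries the public IP as a secondary IP or VIP external IP.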
Related articles:

https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-in...

https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ou...