sumjsan
New Contributor

Azure FortiGate - Configure North Europe External Load Balancer with UK-based Public IP

Hi,

We have a FortiGate Active/Passive HA deployment in Azure, deployed across availability zones in the North Europe region.

Currently, the following Azure VMs utilize public IP addresses based in the Ireland (North Europe) region for integration with a third-party vendor:

- TEMPAZYHSCRPSC01
- TEMPAZYHSCRSB01
- TEMPAZYHSCRSQL01
- TEMPAZYHSCRSQL02
- TEMPAZYHSCRWEB01 *(this VM has its own separate public IP)*

We have a vendor that has implemented geographical restrictions on their network, requiring public IP addresses originating from England (UK South).

They have requested that we change the public IP addresses used by these VMs accordingly.


Any changes to public IP addresses must include corresponding updates to all associated NAT and firewall rules within the FortiGate.


## Technical Limitation

> Azure currently restricts associating a public IP address from a different region (UK South) directly to an external load balancer deployed in the North Europe region.
> This prevents us from simply updating the frontend IP configuration of the existing external load balancer to a UK South public IP address.


## Current Traffic Flow

```
Azure VM (e.g., TEMPAZYHSCRPSC01)
→ FortiGate Internal Load Balancer (port2)
→ FortiGate firewall policy processing (including SNAT/DNAT rules)
→ FortiGate WAN interface
→ External Load Balancer Public IP (North Europe region)
```


## Questions for Fortinet

1. What is Fortinet's recommended solution to meet this requirement given Azure’s geographical limitations?
2. Would the recommended solution be creating a separate external load balancer with a public IP in the UK South region?
3. How can we safely test this configuration with minimal downtime or risk to production services?
4. What specific FortiGate configuration considerations or changes would be necessary to ensure only these specified VMs route traffic through the UK-based public IP?

Cheers!

2 REPLIES
Stephen_G
Moderator

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
sumjsan

Thanks Stephen, looking forward to a response soon.
