Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer

Transcript

1. Active/Passive HA FortiGate Pair with External and Internal Azure Load

   Balancer Phil Huang <[email protected]> Sr. Cloud Solution Architect | CNCF Ambassador 2024/10/27 Fortinet on Azure

2. Fortinet/azure-templates

3. Base: Fortinet / azure-templates https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB

4. Differences This templates mainly have internet capability, but I don't

   need internet connection here, so I added Private load balancer by myself.

5. Azure

6. Route Table View

7. Effective Routes: vm-blue

8. Effective Routes: vm-yellow Additional UDRs need to be written to

   override the Vnet Peering routes ILB

9. Effective Routes: vm-red

10. Effective Routes: vm-green Same as vm-red

11. External/Internal Load Balancer: Health Probes The Health Probes will need

    to work with FGT’s internal setting “config system probe-respone” https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ha.md

12. External/Internal Load Balancer: Health Probe Status If the FGT are

    configured in Active-Passive mode, it is expected that the 2nd firewall WILL NOT respond to Load Balancer

13. External/Internal Load Balancer: Rules External Private LB Internal Private LB

    External Private LB (172.16.0.10) Internal Private LB (172.16.0.68) Traffic transiting via FGT VMs https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#when-to-enable-the-floating-ip-in-the-azure-load-balancing-rule Traffic transiting via FGT VMs If you will need to use Ipsec Tunnels, you will need to disable Floating IP

14. FortiGate

15. Interface View (FGT A) External Interface Internal Interface HA Sync

    Interface Mgmt Interface

16. Enable Specific probe config on TCP/8008 https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VM-probe-on-Azure-or-AWS-load-balancer/ta-p/250184

17. Static Route: Static Route to Azure DNS https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address 168.63.129.16/32 Interface

    GW IP Interface Name You MUST ALLOW 168.63.129.16/32 in any Azure NSG and FortiGate Firewall Policy

18. Static Route: Route via External Interface External CIDRs External Interface

    GW IP External Interface Name

19. Static Route: Route via Internal Interface Internal CIDRs Internal Interface

    GW IP Internal Interface Name

20. Firewall Policy Should be disable NAT Since there is a

    need for East-West (Spoke to Spoke) Vnet traffic, this needs to be set specifically, otherwise the default will be denied !!! Please config the FGT Firewall Policy according to the actual situation

21. Scenario 1: FGT HA Failover Test

22. Scenario 1: FGT HA Failover Test Before

23. Scenario 1: FGT HA Failover After

24. Scenario 1: FGT HA Result (failover)

25. Scenario 1: FGT HA Result (failback)

26. Scenario 2: Network Reachable

27. Scenario 2: Network Reachability Test (Blue)

28. Scenario 2: Network Reachability Test (Blue)

29. Scenario 2: Network Reachability Test (Green / Red)

30. Scenario 2: Network Reachability Test (Green / Red)

31. Scenario 2: Network Reachability Test (Yellow)

32. Scenario 2: Network Reachability Test (Yellow)

33. Scenario 3: Latency

34. Scenario 3: Latency Since all my testing VM are b1ms

    models and do not support accelerated network capability, I do not perform this test

35. Thank you