Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer Phil Huang Sr. Cloud Solution Architect | CNCF Ambassador 2024/10/27 Fortinet on Azure

Fortinet/azure-templates

Base: Fortinet / azure-templates https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB

Differences This templates mainly have internet capability, but I don't need internet connection here, so I added Private load balancer by myself.

Azure

Route Table View

Effective Routes: vm-blue

Effective Routes: vm-yellow Additional UDRs need to be written to override the Vnet Peering routes ILB

Effective Routes: vm-red

Effective Routes: vm-green Same as vm-red

External/Internal Load Balancer: Health Probes The Health Probes will need to work with FGT’s internal setting “config system probe-respone” https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ha.md

External/Internal Load Balancer: Health Probe Status If the FGT are configured in Active-Passive mode, it is expected that the 2nd firewall WILL NOT respond to Load Balancer

External/Internal Load Balancer: Rules External Private LB Internal Private LB External Private LB (172.16.0.10) Internal Private LB (172.16.0.68) Traffic transiting via FGT VMs https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#when-to-enable-the-floating-ip-in-the-azure-load-balancing-rule Traffic transiting via FGT VMs If you will need to use Ipsec Tunnels, you will need to disable Floating IP

FortiGate

Interface View (FGT A) External Interface Internal Interface HA Sync Interface Mgmt Interface

Enable Specific probe config on TCP/8008 https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VM-probe-on-Azure-or-AWS-load-balancer/ta-p/250184

Static Route: Static Route to Azure DNS https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address 168.63.129.16/32 Interface GW IP Interface Name You MUST ALLOW 168.63.129.16/32 in any Azure NSG and FortiGate Firewall Policy

Static Route: Route via External Interface External CIDRs External Interface GW IP External Interface Name

Static Route: Route via Internal Interface Internal CIDRs Internal Interface GW IP Internal Interface Name

Firewall Policy Should be disable NAT Since there is a need for East-West (Spoke to Spoke) Vnet traffic, this needs to be set specifically, otherwise the default will be denied !!! Please config the FGT Firewall Policy according to the actual situation

Scenario 1: FGT HA Failover Test

Scenario 1: FGT HA Failover Test Before

Scenario 1: FGT HA Failover After

Scenario 1: FGT HA Result (failover)

Scenario 1: FGT HA Result (failback)

Scenario 2: Network Reachable

Scenario 2: Network Reachability Test (Blue)

Scenario 2: Network Reachability Test (Blue)

Scenario 2: Network Reachability Test (Green / Red)

Scenario 2: Network Reachability Test (Green / Red)

Scenario 2: Network Reachability Test (Yellow)

Scenario 2: Network Reachability Test (Yellow)

Scenario 3: Latency

Scenario 3: Latency Since all my testing VM are b1ms models and do not support accelerated network capability, I do not perform this test

Thank you