Ok, so you have some VMs already running in Azure and are adding VMs day by day: you should consider adding an NGFW! Also, if you have ever run Azure Advisor you should already have been notified to add an NGFW.
In Azure you can choose from several firewall vendors.
Because I'm familiar with Fortinet firewalls I have created a FortiGate! The FortiGate NGFW is available as Pay-As-You-Go or Bring-Your-Own-License (BYOL).
- FortiGate-VM ‘virtual appliance’ designed for [Platform]. 2x vCPU cores and (up to) 4 GB RAM.
- SKU: FG-VM02(-Xen/HV/KVM/AWS/AZ)
- FortiGate-VM ‘virtual appliance’ designed for [Platform]. 4x vCPU cores and (up to) 6 GB RAM. No VDOM support.
- SKU: FG-VM04(-Xen/HV/KVM/AWS)
Note: it looks like there is a mistake in the Fortinet datasheet (check the link below), because this SKU suggests that there is no Azure support and no VDOM support!?
- FortiGate-VM ‘virtual appliance’ designed for [Platform]. 8x vCPU cores and (up to) 12 GB RAM.
- SKU: FG-VM08(-Xen/HV/KVM/AWS/AZ)
Check the Visio drawing of a ‘standard’ Fortigate (single VM) deployment within Azure.
Resources created by the deployment:
- 1x VM
- 1x Availability Set
- 1x Storage Account (No Managed disks!)
- 1x VNET
- 1x Address Space
- 2x Subnet (LAN and WAN)
- 2x Custom IP Routes
- 2x Network Interfaces (LAN and WAN)
- 1x Public IP Address
The deployment is quite simple:
- Create a VNET with two Subnets.
- Create a VM with two network interfaces and connect one network interface to the ‘LAN’ Subnet and one to the ‘WAN’ subnet.
- From there create a custom IP Route and assign it to the ‘LAN’ Subnet so traffic will be routed to the Fortigate LAN interface.
- Also create a custom IP Route on the ‘WAN’ subnet so traffic to the ‘Public IP’ will be routed to the Fortigate WAN interface.
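The four steps above as an Azure CLI script, added here as an example (it is not code from this post or from Fortinet's Marketplace template). The resource group, region, address space, subnet prefixes and the FortiGate NIC addresses are my assumptions; the FortiGate VM itself is still created through the Marketplace wizard, which attaches its two interfaces to these subnets.

```shell
#!/bin/sh
# Added example (not the post's or Fortinet's own code): rebuilds the post's
# VNET / two-subnet / two-route-table layout with the Azure CLI. Resource group,
# region, prefixes and the FortiGate NIC addresses are assumptions.
set -eu
RG="${RG:-fortigate-rg}"
LOCATION="${LOCATION:-westeurope}"
VNET="FortigateProtectedVNet"
WAN_SUBNET="PublicFacingSubnet";      WAN_PREFIX="10.0.0.0/24"
LAN_SUBNET="FortigateInternalSubnet"; LAN_PREFIX="10.0.1.0/24"

# First address Azure hands out in a subnet: .0-.3 and the last address are
# reserved by the platform, so the FortiGate NIC lands on .4 (assumes /24 or bigger).
first_usable_ip() {
  net="${1%/*}"
  printf '%s.%s\n' "${net%.*}" "$(( ${net##*.} + 4 ))"
}

create_network() {
  az group create --name "$RG" --location "$LOCATION" --output none
  az network vnet create --resource-group "$RG" --name "$VNET" --address-prefix 10.0.0.0/16 \
    --subnet-name "$WAN_SUBNET" --subnet-prefix "$WAN_PREFIX" --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$LAN_SUBNET" --address-prefix "$LAN_PREFIX" --output none
}

# LAN route table: default route via the FortiGate LAN NIC. WAN route table: the LAN
# prefix via the FortiGate WAN NIC, so replies cannot slip around the firewall.
create_routes() {
  lan_fw="$(first_usable_ip "$LAN_PREFIX")"
  wan_fw="$(first_usable_ip "$WAN_PREFIX")"
  for t in LAN-RouteTable WAN-RouteTable; do az network route-table create --resource-group "$RG" --name "$t" --output none; done
  az network route-table route create --resource-group "$RG" --route-table-name LAN-RouteTable \
    --name default-via-fortigate --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$lan_fw" --output none
  az network route-table route create --resource-group "$RG" --route-table-name WAN-RouteTable \
    --name lan-via-fortigate --address-prefix "$LAN_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$wan_fw" --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$LAN_SUBNET" --route-table LAN-RouteTable --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$WAN_SUBNET" --route-table WAN-RouteTable --output none
}

# Only deploy when explicitly asked, so the file can be sourced for its helpers.
if [ "${DEPLOY:-0}" = "1" ]; then
  create_network
  create_routes
fi
```

Run with `DEPLOY=1 sh deploy-fortigate-network.sh` after `az login`; afterwards the Marketplace wizard can reuse the existing VNET and subnets instead of creating new ones.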
Let's just create a Fortigate NGFW! Check the Azure Marketplace and search for ‘Fortigate’:
Fill in the details like Fortigate VM name, username, password etc.
For this example I have chosen to create a new VNET. I have left the pre-populated name unchanged (‘FortigateProtectedVNet’):
Note: keep in mind when choosing an Address Space that you need two Subnets (one for LAN and one for WAN).
On the Subnets tab, fill in the details.
Notice the two subnets! (where ‘PublicFacingSubnet’ = WAN and ‘FortigateInternalSubnet’ = LAN)
Select a VM size as you normally would for a VM. You could also choose a smaller one. Just for testing I selected a ‘Standard D2’ (2 cores, 7 GB).
Create a Storage Account which will store the OS disk and data disk.
Create a Public IP:
Assign a Domain name label to the Public IP. With this DNS name you can manage the Fortigate.
Note 1: Your Fortigate will be available via: HTTPS://<Your domain label>.<location>.cloudapp.azure.com
Note 2: If you have created a Fortigate HA cluster, the second node will be available via: HTTPS://<Your domain label>.<location>.cloudapp.azure.com:8443
Ok, done! Now let's check the Resource group and its resources:
As explained above you will find all the resources outlined in the visio drawing.
So you have yourself a Fortigate NGFW in Azure! Yeah! Now you will be able to log in to the Fortigate management interface, upload a license (BYOL) and manage the Fortigate as you normally would.
Azure Marketplace – Test-Drive
It is also possible to Test-Drive the Fortigate on Azure via the Marketplace. You can Test-Drive the Fortigate for 1 hour. This works great but you won’t be able to see the resources created and how things are connected to each other.