Add additional public IPs to FortiWeb-VM on Azure

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

By default, your FortiWeb-VM Azure instance has a single public IP address that clients use to reach FortiWeb and the servers it protects. You can use an Azure load balancer to specify multiple public IP addresses instead. This is useful when, for example, your server pool hosts several web services and clients access each service using a different IP address.

You use load balancer frontend objects to add public IP addresses to the load balancer. Azure NAT rules allow you to associate the IP addresses with a FortiWeb-VM instance by mapping frontend ports to FortiWeb-VM network interface ports.

When you add a load balancer, any public IP address that you specified when you created your FortiWeb-VM on Azure instance is not reachable. Clients contact FortiWeb using one or more IP addresses associated with the load balancer only.

In this example, the load balancer does not provide load balancing functionality.

1. Create a load balancer

For detailed information on creating a load balancer, see Azure documentation. For example:

Create a front end IP pool and a backend address pool

Because the load balancer in this example does not balance traffic, it does not use a front end IP pool or backend address pool.

2. Create additional public IP addresses

Azure allows you to create public IP addresses using the portal, PowerShell, or CLI.

For example, the following CLI command creates the public IP address NRPPublicIP with DNS name loadbalancernrp.eastus.cloudapp.azure.com:

azure network public-ip create -g <resource-group> -n NRPPublicIP -l <location> -d loadbalancernrp -a static -i 4

where:

  • <resource_group> is the Azure resource group where your load balancer and Forti-Web instances are located.
  • <location> is the Azure cloud service location of your load balancer and Forti-Web instances.

3. Add the additional public IP addresses to the load balancer  

You use load balancer frontend objects to add public IP addresses. You can use PowerShell or the CLI to add a public IP address to each frontend.

For example, the following CLI command adds a frontend and associates a public IP address with it:

azure network lb frontend-ip create -g <resource-group> -l <load-balancer-name> -n <frontend-name> -i <public-ip>

where:

  • <load-balancer-name> is the name of the load balancer you created earlier.
  • <frontend-name> is a name you choose for the new frontend.
  • <public-ip> is the IP address you created earlier.

4. Create a NAT rule that routes traffic for the public IP address to FortiWeb 

To route traffic to the FortiWeb, you create a NAT rule that maps an outside port on the load balancer frontend to an inside port on FortiWeb. FortiWeb listens on the inside port for traffic destined for the servers it protects.

You can specify the same port for both outside and inside. However, you can use an outside port only once for each frontend and an inside port only once for each FortiWeb.

For example, a rule translates port 443 on the frontend to port 443 on the FortiWeb network interface. An additional rule routes traffic from a different frontend to the same FortiWeb instance using the frontend port 443 again, but the mapped port on FortiWeb is 10443. (To avoid having to reconfigure the back-end servers, you can configure FortiWeb to use the original port to connect to the server pool.) 

To create the configuration, you first create the rule, then associate the rule with the FortiWeb network interface.

azure network lb inbound-nat-rule create -g <resource-group> -l <load-balancer-name> -p tcp -t <frontend-name> -f <outside-port> -b <inside-port> -n <rule-name>

where:

  • <outside-port> is the port on the frontend.
  • <inside-port> is the port on the FortiWeb network interface.
  • <rule-name> is the name you choose for the rule.

azure network nic inbound-nat-rule add -g <resource-group> -n FortiWebNic0 -r <rule-name> --lb-name <load-balancer-name>

where the name of the FortiWeb network interface is the default value (FortiWebNic0).

5. Configure FortiWeb-VM to use the load balancer  

 

Log in to the web UI for the FortiWeb-VM instance, and then go to Server Objects > Server > Virtual Server.

Select Use Interface IP and for Interface, select port1.

 
 

Create a server pool that contains the servers that the FortiWeb-VM routes traffic to.

 

Go to Server Objects > Service > Custom and create a service that uses the inside port you specified earlier.

Remember, a unique FortiWeb port is required for each frontend you configure on the load balancer. When you repeat these FortiWeb-VM configuration steps for an additional public IP, configure a new custom service with the unique port.

 
Create a server policy that uses the virtual server, server pool, and service that you configured earlier.  
Repeat the configuration for each public IP address you added to the load balancer. 

For further reading, see the FortiWeb-VM for Azure Install Guide and FortiWeb Adminstration Guide.

  • Was this helpful?
  • Yes   No