By default, your FortiWeb-VM Azure instance has a single public IP address that clients use to reach FortiWeb and the servers it protects. You can use an Azure load balancer to specify multiple public IP addresses instead. This is useful when, for example, your server pool hosts several web services and clients access each service using a different IP address.
You use load balancer frontend objects to add public IP addresses to the load balancer. Azure NAT rules allow you to associate the IP addresses with a FortiWeb-VM instance by mapping frontend ports to FortiWeb-VM network interface ports.
When you add a load balancer, any public IP address that you specified when you created your FortiWeb-VM on Azure instance is not reachable. Clients contact FortiWeb using one or more IP addresses associated with the load balancer only.
In this example, the load balancer does not provide load balancing functionality.
1. Create a load balancer

For detailed information on creating a load balancer, see the Azure documentation, for example: Create a front end IP pool and a backend address pool. Because the load balancer in this example does not balance traffic, it does not use a front end IP pool or backend address pool.
2. Create additional public IP addresses

Azure allows you to create public IP addresses using the portal, PowerShell, or CLI. For example, the following CLI command creates the public IP address
where:
3. Add the additional public IP addresses to the load balancer

You use load balancer frontend objects to add public IP addresses. You can use PowerShell or the CLI to add a public IP address to each frontend. For example, the following CLI command adds a frontend and associates a public IP address with it:
where:
4. Create a NAT rule that routes traffic for the public IP address to FortiWeb

To route traffic to the FortiWeb, you create a NAT rule that maps an outside port on the load balancer frontend to an inside port on FortiWeb. FortiWeb listens on the inside port for traffic destined for the servers it protects. You can specify the same port for both outside and inside. However, you can use an outside port only once for each frontend and an inside port only once for each FortiWeb. For example, a rule translates port 443 on the frontend to port 443 on the FortiWeb network interface. An additional rule routes traffic from a different frontend to the same FortiWeb instance using the frontend port 443 again, but the mapped port on FortiWeb is 10443. (To avoid having to reconfigure the back-end servers, you can configure FortiWeb to use the original port to connect to the server pool.) To create the configuration, you first create the rule, then associate the rule with the FortiWeb network interface.
where:
where the name of the FortiWeb network interface is the default value (
5. Configure FortiWeb-VM to use the load balancer

Log in to the web UI for the FortiWeb-VM instance, and then go to Server Objects > Server > Virtual Server. Select Use Interface IP and for Interface, select port1.

Create a server pool that contains the servers that the FortiWeb-VM routes traffic to.

Go to Server Objects > Service > Custom and create a service that uses the inside port you specified earlier. Remember, a unique FortiWeb port is required for each frontend you configure on the load balancer. When you repeat these FortiWeb-VM configuration steps for an additional public IP, configure a new custom service with the unique port.

Create a server policy that uses the virtual server, server pool, and service that you configured earlier.

Repeat the configuration for each public IP address you added to the load balancer.
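The port-uniqueness constraints in steps 4 and 5 are easy to get wrong once several public IPs share the same client-facing port. The following planner, an added example that is not part of the original cookbook post or any Fortinet or Azure tool, builds one NAT rule per frontend for a given outside port, assigns the distinct inside ports that each custom service will need, and validates an existing rule set against both constraints; the frontend and NIC names and the 10000-port offset are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NatRule:
    frontend: str       # load balancer frontend, one per public IP
    outside_port: int   # port clients connect to on that frontend
    nic: str            # FortiWeb-VM network interface the rule is attached to
    inside_port: int    # port FortiWeb listens on (the custom service port)


def validate_nat_rules(rules: List[NatRule]) -> List[str]:
    """Check the two constraints from step 4: an outside port may be used
    only once per frontend, and an inside port only once per FortiWeb
    network interface. Returns the list of conflicts (empty means valid)."""
    conflicts: List[str] = []
    outside_seen: Dict[Tuple[str, int], NatRule] = {}
    inside_seen: Dict[Tuple[str, int], NatRule] = {}
    for rule in rules:
        okey = (rule.frontend, rule.outside_port)
        if okey in outside_seen:
            conflicts.append(f"outside port {rule.outside_port} used twice on frontend {rule.frontend}")
        outside_seen[okey] = rule
        ikey = (rule.nic, rule.inside_port)
        if ikey in inside_seen:
            conflicts.append(f"inside port {rule.inside_port} used twice on {rule.nic}")
        inside_seen[ikey] = rule
    return conflicts


def plan_nat_rules(frontends: List[str], nic: str, outside_port: int) -> List[NatRule]:
    """One rule per frontend for a single client-facing port. The first
    frontend keeps the original port (443 -> 443); later frontends get a
    distinct inside port counted up from 10000 + outside_port (443 -> 10443),
    as in the step 4 example. The 10000 offset is an assumption of this
    example, not a FortiWeb or Azure requirement."""
    rules: List[NatRule] = []
    for i, fe in enumerate(frontends):
        inside = outside_port if i == 0 else 10000 + outside_port + (i - 1)
        rules.append(NatRule(fe, outside_port, nic, inside))
    return rules


def custom_service_ports(rules: List[NatRule]) -> Dict[str, List[int]]:
    """Inside ports per FortiWeb NIC: each one needs its own custom service
    (Server Objects > Service > Custom) and server policy in step 5."""
    ports: Dict[str, List[int]] = {}
    for rule in rules:
        ports.setdefault(rule.nic, []).append(rule.inside_port)
    return {nic: sorted(set(p)) for nic, p in ports.items()}
```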
For further reading, see the FortiWeb-VM for Azure Install Guide and the FortiWeb Administration Guide.
The post Add additional public IPs to FortiWeb-VM on Azure appeared first on Fortinet Cookbook.