How many public IP addresses can be attached to a FortiGate NVA deployed in Azure VWAN?

Akshay Karoo 46 Reputation points
2025-02-04T13:20:06.5266667+00:00

The team is deploying a FortiGate Firewall as a Network Virtual Appliance (NVA) in Azure VWAN architecture. The FortiGate firewall will serve as a centralized firewall to inspect traffic from other subscription VNets.

Additionally, there is a need to expose multiple services and applications to the internet using the FortiGate firewall, which requires multiple public IP addresses.

  1. What is the maximum number of public IP addresses that can be used for the FortiGate firewall, and what are the associated restrictions?
  2. Is it necessary to utilize both internal and external load balancers for DNAT or inbound internet traffic?

The following articles are being referenced, but they do not resolve these doubts:

  1. FortiGate Public Cloud - Azure VWAN SD-WAN NGFW Deployment Guide
  2. Adding additional public IP addresses

@GitaraniSharma-MSFT


1 answer

Ganesh Patapati 3,530 Reputation points Microsoft Vendor
2025-02-04T19:30:20.7866667+00:00

@Akshay Karoo

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

For the 1st question:

• For a FortiGate firewall deployed in Azure, you can assign multiple public IP addresses to the NIC of the FortiGate instance, but you should also consider the limits imposed by the FortiGate itself, as it may have its own restrictions on the number of IP addresses it can manage effectively. It depends on FortiGate's own capabilities and licensing.

Please reach out to https://support.fortinet.com/welcome/#/

For the 2nd question:

External Load Balancer: necessary for managing inbound internet traffic. To expose multiple services or applications to the internet through the FortiGate firewall, an external load balancer is required to handle the incoming traffic and distribute it to the FortiGate instance.

Azure internet edge inbound/DNAT use case

Refer: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-vwan-sd-wan-ngfw-deployment-guide/823683

The internet inbound use case will have an External Load Balancer (ELB) deployed as part of the managed application. Load balancing rules will be configured from the FortiGate CLI, and once configured, they will be automatically pushed with an API call to the ELB.

It is generally necessary to use an external load balancer for managing inbound internet traffic and DNAT, while an internal load balancer can be used for distributing traffic among internal resources if needed.

Hope this helps! Please let me know if you have any questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
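As an added example that is not part of the question, the answer or the Fortinet guide: the manual Azure CLI equivalent of publishing one more internet-facing service through the FortiGate's external Standard Load Balancer (a new static Standard public IP, a new ELB frontend on it, and a rule forwarding the service port to the FortiGate backend pool). The resource group, load balancer, backend pool and probe names are assumptions, and the matching VIP/DNAT policy must still be created on the FortiGate itself.

```shell
#!/usr/bin/env bash
# Added example (not from the Fortinet guide or the answer above): manual Azure CLI
# equivalent of publishing one more internet-facing service through the FortiGate's
# external Standard Load Balancer. Steps: (1) create a static Standard public IP,
# (2) attach it as an additional ELB frontend, (3) add a load-balancing rule that
# forwards the service port on that frontend to the FortiGate backend pool.
# The FortiGate still needs a matching VIP/DNAT firewall policy for the service.
# All resource names are assumptions for illustration; set them for your deployment.
set -eu

RG="${RG:-rg-vwan-fortigate}"        # resource group of the FortiGate deployment
LB="${LB:-fgt-external-lb}"          # external (public) Standard Load Balancer
POOL="${POOL:-fgt-backend-pool}"     # backend pool holding the FortiGate external NIC(s)
PROBE="${PROBE:-fgt-health-probe}"   # existing health probe for the FortiGate instances

# run: execute the az command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# publish_service NAME PORT [PROTOCOL]: creates pip-NAME, frontend fe-NAME and rule-NAME-PORT.
# Returns 1 (doing nothing) if PORT is not a number in 1..65535.
publish_service() {
  name="$1"; port="$2"; proto="${3:-Tcp}"
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  run az network public-ip create -g "$RG" -n "pip-$name" \
    --sku Standard --allocation-method Static
  run az network lb frontend-ip create -g "$RG" --lb-name "$LB" \
    -n "fe-$name" --public-ip-address "pip-$name"
  # Floating IP is left at its default (disabled): traffic reaches the FortiGate with its
  # NIC address as destination, so the VIP on the firewall is defined on that address.
  run az network lb rule create -g "$RG" --lb-name "$LB" -n "rule-$name-$port" \
    --protocol "$proto" --frontend-port "$port" --backend-port "$port" \
    --frontend-ip-name "fe-$name" --backend-pool-name "$POOL" --probe-name "$PROBE"
}

# frontend_count: number of frontends already on the ELB (check before adding more).
frontend_count() {
  az network lb show -g "$RG" -n "$LB" --query 'length(frontendIPConfigurations)' -o tsv
}

# Usage: DRY_RUN=1 sh publish.sh webapp 443   (drop DRY_RUN=1 to apply the change)
if [ "$#" -ge 2 ]; then publish_service "$@"; fi
```

Run it once with DRY_RUN=1 to review the three az commands, then without it to apply them; one public IP and one frontend are consumed per published service.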

