fortinet/fortigate-terraform-deploy

Public IP for Azure HA setup is not zone redundant

Closed this issue · 1 comment

agyss commented

```hcl
resource "azurerm_public_ip" "ClusterPublicIP" {
  name                = "ClusterPublicIP"
  location            = var.location
  resource_group_name = azurerm_resource_group.myterraformgroup.name
  allocation_method   = "Static"
  tags = {
    environment = "Terraform HA AP SDN FortiGates - 3 Ports"
  }
}
```

As specified by Microsoft here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip#zones
and in Forti docu here: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/953379/support-ha-between-azs-6-2-1

The public IP address must be explicitly configured to reside in multiple availability zones. As this is currently not configured, if Azure fails in the region of the primary system, the failover would take place but no public IP would be available.

To fix this, the config could be adapted to

```hcl
resource "azurerm_public_ip" "ClusterPublicIP" {
  name                = "ClusterPublicIP"
  location            = var.location
  resource_group_name = azurerm_resource_group.myterraformgroup.name
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = [var.zone1, var.zone2]

  tags = {
    environment = "Terraform HA AP SDN FortiGates - 3 Ports"
  }
}
```
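The misconfiguration reported above (a cluster public IP with no `zones` and a non-Standard SKU, so an HA failover into another zone leaves no reachable address) is easy to catch before `terraform apply`. The script below is an added example, not code from the fortigate-terraform-deploy repository: it audits the JSON produced by `terraform show -json tfplan` and flags every `azurerm_public_ip` whose `sku` is not `"Standard"` or that is pinned to fewer than two availability zones, walking child modules as well. The plan excerpt it runs on is constructed inline (the `ClusterPublicIP_zoned` and `module.mgmt` resources are invented for illustration); a missing `sku` is reported rather than assumed safe.

```python
import json
from typing import Dict, Iterator, List

# Constructed excerpt of `terraform show -json` output (not a real plan from the
# repository): one public IP as reported in the issue, one with the proposed fix,
# and one inside a child module that is pinned to a single zone.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_public_ip.ClusterPublicIP",
                    "type": "azurerm_public_ip",
                    "values": {"name": "ClusterPublicIP", "allocation_method": "Static",
                               "sku": "Basic", "zones": None},
                },
                {
                    "address": "azurerm_public_ip.ClusterPublicIP_zoned",
                    "type": "azurerm_public_ip",
                    "values": {"name": "ClusterPublicIP", "allocation_method": "Static",
                               "sku": "Standard", "zones": ["1", "2"]},
                },
            ],
            "child_modules": [
                {
                    "address": "module.mgmt",
                    "resources": [
                        {
                            "address": "module.mgmt.azurerm_public_ip.MgmtPublicIP",
                            "type": "azurerm_public_ip",
                            "values": {"name": "MgmtPublicIP", "allocation_method": "Static",
                                       "sku": "Standard", "zones": ["1"]},
                        }
                    ],
                }
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and, recursively, its child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_public_ip(resource: dict, min_zones: int = 2) -> List[str]:
    """Return the findings for one azurerm_public_ip; an empty list means it is zone redundant."""
    values = resource.get("values") or {}
    findings = []
    sku = values.get("sku")
    if sku != "Standard":
        # Zone placement is only supported on the Standard SKU; a missing sku is not assumed safe.
        findings.append(f"sku is {sku!r}; zones require the Standard SKU")
    zones = values.get("zones") or []
    if len(zones) < min_zones:
        findings.append(f"zones={zones!r}; at least {min_zones} availability zones are needed "
                        "for the address to survive a zone failure")
    return findings


def audit_plan(plan_json: str, min_zones: int = 2) -> Dict[str, List[str]]:
    """Map each azurerm_public_ip address in the plan to its list of findings."""
    plan = json.loads(plan_json)
    root = plan["planned_values"]["root_module"]
    return {
        resource["address"]: check_public_ip(resource, min_zones)
        for resource in iter_resources(root)
        if resource.get("type") == "azurerm_public_ip"
    }


def failing_addresses(results: Dict[str, List[str]]) -> List[str]:
    """Sorted addresses of public IPs that have at least one finding."""
    return sorted(address for address, findings in results.items() if findings)


if __name__ == "__main__":
    # Real usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    results = audit_plan(SAMPLE_PLAN)
    for address, findings in results.items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {address}")
        for finding in findings:
            print(f"     - {finding}")
```

Wiring this into CI as a gate on the plan output catches the regression regardless of which folder (single-zone or cross-zone) a template lives in, since it inspects resolved values rather than the `.tf` source.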

The cross-zone version is in a different location: azure/7.4/ha-port1-mgmt-crosszone.

Added the zones in that folder.

azure/7.4/ha-port1-mgmt-crosszone/network.tf