HA Firewall Appliances on Azure
Azure Security Architect, Fri, 06 Jun 2025 17:25:48 +0000
https://azuresecurityarchitect.com/azure-load-balancers/494/

🛡 Deploying Fortinet HA on Azure: Standard vs. Gateway Load Balancers Explained

Fortinet’s suite of security solutions — including FortiGate, FortiWeb, and FortiMail — is widely used to secure cloud environments. In Microsoft Azure, deploying Fortinet appliances in high availability (HA) mode requires careful planning, particularly in how traffic is distributed to these appliances.

One of the most critical architectural choices you’ll make is selecting the right Azure load balancer. Azure offers two primary options:

  • The Standard Load Balancer
  • The Azure Gateway Load Balancer

Both can support Fortinet HA deployments — but they serve distinct purposes. In this post, we’ll explain how each one works, when to use them, and provide practical examples for your Fortinet deployments on Azure.

🔄 Standard Load Balancer

The Standard Load Balancer is a general-purpose load balancer that operates at Layer 4 of the OSI model (transport layer). According to Microsoft’s documentation, this load balancer is designed to handle a wide range of workloads, including network virtual appliances (NVAs) like Fortinet appliances.

How It Works

  • Distributes incoming TCP/UDP traffic across a backend pool of virtual machines.
  • Supports both inbound and outbound scenarios.
  • Integrated with Azure HA configurations.
  • Works well with FortiWeb, FortiGate, FortiMail, and other Fortinet products.

When to Use It

Use the Standard Load Balancer when you need general HA and load balancing across Fortinet appliances such as:

  • FortiWeb for web application firewall (WAF) protection.
  • FortiMail for secure email gateway deployments.
  • FortiGate VMs that do not require service chaining.

Example Scenario

If you deploy two FortiWeb VMs to protect a public-facing website, you can use a Standard Load Balancer to distribute incoming traffic evenly across both VMs while maintaining session persistence and failover.

🔀 Azure Gateway Load Balancer

The Azure Gateway Load Balancer is a more specialized load balancer, designed specifically for use cases involving service chaining with NVAs like FortiGate.

How It Works

  • Operates transparently by inserting the FortiGate (or any NVA) into the traffic path.
  • Uses VXLAN encapsulation to pass traffic between Azure’s Gateway Load Balancer and the FortiGate VM.
  • Enables traffic inspection, modification, and advanced security without requiring application changes.
  • Simplifies management of FortiGate VM as a service point in your Azure network.
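
To make the VXLAN hand-off concrete, here is an added example (not from the original post, Microsoft or Fortinet) that decodes the VXLAN header defined in RFC 7348 from a UDP payload, as you might when checking a capture taken on the FortiGate's interface. The VNI values 800 and 801, the function names, and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import struct

# Assumed tunnel identifiers (VNIs) for illustration; use the values configured
# on your Gateway Load Balancer backend pool and the FortiGate VXLAN interfaces.
TUNNEL_VNIS = {800: "internal", 801: "external"}


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the 8-byte VXLAN header (RFC 7348) and the inner IPv4 addresses."""
    if len(udp_payload) < 8:
        raise ValueError("payload shorter than the VXLAN header")
    if not udp_payload[0] & 0x08:
        raise ValueError("VNI-valid flag (0x08) not set: not VXLAN")
    vni = int.from_bytes(udp_payload[4:7], "big")  # 24-bit network identifier
    info = {"vni": vni, "tunnel": TUNNEL_VNIS.get(vni, "unknown"),
            "src": None, "dst": None}
    inner = udp_payload[8:]  # encapsulated Ethernet frame
    # Untagged Ethernet (14 bytes) carrying IPv4 (EtherType 0x0800).
    if len(inner) >= 34 and inner[12:14] == b"\x08\x00":
        info["src"] = str(ipaddress.IPv4Address(inner[26:30]))
        info["dst"] = str(ipaddress.IPv4Address(inner[30:34]))
    return info


def build_sample_frame(vni: int, src: str, dst: str) -> bytes:
    """Build a constructed VXLAN payload (not captured traffic) for testing."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    ethernet = bytes(12) + b"\x08\x00"  # zeroed MACs, IPv4 EtherType
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return vxlan + ethernet + ipv4


if __name__ == "__main__":
    for vni in (801, 800, 4242):  # 4242 is deliberately not configured
        print(parse_vxlan(build_sample_frame(vni, "203.0.113.10", "10.0.1.4")))
```

A frame reported with tunnel "unknown" carries a VNI that is not in the configured mapping, which is the first thing to compare between the load balancer's tunnel interfaces and the appliance's VXLAN interfaces when inspected traffic does not return.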

When to Use It

Use Azure Gateway Load Balancer when you want to place FortiGate in the path of traffic flowing between:

  • On-premises and Azure.
  • Azure virtual networks.
  • Azure public endpoints and backend resources.

This is ideal for east-west and north-south traffic inspection scenarios.

Example Scenario

If you want to deploy a FortiGate VM as a firewall for traffic entering or leaving your Azure network, you should use the Azure Gateway Load Balancer. It allows you to seamlessly insert FortiGate into the service chain and inspect all traffic at scale.

Summary: When to Use Which?

Use Case | Load Balancer Type
General Fortinet HA deployments (FortiWeb, FortiMail) | Standard Load Balancer
FortiGate as a firewall in the traffic path (north-south / east-west traffic) | Azure Gateway Load Balancer
Simple active/active FortiGate load balancing | Standard Load Balancer
Service chaining FortiGate with transparent insertion | Azure Gateway Load Balancer

Architecture Diagram

[Images: load_balancer_azure; load_balancer_azure fortinet]

 

Final Thoughts

Both Standard Load Balancer and Azure Gateway Load Balancer play critical roles in designing scalable, secure Azure environments with Fortinet.

  • The Standard Load Balancer offers simplicity and broad flexibility across Fortinet products.
  • The Azure Gateway Load Balancer enables deep traffic inspection and seamless service chaining with FortiGate.

Choosing the right one depends on your architecture and security goals. For complex environments where FortiGate needs to be transparently inserted into the traffic path, the Gateway Load Balancer is your best friend. For traditional HA scenarios with multiple Fortinet VMs, the Standard Load Balancer will likely meet your needs.

 
