![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 74%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Hi Dimitrov, Todor,
What you're looking for is essentially symmetric NAT, where the same public IP is used for both inbound and outbound traffic for a given application/workload:
For an Active-Passive FortiGate HA deployment in Azure, the main challenge is that the public IPs attached to an Azure Standard Load Balancer frontend are owned and managed by the Load Balancer, not by the FortiGate itself. As a result, using those same frontend public IPs as FortiGate-controlled SNAT addresses is generally not the design pattern described in Fortinet's HA guidance and can lead to the asymmetric routing and session-state issues you are observing.
From the FortiGate Azure HA documentation, there are two primary HA models:
- Active-Passive HA with External/Internal Azure Load Balancers
- Public IPs remain attached to the Azure Load Balancer.
- The Load Balancer handles failover using health probes.
- Ingress and egress traffic can be inspected by the active FortiGate.
- This architecture provides high availability, but it does not inherently guarantee a one-to-one mapping between an inbound VIP public IP and the outbound SNAT public IP.
- Active-Passive HA with SDN Connector Failover
- FortiGate uses Azure API integration to update routes and shift public IP resources during failover.
- When the passive node becomes active, it can take ownership of the relevant Azure networking resources.
- This model is the closest match to your requirement of maintaining consistent public-IP identity across failover events.
Based on the requirement you've described, I would recommend evaluating the FortiGate SDN Connector HA architecture rather than attempting to use the Azure Standard Load Balancer frontend public IPs directly as SNAT addresses. The SDN Connector model was specifically designed to address Azure HA limitations around IP ownership and failover.
A couple of clarifying questions that will help determine the best design:
- Is the requirement specifically that Server A must always use Public IP A outbound because remote partners whitelist that address, or is it sufficient to use a consistent pool of outbound public IPs?
- Are the outbound connections originating from servers behind the FortiGate with a default route (0.0.0.0/0) pointing to the FortiGate?
- Which FortiGate Azure HA deployment model are you currently using (standard ELB/ILB HA, SDN Connector HA, custom automation, etc.)?
- Approximately how many public IP mappings need to maintain this inbound/outbound symmetry?
Those details will help determine whether the existing architecture can be adapted or whether a different FortiGate HA pattern would be more appropriate.