Backing up virtual appliance attached to a public Azure Load Balancer

[Lewpy]

When we attempt to backup a FortiGate virtual appliance in Azure IaaS sandwiched between Azure Load Balancers (part of an HA pair), we get this error

The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Network/loadBalancers/read' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/loadBalancers/xxx-publicLoadBalancer' or the scope is invalid

I can see that we could add the required permission to the Veeam Azure Service Account (it is not part of the set of permissions that Veeam automatically grants it), but would this be an "okay" thing to do and not cause problems?
I get the feeling that restoration of the virtual appliance may be problematic at best anyway, with the Azure Load Balancers thrown in the mix, and normal configuration backups within the virtual appliance's interface are best maintained (Azure's own backup doesn't let you back the VMs up).

Thanks,
Lewis.

[HannesK]

Hello,
To me it sounds like deploying a fresh appliance and restoring the configuration backup is the way how it is designed.

I would stick to the vendors (Fortinet) recommendations. What does Fortinet say about backup & restore?

Best regards,
Hannes

[nielsengelen]

Agree with Hannes. While we may be able to back it up, there is no direct integration with the solution and knowing the importance of these - it may be required.

Does Fortinet provide any guidance in this case as we may be able to look into this for enhancements within VBA?

I can see statements from 2020 that it was not supported at all to back it up and customers who use SCP to back up the config.

[Lewpy]

Hi Hannes/Niels,

Thank you for your replies
The FortiGate firewall appliance supports backing up the configuration to local disk via the management GUI, so there is an inbuilt backup process (the same as their physical firewalls).
Due to the "complexities" of the Azure configuration, which mixes appliance VMs with Azure Load Balancers, I question the "value" of a VM-level backup, to be honest.
It was more a case of "We can pick it for backup in the GUI, let's back it up".
I guess the ability to restore the entire VM back quickly (from snapshot or storage) could be useful if someone does something drastic to the virtual appliance, such that gaining access to the management console is no longer possible, so a configuration backup can't be restored. Although this will be against manufacturers (FortiNet) advice I suspect.
Redeploying the entire appliance from scratch is do-able, just highly complex, and would take down Internet access for the whole vNet while happening (the FortiGate's act as the Internet firewall) not to mention having to be very careful to keep any Public IPs allocated and migrated, otherwise all site-to-site VPNs, DNS records, etc. will need changed.

I am guessing this permission error isn't something that has been seen before then?
Perhaps blocking the VM from being selected for backup in the console is the "correct" enhancement

Thanks,
Lewis.