FortiGate VM Sizing Azure May 2026

White Paper: FortiGate-VM Sizing and Performance in Microsoft Azure

Executive Summary

Selecting the correct virtual machine (VM) size for a FortiGate-VM in Azure is critical for balancing security performance with operational costs. This paper outlines the key technical considerations, licensing models, and recommended instance types to ensure an optimized deployment.

1. Core Performance Drivers

FortiGate-VM performance in Azure is primarily determined by three factors: vCPU count, RAM, and the specific Azure VM family architecture.

vCPU Scaling: FortiOS is highly parallelized. Adding vCPUs directly increases throughput for compute-intensive tasks like IPS, Antivirus, and SSL Inspection.

Memory Requirements: A minimum of is strongly recommended for production environments, especially when enabling Unified Threat Management (UTM) or Proxy features. Smaller sizes (e.g., 1 vCPU / 1 GB RAM) are generally restricted to lab or testing environments and may require deployment via VHD rather than the Azure Marketplace.

Accelerated Networking: For high-bandwidth requirements, select Azure VM sizes that support Accelerated Networking (e.g., Dv2, Dv3, F-series). This feature reduces latency and CPU overhead by utilizing SR-IOV.

2. Recommended Azure VM Families

Azure offers several VM series optimized for different FortiGate use cases:

Mastering FortiGate VM Sizing on Azure: A Complete Guide

Choosing the right size for your FortiGate VM on Microsoft Azure is a critical balancing act between security performance and cost optimization. Unlike physical appliances, virtual machines (VMs) share hardware resources, meaning your choice of Azure VM instance series directly impacts throughput, latency, and your firewall’s overall efficacy.

1. Understanding Azure VM Series for FortiGate

Azure offers several VM families, but not all are suited for high-performance security inspection.

F-Series (Compute-Optimized): Generally recommended for FortiGate because they offer a higher NIC-to-CPU ratio, which is essential for network-heavy workloads.

D-Series (General Purpose): A solid choice for standard, balanced workloads. The Dv4 and Dsv5 series are frequently used in standard FortiGate deployments.

Accelerated Networking: To avoid performance bottlenecks, ensure your chosen size supports Accelerated Networking. This offloads packet processing from the CPU to the NIC, drastically reducing latency and jitter.

2. Matching FortiGate Licenses to Azure Sizes

FortiGate VM licenses are typically tiered by the number of virtual CPUs (vCPUs) they support. Sizing your Azure instance without matching your license will lead to wasted resources.

| License Model | vCPU Range | Typical Azure Instance |
|---------------|------------|------------------------|
| VM-01S | | Standard_D2s_v5 (throttled) |
| VM-02S | up to 2 vCPUs | Standard_F2s_v2 or D2s_v5 |
| VM-04S | up to 4 vCPUs | Standard_F4s_v2 or D4s_v5 |
| VM-08S | up to 8 vCPUs | Standard_F8s_v2 or D8s_v5 |

Pro Tip: If you use Bring Your Own License (BYOL), you can upgrade from a VM-01S to a VM-02S and then resize the Azure VM to match the new vCPU count within minutes.

3. Critical Sizing Constraints

When selecting your size in the Azure Marketplace, keep these three technical limits in mind:

Network Interfaces (NICs): The number of interfaces you can attach is strictly limited by the VM size. A single FortiGate instance often requires at least four NICs (Management, External, Internal, and HA Sync).

Memory Requirements: While FortiGate-VM can run on as little as 2 GB of RAM, features like Intrusion Prevention (IPS) and Antivirus are memory-intensive. For production, aim for at least 4 GB to 8 GB to ensure the system doesn't enter conserve mode.

Throughput vs. Packet Size: Official Fortinet datasheets often list performance for large packets (1518 bytes). If your traffic is dominated by small packets (e.g., VoIP or DNS), you will need a larger VM size than the datasheet suggests to handle the higher packets-per-second (PPS) rate.

4. Deployment Strategies for Scalability

If a single VM isn't enough, consider these advanced architectures:

This is a comprehensive guide and "paper-style" breakdown regarding FortiGate VM Sizing on Microsoft Azure. This document covers the selection methodology, specific SKU mappings, licensing implications, and architectural best practices.


The Definitive Guide to FortiGate VM Sizing in Microsoft Azure

Deploying a FortiGate Next-Generation Firewall (NGFW) in Microsoft Azure is a best practice for securing hybrid and cloud-native workloads. However, unlike on-premises appliances where you buy fixed hardware, Azure offers a dizzying array of VM sizes. Choosing the wrong size leads to either poor performance (packet drops, high latency) or unnecessary cloud spend.

This article breaks down how to correctly size a FortiGate-VM in Azure based on throughput, features, and workload type.

10. Quick Reference: Sizing by Use Case

| Use Case | FortiGate SKU | Azure VM Size | vCPU | RAM |
|----------|--------------|---------------|------|-----|
| Small office (100 users, 300 Mbps) | FG-VM01 | D2s v3 | 2 | 8 GB |
| Branch (500 users, 1.5 Gbps, IPS) | FG-VM02 | D4s v3 | 4 | 16 GB |
| HQ (2000 users, 3 Gbps + SSL) | FG-VM04 | D8s v3 | 8 | 32 GB |
| VPN concentrator (1000 tunnels) | FG-VM08 | D16s v3 | 16 | 64 GB |
| Heavy SSL + logging (5 Gbps) | FG-VM08 | E8s v3 | 8 | 64 GB |

Final tip: Always over-provision by one VM size in Azure—you can scale down later, but undersizing causes production packet loss. Use Azure’s reserved instances for 1-3 year commitment to reduce cost.

6. High Availability (HA) in Azure

1. Core Sizing Factors for Azure

Unlike on-premises hardware, Azure sizing depends on vCPUs, RAM, and Azure’s own networking performance. Do not rely solely on FortiGate’s datasheet—Azure VM types have hard throughput caps.

| Factor | Key Questions |
|--------|----------------|
| Throughput | Total traffic (ingress+egress) in Gbps? |
| Inspection | SSL inspection (CPU-heavy)? IPS/AV (memory+CPU)? |
| Tunnels | Number of IPsec VPN tunnels (each consumes CPU/RAM) |
| High Availability | A/P or A/A cluster? (requires load balancer & extra VM) |
| Features | Explicit proxy, WAF, logging to disk (needs more RAM/disk IO) |


Mistake #3: Overlooking the Management Interface Overhead

  • Why it fails: FortiGate reserves 10-15% of CPU for management, logging, and the FortiGate-Azure integration daemon (f faz).
  • Fix: Never run a production FortiGate above 70% sustained CPU utilization as reported in FortiView.

2. The Licensing Constraint (Critical Step)

Before selecting an Azure VM size, you must understand the Fortinet license tiers. The software license places a "hard cap" on throughput, regardless of how powerful the underlying Azure VM is.

| License Tier | Max Throughput (Firewall) | Max Throughput (Threat Protection) | vCPU Limit (Soft) |
| :--- | :--- | :--- | :--- |
| VM01 | 1 Gbps | 500 Mbps | 2 vCPU |
| VM02 | 2 Gbps | 1 Gbps | 2 vCPU |
| VM04 | 5 Gbps | 2.5 Gbps | 4 vCPU |
| VM08 | 10 Gbps | 5 Gbps | 8 vCPU |
| VM16 | 20 Gbps | 10 Gbps | 16 vCPU |
| VMXL | Unlimited* | Unlimited* | Unlimited* |

Note: "Unlimited" is constrained only by the underlying Azure instance size.

Key Takeaway: If you purchase a VM04 license but deploy a 32-vCPU Azure instance, your throughput will cap at 5 Gbps (Firewall). Conversely, if you purchase a VMXL license but deploy a small instance, you are limited by the instance's hardware.
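The license/instance mismatch in the Key Takeaway, together with the NIC, memory and Accelerated Networking constraints described on this page, can be checked before deployment. The following Python is an added example, not Fortinet or Microsoft code; it assumes SKU data in the JSON shape returned by `az vm list-skus -o json`, and the SKU names and capability values in it are constructed.

```python
import json

# Soft vCPU limit per license tier, copied from the table above (None = unlimited).
LICENSE_VCPU_LIMIT = {"VM01": 2, "VM02": 2, "VM04": 4, "VM08": 8, "VM16": 16, "VMXL": None}
REQUIRED_NICS = 4       # Management, External, Internal, HA Sync (the page's figure)
MIN_PROD_MEMORY_GB = 4  # lower bound of the page's production guidance

# Constructed sample in the shape of `az vm list-skus -o json`.
# SKU names and capability values are hypothetical, not real Azure data.
SAMPLE_SKUS = json.loads("""[
  {"name": "Example_Small", "capabilities": [
    {"name": "vCPUs", "value": "2"}, {"name": "MemoryGB", "value": "2"},
    {"name": "MaxNetworkInterfaces", "value": "2"},
    {"name": "AcceleratedNetworkingEnabled", "value": "False"}]},
  {"name": "Example_Fit", "capabilities": [
    {"name": "vCPUs", "value": "4"}, {"name": "MemoryGB", "value": "16"},
    {"name": "MaxNetworkInterfaces", "value": "4"},
    {"name": "AcceleratedNetworkingEnabled", "value": "True"}]},
  {"name": "Example_Oversized", "capabilities": [
    {"name": "vCPUs", "value": "32"}, {"name": "MemoryGB", "value": "64"},
    {"name": "MaxNetworkInterfaces", "value": "8"},
    {"name": "AcceleratedNetworkingEnabled", "value": "True"}]}
]""")

def check_sku(sku, license_tier):
    """Return (code, detail) findings for one SKU entry against the page's constraints."""
    caps = {c["name"]: c["value"] for c in sku.get("capabilities", [])}
    vcpus = int(caps.get("vCPUs", 0))
    nics = int(caps.get("MaxNetworkInterfaces", 0))
    mem = float(caps.get("MemoryGB", 0))
    limit = LICENSE_VCPU_LIMIT[license_tier]  # KeyError on an unknown tier is intended
    findings = []
    if limit is not None and vcpus > limit:
        findings.append(("license-vcpu", f"{vcpus} vCPUs exceed the {license_tier} limit of {limit}"))
    if nics < REQUIRED_NICS:
        findings.append(("nics", f"supports {nics} NICs, {REQUIRED_NICS} needed"))
    if mem < MIN_PROD_MEMORY_GB:
        findings.append(("memory", f"{mem:g} GB RAM is below {MIN_PROD_MEMORY_GB} GB"))
    if caps.get("AcceleratedNetworkingEnabled", "False").lower() != "true":
        findings.append(("accel-net", "Accelerated Networking not supported"))
    return findings

if __name__ == "__main__":
    for sku in SAMPLE_SKUS:
        print(sku["name"], check_sku(sku, "VM04") or "OK")
```

To run it against real data, replace `SAMPLE_SKUS` with the parsed output of `az vm list-skus` for the target region.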

Scenario B: Full UTM (IPS, AV, Web Filtering)

UTM cuts throughput by 40–60% compared to raw firewalling.

  • 500 Mbps UTM → D4s_v5 + VM04
  • 1 Gbps UTM → D8s_v5 + VM08
  • 2 Gbps UTM → D16s_v5 + VM16 (or cluster)

5.2 Disk Sizing for Logging

  • FortiGate logs to disk if you enable local logging. Use Premium SSD (not Standard HDD) for disk I/O.
  • Minimum: 64 GB (OS + logs). Production: 128–256 GB to avoid log rollover.