Sizing FortiGate-VM on Microsoft Azure: A Comprehensive Guide
Sizing a FortiGate-VM in Microsoft Azure is a critical balance between required security performance and cloud infrastructure costs. Because Azure instances have varying limits on CPU, memory, and network interfaces (NICs), choosing the wrong "shape" can throttle your firewall's throughput even if your license allows for more.
1. Key Performance Drivers in Azure
When sizing your instance, performance is determined by more than just raw CPU count. You must consider:
vCPU and RAM: Fortinet recommends at least 4 GB of RAM for proper operation, especially if you enable Unified Threat Management (UTM), ZTNA, or proxy features.
Accelerated Networking: This Azure feature is essential for high throughput. It offloads network processing to dedicated hardware (FPGA), significantly reducing latency and jitter. Ensure your chosen Azure size supports it.
vSPU Technology: FortiGate-VM uses Virtual Security Processing Units (vSPUs) to offload packet processing from the kernel, which can triple firewall throughput for UDP traffic.
2. Choosing the Right Azure Instance Family
FortiGate-VM supports several Azure instance families, each suited for different use cases:
Instance Family | Best Use Case | Notable Limits
Compute Optimized (F-Series) | High-performance firewalling, IPS, and SSL inspection. | Often has lower NIC counts (e.g., F1/F2 may only support 2 NICs).
General Purpose (D-Series) | Standard web filtering, VPN gateways, and general segmentation. | Balanced CPU/RAM; widely available across all Azure regions.
ARM64 (Ampere Altra) | Cost-efficient high performance for specific modern workloads. | Requires specific ARM64 FortiOS images.
3. Licensing vs. Azure Sizing
There are two primary ways to license your FortiGate-VM, and each impacts how you size the underlying VM:
FortiGate VM on Microsoft Azure Data Sheet - Fortinet
Optimizing Network Security: A Guide to FortiGate-VM Sizing in Microsoft Azure
Deploying a FortiGate Next-Generation Firewall (NGFW) in Microsoft Azure requires a strategic approach to "right-sizing" to balance high-performance security with cloud cost-efficiency. Unlike physical appliances with fixed hardware, a FortiGate-VM's power is determined by the Azure instance type it runs on and the Fortinet license applied to it.
1. Understanding the Licensing-Instance Link
Sizing begins with the vCPU count. FortiGate-VM licenses (e.g., VM-02, VM-04, VM-08) dictate the maximum number of vCPUs the software will utilize. While you can technically deploy a 2-vCPU license on an 8-vCPU Azure instance, the firewall will only use 2 cores for traffic processing.
BYOL (Bring Your Own License): Offers flexibility to choose specific vCPU/RAM ratios.
PAYG (Pay-As-You-Go): Often bundled with specific instance sizes in the Azure Marketplace.
2. Selecting the Right Azure VM Family
Not all Azure VM series are optimized for network security tasks. The most common choices include:
Compute-Optimized (F-Series): Ideal for high-throughput firewalling and IPsec VPNs. The Fsv2-series is frequently recommended for its high CPU-to-NIC ratio, which is crucial for complex HA (High Availability) setups requiring multiple interfaces.
General Purpose (D-Series): A balanced choice for standard workloads. The Dv4 and Dv5 series (e.g., Standard_D2s_v5) are common benchmarks in Fortinet datasheets.
Memory-Optimized (E-Series): Use these if you are running memory-intensive features like heavy SSL inspection, Proxy mode, or large-scale ZTNA (Zero Trust Network Access). A minimum of 4 GB RAM is recommended for stable operation.
3. Key Performance Enablers
To reach the multi-gigabit speeds advertised in datasheets, two Azure-specific features are non-negotiable:
Accelerated Networking (SR-IOV): This bypasses the virtual switch for direct host-to-NIC communication, drastically reducing latency and CPU overhead. It is available on most instances with 2 or more vCPUs.
Network Interface (NIC) Limits: Azure limits the number of NICs based on the VM size. If your design requires separate management, sync, and multiple traffic interfaces, you must select an instance size that supports at least 4 NICs.
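The three constraints described in this section and the one before it (the licence vCPU cap, Accelerated Networking support, and the per-size NIC limit) can be checked together before anything is deployed. The script below is an added example written for this guide, not Fortinet or Microsoft code. Its SKU catalogue is constructed sample data with illustrative values, and `AzureSku`, `LICENSE_VCPUS`, `FitResult` and `fit_check` are names this example introduces.

```python
"""Fit-check a FortiGate-VM licence tier against an Azure VM size.

Added example for this guide, not Fortinet or Microsoft code. The SKU table
is constructed sample data; confirm real per-size limits with `az vm list-skus`.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AzureSku:
    name: str
    vcpus: int
    memory_gb: float
    max_nics: int
    accelerated_networking: bool


# Constructed sample catalogue (assumption: illustrative values, not authoritative).
SKUS = {
    "Standard_B2s":    AzureSku("Standard_B2s", 2, 4.0, 3, False),
    "Standard_D2s_v5": AzureSku("Standard_D2s_v5", 2, 8.0, 2, True),
    "Standard_D4s_v5": AzureSku("Standard_D4s_v5", 4, 16.0, 2, True),
    "Standard_D8s_v5": AzureSku("Standard_D8s_v5", 8, 32.0, 4, True),
    "Standard_F4s_v2": AzureSku("Standard_F4s_v2", 4, 8.0, 2, True),
}

# Licence tiers named on this page and the vCPU count each lets FortiOS use.
LICENSE_VCPUS = {"FG-VM02": 2, "FG-VM04": 4, "FG-VM08": 8, "FG-VM16": 16}


@dataclass
class FitResult:
    sku: str
    license_name: str
    usable_vcpus: int  # min(licence cap, SKU vCPUs): what FortiOS will actually use
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def fit_check(license_name, sku_name, required_nics, min_ram_gb=4.0) -> FitResult:
    """Report every way this licence/SKU pair breaks the sizing rules above."""
    sku = SKUS[sku_name]
    cap = LICENSE_VCPUS[license_name]
    result = FitResult(sku_name, license_name, min(cap, sku.vcpus))
    if sku.vcpus > cap:
        # Paying Azure for cores the licence will never schedule traffic on.
        result.findings.append(
            f"{sku.vcpus - cap} of {sku.vcpus} vCPUs idle: {license_name} caps FortiOS at {cap} vCPUs")
    elif sku.vcpus < cap:
        # Paying Fortinet for cores the instance does not have.
        result.findings.append(
            f"{license_name} allows {cap} vCPUs but the SKU only has {sku.vcpus}")
    if sku.max_nics < required_nics:
        result.findings.append(
            f"design needs {required_nics} NICs, SKU supports {sku.max_nics}")
    if not sku.accelerated_networking:
        result.findings.append("Accelerated Networking not supported on this size")
    if sku.memory_gb < min_ram_gb:
        result.findings.append(f"{sku.memory_gb} GB RAM is below the {min_ram_gb} GB minimum")
    if sku.name.startswith("Standard_B"):
        result.findings.append("B-series is burstable; not suitable for a production firewall")
    return result


if __name__ == "__main__":
    # Four constructed scenarios: the 2-vCPU licence on a 4-vCPU SKU (waste),
    # an HA design needing four NICs, a clean fit, and a B-series instance.
    for lic, sku, nics in [("FG-VM02", "Standard_D4s_v5", 2), ("FG-VM04", "Standard_D4s_v5", 4),
                           ("FG-VM08", "Standard_D8s_v5", 4), ("FG-VM02", "Standard_B2s", 2)]:
        r = fit_check(lic, sku, nics)
        print(f"{lic} on {sku} ({nics} NICs): {'OK' if r.ok else '; '.join(r.findings)}")
```

Run it as a script to see the four sample checks, or import `fit_check` into a deployment pipeline so a mismatch fails the build rather than the firewall. The real per-size values for your region come from `az vm list-skus --location <region> --resource-type virtualMachines`, whose `capabilities` list carries `vCPUs`, `MemoryGB`, `MaxNetworkInterfaces` and `AcceleratedNetworkingEnabled`.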
FortiGate VM Sizing on Microsoft Azure: Strategic Overview
Selecting the correct Azure virtual machine (VM) instance for a FortiGate-VM deployment requires balancing compute power (vCPUs), memory, and—crucially for networking—the maximum number of network interface cards (NICs) supported by the Azure instance.
1. Fundamental Sizing Metrics
Azure FortiGate-VM sizing is primarily driven by three factors:
vCPU Count: Determines the parallel processing capacity for traffic and security inspection (IPS, Antivirus, Application Control).
NIC Density: Azure enforces strict limits on the number of NICs per VM size. For example, a high-availability (Active-Passive) setup typically requires at least 4 NICs (Management, Internal, External, Heartbeat), which mandates a minimum of 4 vCPUs in most Azure families (e.g., D4 series).
Throughput Requirements: Performance varies significantly based on whether security features are enabled.
2. Recommended Azure Instance Families
Fortinet generally recommends compute-optimized or general-purpose instances for production workloads.
Instance type support | FortiGate Public Cloud 7.6.0
Right-Sizing Your FortiGate VM in Microsoft Azure: A Practical Guide
Deploying a FortiGate Next-Generation Firewall (NGFW) in Azure is a smart move for hybrid and cloud-native security, but "guessing" your VM size can lead to either expensive over-provisioning or sluggish performance bottlenecks. To build a secure, efficient environment, you need to align your Azure VM SKU with your specific traffic needs and FortiOS licensing.
1. Match the VM Series to Your Workload
Azure offers various VM families, but not all are created equal for high-performance security.
Dv5 and Dsv5-Series (General Purpose): These are the modern standards for FortiGate deployments. They include Accelerated Networking by default, which is essential for low-latency traffic processing.
F-Series (Compute Optimized): Ideal if you are running heavy inspection services like deep-packet SSL inspection or high-volume IPS, where raw CPU speed is the priority.
A-Series (Entry Level): Generally avoided for production due to limited Network Interface Card (NIC) support and lower throughput.
2. The NIC Bottleneck: More Than Just Speed
One of the most overlooked aspects of Azure sizing is NIC limits. In Azure, the number of virtual interfaces you can attach is strictly tied to the VM size. Small instances (e.g., 2 vCPUs) often only support a small number of NICs, which can be restrictive if you need separate interfaces for Management, WAN, LAN, and HA Heartbeat. Larger instances are required if your architecture demands multiple segmented subnets or a complex Hub-and-Spoke design.
3. Aligning with FortiGate Licensing
Your sizing decision must sync with your licensing model to avoid "dead" resources.
Pay-As-You-Go (PAYG): The most flexible option. You are charged based on the Azure instance size, and the license scales automatically as you resize the VM.
Bring Your Own License (BYOL): Licenses are typically sold by vCPU count (e.g., VM-02, VM-04, VM-08). If you license 2 vCPUs but deploy on a Standard_D4s_v5 (4 vCPUs), the FortiGate will only utilize 2 of those CPUs, wasting half of your Azure compute costs.
4. Performance Expectations
While Azure doesn't provide "official" benchmark tools, real-world testing and community data suggest general targets:
Throughput: Larger VM sizes generally support higher network bandwidth. For example, some older v2 instances surprisingly support higher throughput (up to 1500 Mbps) compared to certain v4 variants (800 Mbps) due to Azure's internal throttling policies.
RAM Usage: Aim for at least 4GB to 8GB of RAM. Smaller instances with only 2GB or 4GB may struggle if you enable multiple UTM features (Antivirus, IPS, and Application Control).
5. Resizing Best Practices
Sizing FortiGate-VM on Microsoft Azure
Sizing a FortiGate-VM in Microsoft Azure requires balancing technical resource requirements with licensing models to ensure peak performance for your network security workload.
Core System Requirements
To operate effectively in a cloud environment, FortiGate-VMs must meet baseline hardware specifications:
Memory (RAM): A minimum of 4 GB is recommended for proper operation, particularly when enabling intensive security features like Unified Threat Management (UTM) or proxy services.
vCPUs: Basic deployments typically require at least 2 vCPUs, while environments with higher traffic or demanding security requirements should scale to 4 or 8 vCPUs to avoid performance degradation.
Disk Space: A minimum of 32 GB to 40 GB is required for the operating system and configuration, though additional space may be needed for extensive logging.
Selecting Azure Instance Types
Azure offers several VM series optimized for different roles, though some legacy series may no longer appear in the Marketplace:
Compute Optimized (F-Series): Ideal for high-throughput tasks like batch processing or high-performance web servers.
General Purpose (D-Series): Frequently used for standard firewall deployments. Specifically, Dv5 and Dsv5 series support Accelerated Networking by default, which can triple throughput for certain traffic types.
Performance Enhancements: Utilizing vSPU (virtual Security Processing Unit) technology allows FortiGate-VM to offload packet processing, overcoming the typical throughput bottlenecks of virtual firewalls.
Licensing and Scaling Considerations
Your choice of licensing impacts how you can size and scale your environment:
Mistake #4: Not Testing with Real Packet Sizes
- Why it fails: Datasheet uses 1518-byte packets. Cloud traffic is often 64-byte ACKs (gaming, VoIP, Redis). Small packets kill PPS capacity.
- Fix: Use iPerf3 in Azure with -l 64 for a worst-case PPS test.
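The gap between datasheet frames and small-packet traffic is arithmetic you can carry through before choosing an instance. The script below is an added example for this guide, not Fortinet's calculator or any project code: it converts a throughput figure into the frame rate a firewall must sustain at a given frame size, applies the 40% Azure derate this page recommends in its conclusion, and shows what `iperf3 -l 64` actually puts on the wire (the `-l` value is the UDP payload, so the Ethernet frame is larger than 64 bytes). The function names and the 10 Gbps / 5 Gbps scenario are this example's own.

```python
"""Frame-rate (PPS) planning for a FortiGate-VM on Azure.

Added example for this guide, not Fortinet or Microsoft code. The frame sizes
and the 40% derate are the figures quoted on the page; everything else is
IEEE 802.3 framing arithmetic.
"""

# Line-rate overhead that never shows up in a packet capture:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64            # smallest legal Ethernet frame (the "64-byte ACK" case)
DATASHEET_FRAME_BYTES = 1518    # largest standard frame; what datasheets are measured with
UDP_IPV4_ETH_FCS_BYTES = 8 + 20 + 14 + 4  # UDP + IPv4 + Ethernet header + FCS


def frames_per_second(throughput_mbps, frame_bytes):
    """Frames per second needed to fill `throughput_mbps` with frames of `frame_bytes`."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return throughput_mbps * 1_000_000 / bits_per_frame


def derate(datasheet_mbps, fraction=0.40):
    """Planning figure after removing the page's recommended 40% Azure derate."""
    return datasheet_mbps * (1.0 - fraction)


def udp_payload_to_frame(payload_bytes):
    """Ethernet frame size produced by an iperf3 UDP test run with `-l payload_bytes`.

    Frames shorter than 64 bytes are padded by the NIC, so that is the floor.
    """
    return max(MIN_FRAME_BYTES, payload_bytes + UDP_IPV4_ETH_FCS_BYTES)


def plan(datasheet_mbps, target_mbps, frame_bytes=MIN_FRAME_BYTES):
    """Compare a target load against a derated datasheet figure.

    Returns the derated capacity, whether the target fits under it, the frame
    rate the firewall must sustain at `frame_bytes`, and how many times higher
    that is than the same bandwidth carried in datasheet-sized frames.
    """
    planning_mbps = derate(datasheet_mbps)
    pps_small = frames_per_second(target_mbps, frame_bytes)
    pps_large = frames_per_second(target_mbps, DATASHEET_FRAME_BYTES)
    return {
        "planning_mbps": planning_mbps,
        "fits": target_mbps <= planning_mbps,
        "pps_at_target": pps_small,
        "pps_multiplier_vs_datasheet_frames": pps_small / pps_large,
    }


if __name__ == "__main__":
    # Constructed scenario: a 10 Gbps datasheet figure asked to carry 5 Gbps of minimum-size frames.
    result = plan(datasheet_mbps=10_000, target_mbps=5_000)
    for key, value in result.items():
        shown = f"{value:,.1f}" if isinstance(value, float) else str(value)
        print(f"{key:38s} {shown}")
    print(f"iperf3 -l 64 frame on the wire: {udp_payload_to_frame(64)} bytes")
```

The multiplier is the point: the same gigabit needs roughly eighteen times as many frames at 64 bytes as at 1518, and a virtual firewall is bounded by frames per second, not bits. When you run the iPerf3 test, size the `-l` value so that `udp_payload_to_frame` gives the frame size you actually want to stress.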
3. Sizing by Throughput & Feature Activation
Apply these reference rules based on your expected traffic and enabled features.
C. High Performance (Large Hub / Data Center)
- Target Throughput: 5 Gbps – 20 Gbps+
- License: VM08 / VM16 / VMXL
- Recommended Azure Sizes:
- Standard_D8s_v3 / v4 / v5 (8 vCPU) – Sweet spot for VM08.
- Standard_D16s_v3 / v4 / v5 (16 vCPU) – Sweet spot for VM16.
- Standard_F16s_v2 (16 vCPU) – High compute frequency, excellent for encrypted traffic decryption.
Conclusion: Size Conservatively, Test Aggressively
Sizing a FortiGate VM in Azure is equal parts art and science. The safe starting point for any production workload today (2025) is:
- Minimum: D4s_v3 (4 vCPU) with FG-VM02 license
- Typical SMB: D8s_v3 with FG-VM04 (allows SSL inspection)
- Enterprise: E16s_v3 with FG-VM08 in active-active HA
Remember three non-negotiables: Accelerated Networking enabled, never B-series, and always derate datasheet numbers by 40% for Azure.
Finally, test with your real traffic – not synthetic UDP floods. Cloud networking behaves differently on Tuesday at 2 PM vs. Friday at 5 PM. Use FortiView’s “Top Threats” and “Top Applications” to refine your sizing every quarter.
Your Azure cloud is only as secure as your firewall’s ability to process traffic without dropping packets. Size wisely.
Need a sizing spreadsheet? Fortinet offers a free “Azure Sizing Calculator” on their support portal. Or, use the open-source fortinet-sizer tool on GitHub.
Once upon a time, in the rapidly expanding kingdom of Azure, a network architect named Alex was tasked with deploying a FortiGate VM to protect the realm's digital borders. Alex knew that in the cloud, picking the wrong "armor" (VM size) could lead to either a sluggish defense or a treasury drained by overprovisioning.
The Foundation: Choosing the Right Series
Alex started by looking at the standard-issue Azure instance families.
The Reliable D-Series: For most standard workloads, Alex looked at the Standard_D2s_v5. These offer a solid balance of CPU and memory for everyday traffic.
The Swift F-Series: When the kingdom needed high-speed packet processing, Alex turned to the Compute-optimized F-series (Standard_F2s or F8). These were built for speed, though Alex noted they require at least 4GB of RAM to keep the defenses steady.
Matching the License to the Armor
Alex discovered a curious rule in the land of FortiGate: the license and the Azure instance must work in harmony, but they aren't identical. A license unlocks only the vCPUs it was sold for, so a smaller license would only use that many vCPUs, even if Alex placed it on a massive 32-vCPU Azure instance.
RAM Freedom: Unlike private kingdoms (VMware), Azure doesn't strictly limit the RAM through the license, but Fortinet recommends at least 4GB to 8GB to handle advanced features like Unified Threat Management (UTM) or SSL VPNs.
The Secret Weapon: Accelerated Networking
To ensure the firewall didn't become a bottleneck, Alex made sure to enable Accelerated Networking. This feature offloads traffic processing to the hardware, but it only works on certain Azure sizes (typically those with 2 or more vCPUs).
Alex's Quick Sizing Guide
Alex summarized his findings into a simple scroll for future architects, listing the recommended Azure instance for each use case:
Small Branch/Dev: Standard_D2s_v5
Standard Enterprise: Standard_D4s_v5
High Throughput: Standard_F8s
If Alex ever realized the armor was too small, he could resize the VM in the Azure portal, though he always remembered that this requires a brief restart of the firewall.