FortiGate VM Sizing Azure May 2026

Deploying a FortiGate Next-Generation Firewall (NGFW) in Microsoft Azure is a best practice for securing hybrid and cloud-native workloads. However, unlike on-premises appliances where you buy fixed hardware, Azure offers a dizzying array of VM sizes. Choosing the wrong size leads to either poor performance (packet drops, high latency) or unnecessary cloud spend.

This article breaks down how to correctly size a FortiGate-VM in Azure based on throughput, features, and workload type.

Sizing a FortiGate VM in Azure is equal parts art and science. The safe starting point for any production workload today (2025) is:

Remember three non-negotiables: Accelerated Networking enabled, never B-series, and always derate datasheet numbers by 40% for Azure.

Finally, test with your real traffic – not synthetic UDP floods. Cloud networking behaves differently on Tuesday at 2 PM vs. Friday at 5 PM. Use FortiView’s “Top Threats” and “Top Applications” to refine your sizing every quarter.

Your Azure cloud is only as secure as your firewall’s ability to process traffic without dropping packets. Size wisely.


Need a sizing spreadsheet? Fortinet offers a free “Azure Sizing Calculator” on their support portal. Or, use the open-source fortinet-sizer tool on GitHub.

Sizing FortiGate-VM on Microsoft Azure

Sizing a FortiGate-VM in Microsoft Azure requires balancing technical resource requirements with licensing models to ensure peak performance for your network security workload.

Core System Requirements

To operate effectively in a cloud environment, FortiGate-VMs must meet baseline hardware specifications:

Memory (RAM): A minimum of 4 GB is recommended for proper operation, particularly when enabling intensive security features like Unified Threat Management (UTM) or proxy services.

vCPUs: Basic deployments typically require at least 2 vCPUs, while environments with higher traffic or demanding security requirements should scale to 4 or 8 vCPUs to avoid performance degradation.

Disk Space: A minimum of 32 GB to 40 GB is required for the operating system and configuration, though additional space may be needed for extensive logging.

Selecting Azure Instance Types

Azure offers several VM series optimized for different roles, though some legacy series may no longer appear in the Marketplace:

Compute Optimized (F-Series): Ideal for high-throughput tasks like batch processing or high-performance web servers.

General Purpose (D-Series): Frequently used for standard firewall deployments. Specifically, Dv5 and Dsv5 series support Accelerated Networking by default, which can triple throughput for certain traffic types.

Performance Enhancements: Utilizing vSPU (virtual Security Processing Unit) technology allows FortiGate-VM to offload packet processing, overcoming the typical throughput bottlenecks of virtual firewalls.

Licensing and Scaling Considerations

Your choice of licensing impacts how you can size and scale your environment:

FortiGate VM on Microsoft Azure Data Sheet - Fortinet

FortiGate VM Sizing on Microsoft Azure: Strategic Overview

Selecting the correct Azure virtual machine (VM) instance for a FortiGate-VM deployment requires balancing compute power (vCPUs), memory, and, crucially for networking, the maximum number of network interface cards (NICs) supported by the Azure instance.

1. Fundamental Sizing Metrics

Azure FortiGate-VM sizing is primarily driven by three factors:

vCPU Count: Determines the parallel processing capacity for traffic and security inspection (IPS, Antivirus, Application Control).

NIC Density: Azure enforces strict limits on the number of NICs per VM size. For example, a high-availability (Active-Passive) setup typically requires at least 4 NICs (Management, Internal, External, Heartbeat), which mandates a minimum of 4 vCPUs in most Azure families (e.g., D4 series).

Throughput Requirements: Performance varies significantly based on whether security features are enabled.

2. Recommended Azure Instance Families

Fortinet generally recommends compute-optimized or general-purpose instances for production workloads.

Instance type support | FortiGate Public Cloud 7.6.0

When sizing a FortiGate VM in Microsoft Azure, you must align the Azure instance type with both your expected network performance and your Fortinet licensing model.

Performance & Specifications

Throughput varies significantly based on the Azure instance series and whether Accelerated Networking is enabled.

FortiGate Model Azure Instance Shape vCPU (Min/Max) Azure Expected Bandwidth VM-02 VM-04 VM-08 VM-16 VM-32 16,000 Mbps

Source: FortiGate VM on Azure Data Sheet

Critical Sizing Factors

Memory Requirements: A minimum of 8 GB RAM is recommended for standard operation. For advanced features like Unified Threat Management (UTM) or Zero Trust Network Access (ZTNA), at least 4 GB is strictly necessary.

Network Interfaces (NICs): Sizing is often driven by the number of required interfaces rather than just CPU power. For example, the D2v2 instance type only supports 2 NICs, while D4v2 supports up to 8 NICs.

Licensing Models:

Pay-As-You-Go (PAYG): The license automatically scales with the Azure instance size.

Bring Your Own License (BYOL): The license is tied to a specific number of vCPUs. While you can use a larger Azure VM, only the licensed number of cores will process traffic.

Resizing Best Practices

If you need to upscale your deployment, follow these steps to prevent data loss:

Backup: Always save your FortiGate configuration before resizing.

Maintenance Window: Expect a brief period of downtime during the restart.

Process: Shut down the VM from the Azure Portal, navigate to Availability + Scale > Size, select the new instance, and power it back on.

Licensing Check: If using BYOL, ensure your new vCPU count matches your license capacity.

For detailed configuration steps, refer to the FortiOS Azure Administration Guide.

Resizing an Azure FortiGate VM instance - Fortinet Community

Sizing FortiGate-VM on Microsoft Azure: A Comprehensive Guide

Sizing a FortiGate-VM in Microsoft Azure is a critical balance between required security performance and cloud infrastructure costs. Because Azure instances have varying limits on CPU, memory, and network interfaces (NICs), choosing the wrong "shape" can throttle your firewall’s throughput even if your license allows for more.

1. Key Performance Drivers in Azure

When sizing your instance, performance is determined by more than just raw CPU count. You must consider:

vCPU and RAM: Fortinet recommends at least 4 GB of RAM for proper operation, especially if you enable Unified Threat Management (UTM), ZTNA, or proxy features.

Accelerated Networking: This Azure feature is essential for high throughput. It offloads network processing to dedicated hardware (FPGA), significantly reducing latency and jitter. Ensure your chosen Azure size supports it.

vSPU Technology: FortiGate-VM uses Virtual Security Processing Units (vSPUs) to offload packet processing from the kernel, which can triple firewall throughput for UDP traffic.

2. Choosing the Right Azure Instance Family

FortiGate-VM supports several Azure instance families, each suited for different use cases:

| Instance Family | Best Use Case | Notable Limits |
| :--- | :--- | :--- |
| Compute Optimized (F-Series) | High-performance firewalling, IPS, and SSL inspection. | Often has lower NIC counts (e.g., F1/F2 may only support 2 NICs). |
| General Purpose (D-Series) | Standard web filtering, VPN gateways, and general segmentation. | Balanced CPU/RAM; widely available across all Azure regions. |
| ARM64 (Ampere Altra) | Cost-efficient high performance for specific modern workloads. | Requires specific ARM64 FortiOS images. |

3. Licensing vs. Azure Sizing

There are two primary ways to license your FortiGate-VM, and each impacts how you size the underlying VM:

FortiGate VM on Microsoft Azure Data Sheet - Fortinet

Sizing a FortiGate VM in Azure for Deep Inspection (SSL/TLS decryption) is CPU-intensive and requires careful alignment between Azure instance capabilities and Fortinet licensing. For reliable performance with deep inspection enabled, a minimum of 4 GB RAM is recommended.

Core Sizing Considerations

CPU Impact: Deep packet inspection (DPI) and SSL/TLS inspection significantly increase CPU load. For example, one user's browsing and file downloading can consume up to 12% of a single CPU core when deep inspection is active.

NIC Limitations: Azure limits the number of Network Interfaces (NICs) based on the VM size. D2/D2v2: Supports only 2 NICs. D4/D4v2: Supports up to 8 NICs.

Accelerated Networking: For high-throughput requirements, ensure the chosen VM size supports Accelerated Networking (SR-IOV) to reduce CPU overhead for networking tasks.

Recommended Azure Instance Types

FortiGate supports various instance families, primarily leveraging Compute Optimized (F-series) or General Purpose (D-series).

| Feature Need | Recommended Azure Series | |
| :--- | :--- | :--- |
| Standard DPI | D-Series (e.g., D2s_v3, D4s_v3) | Good balance of compute and memory for general UTM tasks. |
| High Performance DPI | F-Series (e.g., F4s, F8s) | Higher CPU-to-memory ratio, ideal for compute-heavy SSL inspection. |
| Scalability | VMSS (Scale Sets) | Allows auto-scaling FortiGate instances based on traffic demand. |

Licensing vs. VM Size

It is critical to match your Fortinet license with the Azure VM's vCPU count:

FortiGate VM sizing for MS Azure - explicit proxy, full UTM, SSL deep inspection, ICAP

Follow this process before clicking “Deploy”:

  • Apply derating factors:

  • Map to FortiGate model
    Baseline throughput × Derated ÷ 0.6 (safety margin) = Required datasheet throughput
    Look up that number in Fortinet’s Azure datasheet for the chosen instance family.

  • Select Azure instance type
    Start with D4s_v3 (4 vCPU) for FG-VM02, then load-test. Do not upsize blindly – each step doubles cost.

  • Enable Accelerated Networking – non-negotiable.

  • Deploy, then test with real traffic using FortiGate’s built-in diagnose sys top and Azure’s az network vnet list metrics.


  • Before selecting an Azure VM size, you must understand Fortinet’s licensing model. FortiGate-VM licenses are tied to the number of vCPUs provisioned in Azure, not the VM memory or clock speed.

    | License Tier | vCPUs (Azure) | Typical Raw Throughput* | Use Case |
    | :--- | :--- | :--- | :--- |
    | FG-VM02 | 2 | ~1 Gbps | Dev/Test, branch office |
    | FG-VM04 | 4 | ~2-4 Gbps | Small production, DMZ |
    | FG-VM08 | 8 | ~4-8 Gbps | Mid-size enterprise |
    | FG-VM16 | 16 | ~8-16 Gbps | Large hub, heavy inspection |

    *Throughput varies dramatically with features (SSL inspection, IPS, threat protection).

    Critical rule: If you assign an 8‑vCPU Azure VM but purchase only a VM04 license, the FortiGate will only use 4 vCPUs. Right-size both the Azure VM and the license.

    Version: 2024 Standards

    Scope: Infrastructure Architects, Security Engineers, Cloud Administrators

    | Family | Characteristics | FortiGate Recommendation |
    |--------|----------------|--------------------------|
    | Dv3 / Dv4 | General purpose, Intel Xeon, good balance | Best for 80% of use cases (VPN + inspection) |
    | Ev3 / Ev4 | Memory-optimized, same CPU as Dv3 | Required for large session tables (>2M) or many IPsec tunnels |
    | Fsv2 | High frequency Intel (3.4 GHz) | Ideal for SSL inspection and low-latency requirements |
    | Dasv4 | AMD EPYC (3.0+ GHz) | Excellent price/performance for stateful firewall only (not VPN-heavy) |
    | B-series (Burstable) | Use only for lab/DevTest | Production traffic will exhaust CPU credits and drop packets |

    FortiGate is a popular network security appliance that provides advanced threat protection, firewall, and VPN capabilities. In Azure, FortiGate can be deployed as a virtual machine (VM) to secure your cloud infrastructure. However, sizing the FortiGate VM correctly is crucial to ensure optimal performance, security, and cost-effectiveness. In this article, we will guide you through the process of sizing a FortiGate VM in Azure.

    This is the most CPU-hungry feature. Multiply vCPUs x2.
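
The sizing rules this page states (the license tier caps the vCPUs FortiGate uses, NIC limits per VM size, no B-series in production, Accelerated Networking on, datasheet throughput derated by 40%) can be written as a pre-deployment plan check. This is an added example, not Fortinet tooling or code from the page; the `Plan` fields, function names, finding codes and sample plans are assumptions made for illustration.

```python
from dataclasses import dataclass
import math

# Figures quoted on this page; anything else must be looked up, not guessed.
LICENSE_VCPUS = {"FG-VM02": 2, "FG-VM04": 4, "FG-VM08": 8, "FG-VM16": 16}
MAX_NICS = {"D2v2": 2, "D4v2": 8}      # size names spelled as on this page
AZURE_DERATE = 0.6                     # "derate datasheet numbers by 40%"

@dataclass
class Plan:
    """Hypothetical description of a planned FortiGate-VM deployment."""
    size: str                     # Azure size name
    vcpus: int                    # vCPUs of that size, as read from Azure
    license: str                  # BYOL tier from the license table
    nics: int                     # e.g. 4 for an active-passive HA pair
    accelerated_networking: bool
    baseline_mbps: float          # peak measured on real traffic
    datasheet_mbps: float         # figure read from Fortinet's Azure datasheet

def required_datasheet_mbps(baseline_mbps: float) -> int:
    """Datasheet figure needed so the derated number still covers the baseline."""
    return math.ceil(baseline_mbps / AZURE_DERATE)

def check_plan(p: Plan) -> list[str]:
    """Return finding codes; an empty list means the plan passes every rule."""
    findings = []
    name = p.size.removeprefix("Standard_")
    if name.upper().startswith("B"):
        findings.append("burstable-size")          # CPU credits run out under load
    if not p.accelerated_networking:
        findings.append("accelerated-networking-off")
    if name not in MAX_NICS:
        findings.append("nic-limit-unverified")    # confirm the limit for this size
    elif p.nics > MAX_NICS[name]:
        findings.append("too-many-nics")
    licensed = LICENSE_VCPUS[p.license]
    if p.vcpus > licensed:
        findings.append("unlicensed-vcpus-idle")   # extra cores process no traffic
    elif p.vcpus < licensed:
        findings.append("license-exceeds-vm")
    if p.datasheet_mbps < required_datasheet_mbps(p.baseline_mbps):
        findings.append("undersized-after-derating")
    return findings

# Constructed sample plans, not real deployments.
GOOD = Plan("D4v2", 8, "FG-VM08", 4, True, 1000, 2000)
BAD = Plan("D2v2", 2, "FG-VM04", 4, False, 3000, 4000)
LAB = Plan("B2ms", 2, "FG-VM02", 2, True, 100, 1000)
```

Running `check_plan` over each candidate size before deployment turns the checklist into a gate that can sit in a review or pipeline step.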