This 3,000+ word guide will walk you through the anatomy of FortiGate VM sizing in Azure, covering SKU selection, throughput calculations, licensing models, high availability (HA) implications, and real-world deployment patterns.
FortiGate-VM performance in Azure is primarily determined by three factors: vCPU count, RAM, and the specific Azure VM family architecture.

vCPU Scaling

| Throughput Type | Description | Impact on Sizing |
|---|---|---|
| (1518-byte UDP) | Measured with large packets, raw forwarding, no inspection | Provides a baseline but is not reflective of real-world mixed traffic. |
| Firewall Throughput (64-byte UDP) | Measured with small packets; a much more challenging metric for firewalls. | Higher numbers here are better for environments with many small packets (e.g., VoIP, IoT). |
| IPsec VPN Throughput | The maximum VPN throughput. | Critical for site-to-site connectivity. |
| Threat Protection Throughput (Enterprise Mix) | Simulates real-world traffic with all security services (IPS, Application Control, etc.) enabled. | The most realistic metric for sizing for a security-conscious organization. |
| NGFW Throughput | Firewall with IPS enabled. | Provides a middle-ground performance estimate between firewall-only and full threat protection. |

Crucial. Ensure your chosen VM size supports Accelerated Networking, which offloads networking tasks from the CPU to the hardware, significantly reducing latency and jitter.

3. Aligning with FortiGate Licenses
If your traffic needs change, you can resize the VM without losing configuration: Stop the FortiGate VM within the Azure Portal. Navigate to in the VM menu.
FortiGate is a popular network security appliance that provides advanced threat protection, firewall, and VPN capabilities. In Azure, FortiGate can be deployed as a virtual machine (VM) to secure your cloud infrastructure. However, sizing the FortiGate VM correctly is crucial to ensure optimal performance, security, and cost-effectiveness. In this article, we will guide you through the process of sizing a FortiGate VM in Azure.
4 Gbps → 16+ vCPU + scale out
High traffic volumes with many simultaneous connections require more RAM.

2. FortiGate VM Licensing & Azure Instance Matching
Segmented East-West inspection inside a Hub-and-Spoke VNet architecture where memory-intensive routing tables (BGP) are used.

Recommended Sizes: Standard_D4ds_v5 or Standard_D8ds_v5.

Memory-Optimized: E-Series (Esv3, Edsv4)
The balances compute resources and memory. It is highly resilient and serves as an excellent all-rounder for mid-tier enterprise architectures.
The license scales dynamically with the size of the Azure VM instance you select. There are no software-enforced vCPU limits, allowing you to scale the VM size up or down via the Azure portal during maintenance windows.

6. Best Practices for Deployment and Scaling
The is the gold standard for high-performance FortiGate deployments. Powered by Intel Xeon Platinum processors, these VMs offer high clock speeds, making them ideal for CPU-heavy tasks like pattern matching in IPS and Threat Protection.
This article details how to map your security requirements to the correct Fortinet licenses and Azure compute tiers.

1. Understanding FortiGate-VM Architecture in the Cloud
Internal segmentation firewalls, environments with large routing tables, or configurations utilizing extensive FortiGuard database lookups.

3. Sizing Matrix: Standard Deployment Tiers
By matching your throughput needs, inspection levels, and interface requirements to the correct compute-optimized Azure VM series, you can build a highly resilient cloud security architecture that performs reliably without inflating your monthly cloud bill.
Firewall performance degrades as inspection levels deepen. Sizing models must account for this performance curve:
The offer a balanced mix of vCPU and memory.
FortiOS requires sufficient memory to maintain session tables, routing tables, and system management overhead. A deficit in RAM can trigger FortiGate's "Conserve Mode," where the firewall drops packets or limits security scanning to protect system stability.

The vCPU-to-RAM Golden Ratio