FortiGate supports various instance families, primarily leveraging or General Purpose (D-series).

Feature Need: Standard DPI
Recommended Azure Series: D-Series (e.g., D2s_v3, D4s_v3). Good balance of compute and memory for general UTM tasks.

Feature Need: High Performance DPI
Recommended Azure Series: F-Series (e.g., F4s, F8s)
Deploying a virtual appliance in the cloud requires a strict balance between security performance and infrastructure costs. Unlike physical firewalls with fixed hardware capacities, a Fortinet FortiGate Virtual Machine (VM) running in Microsoft Azure depends entirely on the underlying Azure virtual machine size for its CPU, memory, networking, and storage capabilities.
Constraint: Azure typically requires VM sizes with at least 2 or 4 vCPUs to enable Accelerated Networking.

NIC Limitations by VM Size
in Azure is a smart move for hybrid and cloud-native security, but "guessing" your VM size can lead to either expensive over-provisioning or sluggish performance bottlenecks. To build a secure, efficient environment, you need to align your Azure VM SKU with your specific traffic needs and FortiOS licensing.

1. Match the VM Series to Your Workload
When sizing, you must look beyond just "CPU and RAM." Azure imposes limits that can throttle your firewall.
💡 If you anticipate high growth, size your Azure VM for your "future" needs but use a BYOL license that allows for easy CPU upgrades without redeploying the instance.
B-series VMs accumulate CPU credits during idle periods but throttle performance when credits run out. This unpredictability is unacceptable for a security appliance that must process traffic consistently. Stick to compute-optimized Fsv2-series for production deployments.
The number of interfaces you can attach is strictly limited by the VM size. A single FortiGate instance often requires at least four NICs (Management, External, Internal, and HA Sync).
That means simply choosing the right BYOL license is not enough. You still need to provision a large enough Azure VM to meet your performance needs. The FortiGate-VM can't utilize vCPUs beyond its license, but it also can't exceed the network throughput and packet processing capacity of the underlying Azure VM.
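The sizing constraints above (four NICs, Accelerated Networking support, no burstable B-series, VM vCPUs matched to the license) can be checked against the JSON that `az vm list-skus` returns. This is an added example, not Fortinet or Microsoft code; the capability values in the sample are constructed, and `review_sku`, `passing_sizes` and `licensed_vcpus` are hypothetical names.

```python
import json

# Constructed sample shaped like `az vm list-skus --resource-type virtualMachines -o json`.
# Capability values are illustrative; run the command for your own region.
SAMPLE_SKUS = json.loads("""[
 {"name": "Standard_B2s", "capabilities": [
   {"name": "vCPUs", "value": "2"}, {"name": "MaxNetworkInterfaces", "value": "3"},
   {"name": "AcceleratedNetworkingEnabled", "value": "False"}]},
 {"name": "Standard_D2s_v3", "capabilities": [
   {"name": "vCPUs", "value": "2"}, {"name": "MaxNetworkInterfaces", "value": "2"},
   {"name": "AcceleratedNetworkingEnabled", "value": "True"}]},
 {"name": "Standard_F4s", "capabilities": [
   {"name": "vCPUs", "value": "4"}, {"name": "MaxNetworkInterfaces", "value": "4"},
   {"name": "AcceleratedNetworkingEnabled", "value": "True"}]},
 {"name": "Standard_F8s", "capabilities": [
   {"name": "vCPUs", "value": "8"}, {"name": "MaxNetworkInterfaces", "value": "8"},
   {"name": "AcceleratedNetworkingEnabled", "value": "True"}]}
]""")

REQUIRED_NICS = 4  # Management, External, Internal, HA Sync


def review_sku(sku, licensed_vcpus):
    """Return sizing findings for one SKU; an empty list means it passes."""
    caps = {c["name"]: c["value"] for c in sku.get("capabilities", [])}
    vcpus = int(caps.get("vCPUs", 0))
    nics = int(caps.get("MaxNetworkInterfaces", 0))
    findings = []
    if sku["name"].split("_")[1].upper().startswith("B"):
        findings.append("burstable B-series: throttles when CPU credits run out")
    if nics < REQUIRED_NICS:
        findings.append(f"supports {nics} NICs, design needs {REQUIRED_NICS}")
    if caps.get("AcceleratedNetworkingEnabled", "False").lower() != "true":
        findings.append("Accelerated Networking not available")
    if vcpus < licensed_vcpus:
        findings.append(f"{vcpus} vCPUs cannot use the {licensed_vcpus}-vCPU license fully")
    elif vcpus > licensed_vcpus:
        findings.append(f"{vcpus - licensed_vcpus} vCPUs exceed the license and sit unused")
    return findings


def passing_sizes(skus, licensed_vcpus):
    """Names of sizes with no findings for the given license vCPU cap."""
    return [s["name"] for s in skus if not review_sku(s, licensed_vcpus)]


if __name__ == "__main__":
    for sku in SAMPLE_SKUS:
        print(sku["name"], review_sku(sku, licensed_vcpus=4) or "OK")
```

If you deliberately oversize the VM for growth, treat the "exceed the license" finding as informational rather than a failure.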
To get the performance you sized for, you must enable specific features:
To avoid performance bottlenecks, ensure your chosen size supports Accelerated Networking. This offloads packet processing from the CPU to the NIC, drastically reducing latency and jitter.

2. Matching FortiGate Licenses to Azure Sizes