# The Definitive Guide to FortiGate VM Sizing in Microsoft Azure

Deploying a FortiGate Next-Generation Firewall (NGFW) in Microsoft Azure is a best practice for securing hybrid and cloud-native workloads. However, unlike on-premises appliances where you buy fixed hardware, Azure offers a dizzying array of VM sizes. Choosing the wrong size leads to either poor performance (packet drops, high latency) or unnecessary cloud spend. This article breaks down how to correctly size a FortiGate-VM in Azure based on throughput, features, and workload type.

## 1. The Core Challenge: vCPU vs. Throughput Licensing

Before selecting an Azure VM size, you must understand Fortinet’s licensing model. FortiGate-VM licenses are tied to the number of vCPUs provisioned in Azure, not the VM memory or clock speed.

| License Tier | vCPUs (Azure) | Typical Raw Throughput* | Use Case |
| :--- | :--- | :--- | :--- |
| FG-VM02 | 2 | ~1 Gbps | Dev/Test, branch office |
| FG-VM04 | 4 | ~2-4 Gbps | Small production, DMZ |
| FG-VM08 | 8 | ~4-8 Gbps | Mid-size enterprise |
| FG-VM16 | 16 | ~8-16 Gbps | Large hub, heavy inspection |

*Throughput varies dramatically with features (SSL inspection, IPS, threat protection).

Critical rule: If you assign an 8‑vCPU Azure VM but purchase only a VM04 license, the FortiGate will only use 4 vCPUs. Right-size both the Azure VM and the license.

## 2. Azure VM Families for FortiGate

Not all Azure VM sizes are equal. FortiGate is CPU-intensive (especially for VPN and SSL inspection). Memory is less critical (minimum 4-8 GB required per Fortinet, but Azure often provides more).

### Recommended Families (Best to Good)

| Family | Example Size | vCPUs | Memory | Best For |
| :--- | :--- | :--- | :--- | :--- |
| D-Series v5 (Dsv5) | Standard_D2s_v5 | 2 | 8 GB | General purpose – ideal for most. High CPU perf, fair price. |
| D-Series v4 (Dsv4) | Standard_D4s_v4 | 4 | 16 GB | Mature, widely available, good for mid-range. |
| F-Series (Fsv2) | Standard_F4s_v2 | 4 | 8 GB | CPU-optimized – excellent for IPsec VPN termination. |
| E-Series (Esv5) | Standard_E4s_v5 | 4 | 32 GB | Memory-heavy – only needed for huge session tables (>2M). |
| B-Series (Burstable) | Standard_B2s | 2 | 4 GB | NOT recommended for production – CPU credits run out quickly. |

Avoid: Any -as v4 sizes (they have less network acceleration) and older A-series VMs.

## 3. Sizing by Throughput & Feature Activation

Apply these reference rules based on your expected traffic and enabled features.

### Scenario A: Basic Routing & NAT (No UTM)

- Bandwidth: Up to 1 Gbps → D2s_v5 + VM02 license
- Bandwidth: 1–3 Gbps → D4s_v5 + VM04 license

### Scenario B: Full UTM (IPS, AV, Web Filtering)

UTM cuts throughput by 40–60% compared to raw firewalling.

- 500 Mbps UTM → D4s_v5 + VM04
- 1 Gbps UTM → D8s_v5 + VM08
- 2 Gbps UTM → D16s_v5 + VM16 (or cluster)

### Scenario C: IPsec VPN Termination (Site-to-Site)

VPN is crypto-bound. Prefer Fsv2 series.

- Up to 1 Gbps VPN → F4s_v2 + VM04
- 2 Gbps VPN → F8s_v2 + VM08

### Scenario D: SSL Deep Inspection (Decryption)

This is the most CPU-hungry feature. Multiply vCPUs x2.

- 200 Mbps SSL inspect → D4s_v5
- 500 Mbps SSL inspect → D8s_v5 or F8s_v2

## 4. Azure-Specific Performance Boosters

### Enable Accelerated Networking

Mandatory. Without it, you lose SR-IOV, and throughput drops by >70%.

- Supported on all Dv5, Fsv2, and most newer series.
- Enable at deployment time (can be added later with a restart).
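
The following added example (not Fortinet or Azure tooling, and not part of the original article) audits an inventory of FortiGate-VM deployments against this guide's rules: the license-versus-vCPU rule from section 1, the sizes to avoid from section 2, and Accelerated Networking on every NIC. The inventory is constructed sample data, the `license` field and finding codes are hypothetical, and the vCPU count is assumed to be the first number in the size name.

```python
import re

# Constructed sample inventory, not real deployments. "vmSize" and
# "enableAcceleratedNetworking" mirror Azure VM/NIC resource properties;
# the "license" field is a hypothetical record of the purchased tier.
INVENTORY = [
    {"name": "fgt-hub", "vmSize": "Standard_D8s_v5", "license": "FG-VM04",
     "nics": [{"enableAcceleratedNetworking": True},
              {"enableAcceleratedNetworking": True}]},
    {"name": "fgt-dev", "vmSize": "Standard_B2s", "license": "FG-VM02",
     "nics": [{"enableAcceleratedNetworking": False}]},
    {"name": "fgt-dmz", "vmSize": "Standard_D4as_v4", "license": "FG-VM04",
     "nics": [{"enableAcceleratedNetworking": True},
              {"enableAcceleratedNetworking": False}]},
    {"name": "fgt-vpn", "vmSize": "Standard_F4s_v2", "license": "FG-VM04",
     "nics": [{"enableAcceleratedNetworking": True}]},
]

def vcpus_from_size(vm_size):
    # Assumption: the first number in the size name is the vCPU count. True for
    # the sizes named in this guide, not for constrained-vCPU sizes.
    match = re.match(r"Standard_[A-Z]+(\d+)", vm_size)
    if match is None:
        raise ValueError(f"unrecognised VM size: {vm_size}")
    return int(match.group(1))

def audit(vm):
    """Return finding codes for one FortiGate-VM inventory record."""
    findings = []
    size = vm["vmSize"]
    vm_cpus = vcpus_from_size(size)
    lic = re.fullmatch(r"FG-VM(\d+)", vm["license"])
    if lic is None:
        raise ValueError(f"unrecognised license tier: {vm['license']}")
    lic_cpus = int(lic.group(1))
    if vm_cpus > lic_cpus:       # FortiGate will only use lic_cpus vCPUs
        findings.append("LICENSE_CAPS_VCPUS")
    elif vm_cpus < lic_cpus:     # license tier larger than the VM provides
        findings.append("LICENSE_LARGER_THAN_VM")
    if re.match(r"Standard_B\d", size):   # burstable, not for production
        findings.append("BURSTABLE_SIZE")
    if re.search(r"\das_v4$", size) or re.match(r"Standard_A\d", size):
        findings.append("AVOIDED_FAMILY")  # -as v4 or older A-series
    if not all(nic.get("enableAcceleratedNetworking") for nic in vm["nics"]):
        findings.append("ACCEL_NET_OFF")   # every NIC must have it enabled
    return findings

if __name__ == "__main__":
    for vm in INVENTORY:
        print(vm["name"], audit(vm) or "ok")
```
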