Higher CPU-to-memory ratio, ideal for compute-heavy SSL inspection. VMSS (Scale Sets)
You purchase a perpetual or subscription license directly from Fortinet (e.g., VM-04) and apply it to the VM. You must match your Azure vCPU count precisely to your FortiGate license limit.
, which can be restrictive if you need separate interfaces for Management, WAN, LAN, and HA Heartbeat. Larger instances
: For high-throughput requirements, ensure the chosen VM size supports Accelerated Networking (SR-IOV) to reduce CPU overhead for networking tasks. Recommended Azure Instance Types
Sizing the virtual machine is only half the battle; you must align the Azure infrastructure to support the firewall's network requirements. Accelerated Networking (SR-IOV) fortigate vm sizing azure
: The BYOL model is tied to vCPU count, not RAM. In Azure, you are free to select any VM size and its associated RAM, as FortiGate-VM BYOL licenses do not have RAM restrictions in public clouds like Azure, a change from earlier FortiOS versions.
A common best practice is to match a BYOL license with a VM instance type that has an equal or greater number of vCPUs:
Azure dictates the maximum number of NICs a VM can possess based on its size. A standard high-availability (HA) enterprise firewall architecture typically requires at least three to four interfaces: Out-of-band administration. External (untrust): Facing the Internet or ExpressRoute.
For more detailed performance metrics and to download the latest datasheet, you can explore the FortiGate VM on Microsoft Azure page. , which can be restrictive if you need
The sizing process begins with the you choose, as it defines the compute resources your virtual firewall can use. FortiGate-VM on Azure offers two primary licensing models, each suited to different operational and financial strategies.
This matters because your FortiGate architecture might require separate interfaces for management, external traffic (public-facing), internal traffic (protected subnets), and high availability (HA) communication. If you need more interfaces, your VM size must increase accordingly—even if your throughput requirements are modest.
: FortiGate-VM uses Virtual Security Processing Units (vSPUs) to offload packet processing from the kernel, which can triple firewall throughput for UDP traffic. 2. Choosing the Right Azure Instance Family
The official is your primary source for these throughput numbers, which vary by the number of vCPUs assigned. Accelerated Networking (SR-IOV) : The BYOL model is
Fortinet licensing is strictly tied to vCPU count. This creates a "Tax" on oversizing.
If a single VM isn't enough, consider these advanced architectures: FortiGate VM on Microsoft Azure Data Sheet - Fortinet
Logging heavily to the local disk can slow down the system. Use a Premium SSD for the OS and log disks to prevent "wait" states on the CPU. Sizing Tier Guide Recommended Azure Size vCPU / RAM Small Office / Lab Standard_F2s_v2 Mid-Sized Enterprise Standard_F4s_v2 High Performance / Hub Standard_F8s_v2 Data Center Edge Standard_F16s_v2 Licensing Considerations Your Azure VM size must align with your FortiGate license.
Fortinet recommends specific Azure VM series that provide the best balance of compute and high-speed networking. 1. F-Series (Compute Optimized) The series is the "gold standard" for FortiGate VMs.