Internal segmentation firewalls, environments with large routing tables, or configurations utilizing extensive FortiGuard database lookups. 3. Sizing Matrix: Standard Deployment Tiers
: Accelerated Networking uses Single Root I/O Virtualization (SR-IOV) to provide high-throughput, low-latency networking for Azure VMs. It is highly recommended to enable it on your FortiGate-VM's interfaces where supported by the chosen instance family.
FortiGate-VM on Azure is available in two primary licensing models:
When running an Active-Passive FortiGate cluster using the FortiOS native FGCP (FortiGate Clustering Protocol) or Azure Load Balancers (ALBs), the secondary firewall sits idle or handles sync traffic. fortigate vm sizing azure
The solution uses two scale sets:
Azure offers several VM series optimized for different FortiGate use cases: Deploy Fortigate VM Free in Azure on Low End Free Tier VPS
Azure offers several VM series optimized for different roles, though some legacy series may no longer appear in the Marketplace: It is highly recommended to enable it on
This comprehensive guide covers everything you need to size your FortiGate-VM on Azure, from the two licensing models—bring your own license (BYOL) and pay as you go (PAYG)—to recommended VM types, network interface (NIC) limitations, and high availability architectures. By the end, you'll have the knowledge to confidently choose the right Azure VM size and licensing model for your specific needs.
FortiOS recommends a minimum of 2 GB of RAM for all versions. In practice, for production workloads with security features enabled (IPS, web filtering, antivirus, etc.), 4 GB or more is strongly advised for stable operation.
: Sizing is often driven by the number of required interfaces rather than just CPU power. For example, the D2v2 instance type only supports 2 NICs , while D4v2 supports up to 8 NICs . Licensing Models : By the end, you'll have the knowledge to
The industry standard for FortiGate deployments. Built on Intel Xeon Platinum processors, these instances provide high clock speeds, which directly accelerate single-thread firewall operations and heavy SSL/TLS decryption.
The most common sizing mistake in Azure is selecting a VM that is much larger than your licensed FortiGate vCPU capacity. Because Azure bills for the entire virtual machine regardless of how many vCPUs the FortiGate license can actually use, you can end up paying for idle compute resources.
The license scales dynamically with the size of the Azure VM instance you select. There are no software-enforced vCPU limits, allowing you to scale the VM size up or down via the Azure portal during maintenance windows. 6. Best Practices for Deployment and Scaling
FortiGate VM Sizing in Azure: A Comprehensive Engineering Guide