FortiGate VM Sizing — Azure
If you are planning a deployment, follow this rough estimation guide:

| Estimated Traffic Throughput | Recommended VM Tier (Approx) | vCPU / RAM | Notes |
| :--- | :--- | :--- | :--- |
| < 500 Mbps | Standard D2s_v5 | 2 vCPU / 8GB | Good for VPN hub or small spoke. |
| 1 - 2 Gbps | Standard D4s_v5 | 4 vCPU / 16GB | Common mid-size hub. Enable Accelerated Networking. |
| 3 - 5 Gbps | Standard D8s_v5 | 8 vCPU / 32GB | Ideal for heavy inspection/UTM. |
| > 5 Gbps | Standard D16s_v5 or Fxs_v4 | 16+ vCPU | Check Azure bandwidth caps carefully here. |

My Advice: Start with a D-series v5 instance. They offer the best balance of CPU performance, network bandwidth credits, and cost. Deploy active-passive (AP) clustering via Azure Load Balancer for HA, and leverage the "Usage" graphs in the Azure Portal to verify if your CPU or Network Out metrics are hitting the ceiling.
Once upon a time, in the rapidly expanding kingdom of Azure, a network architect named Alex was tasked with deploying a FortiGate VM to protect the realm’s digital borders. Alex knew that in the cloud, picking the wrong "armor" (VM size) could lead to either a sluggish defense or a treasury drained by overprovisioning.

The Foundation: Choosing the Right Series
Alex started by looking at the standard issue Azure instance families.

The Reliable D-Series: For most standard workloads, Alex looked at the Standard_D2s_v5. These offer a solid balance of CPU and memory for everyday traffic.

The Swift F-Series: When the kingdom needed high-speed packet processing, Alex turned to the Compute-optimized F-series (Standard_F2s or F8). These were built for speed, though Alex noted they require at least 4GB of RAM to keep the defenses steady.

Matching the License to the Armor
Alex discovered a curious rule in the land of FortiGate: the Azure instance must work in harmony, but they aren't identical. : If Alex bought a license, it would only use , even if he placed it on a massive 32-vCPU Azure instance.

RAM Freedom: Unlike private kingdoms (VMware), Azure doesn't strictly limit the RAM through the license, but Fortinet recommends at least 4GB to 8GB to handle advanced features like Unified Threat Management (UTM) or SSL VPNs.

The Secret Weapon: Accelerated Networking
To ensure the firewall didn't become a bottleneck, Alex made sure to enable Accelerated Networking. This feature offloads traffic processing to the hardware, but it only works on certain Azure sizes (typically those with 2 or more vCPUs).

Alex’s Quick Sizing Guide
Alex summarized his findings into a simple scroll for future architects:

| | Recommended Azure Instance |
| :--- | :--- |
| Small Branch/Dev | Standard_D2s_v5 |
| Standard Enterprise | Standard_D4s_v5 |
| High Throughput | Standard_F8s |

If Alex ever realized the armor was too small, he could resize the VM in the Azure portal, though he always remembered that this requires a brief of the firewall.
How to Change Azure VM Size — And What You Must Think About First
Recommendation: For production >2 Gbps, always choose BYOL with a 3-year commitment. For variable workloads under 1 Gbps, PAYG works but watch your monthly bill.

| Use Case | Recommended VM Size (BYOL) | License | Expected Throughput |
|----------|----------------------------|---------|----------------------|
| Small branch / Dev test | D2sv5 (2 vCPU, 8 GB) | PAYG | 300–500 Mbps |
| Medium enterprise hub | D4sv5 (4 vCPU, 16 GB) | BYOL | 1–1.5 Gbps |
| IPS + SSL inspection (1 Gbps) | E8sv5 (8 vCPU, 64 GB) | BYOL | 800 Mbps – 1.2 Gbps |
| VPN concentrator (500 users) | F8sv2 (8 vCPU, 16 GB) | BYOL | 1.5 Gbps IPSec |
| Large perimeter (>2 Gbps) | E16sv5 (16 vCPU, 128 GB) | BYOL | 4–6 Gbps |

PAYG limitation: The largest PAYG FortiGate in Azure Marketplace is typically capped at ~4 vCPUs unless you contact Microsoft/Fortinet for custom SKUs.
Accelerated Networking: Mandatory. Without it, you lose SR-IOV, and throughput drops by >70%.
Follow this process before clicking “Deploy”:
Apply derating factors:
Map to FortiGate model
Baseline throughput × Derated ÷ 0.6 (safety margin) = Required datasheet throughput
Look up that number in Fortinet’s Azure datasheet for the chosen instance family.
Select Azure instance type
Start with D4s_v3 (4 vCPU) for FG-VM02, then load-test. Do not upsize blindly – each step doubles cost.
Enable Accelerated Networking – non-negotiable.
Deploy, then test with real traffic using FortiGate’s built-in diagnose sys top and Azure’s az network vnet list metrics.
Before selecting an Azure VM size, you must understand the Fortinet license tiers. The software license places a "hard cap" on throughput, regardless of how powerful the underlying Azure VM is.

| License Tier | Max Throughput (Firewall) | Max Throughput (Threat Protection) | vCPU Limit (Soft) |
| :--- | :--- | :--- | :--- |
| VM01 | 1 Gbps | 500 Mbps | 2 vCPU |
| VM02 | 2 Gbps | 1 Gbps | 2 vCPU |
| VM04 | 5 Gbps | 2.5 Gbps | 4 vCPU |
| VM08 | 10 Gbps | 5 Gbps | 8 vCPU |
| VM16 | 20 Gbps | 10 Gbps | 16 vCPU |
| VMXL | Unlimited* | Unlimited* | Unlimited* |

Note: "Unlimited" is constrained only by the underlying Azure instance size.
Key Takeaway: If you purchase a VM04 license but deploy a 32-vCPU Azure instance, your throughput will cap at 5 Gbps (Firewall). Conversely, if you purchase a VMXL license but deploy a small instance, you are limited by the instance's hardware.
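
Added example (not from the original page or from Fortinet): the sizing formula from the process above combined with the license-tier table, picking the smallest tier whose cap covers the required datasheet throughput and reporting how many instance vCPUs sit above the tier's vCPU limit. Treating "Derated" as a multiplier supplied by the caller is an assumption, as are the function and field names and the sample inputs.

```python
from dataclasses import dataclass

# Tiers from the license table above: (name, firewall Mbps, threat-protection Mbps,
# vCPU limit). VMXL is bounded only by the Azure instance, modelled here as None.
TIERS = [
    ("VM01", 1_000, 500, 2),
    ("VM02", 2_000, 1_000, 2),
    ("VM04", 5_000, 2_500, 4),
    ("VM08", 10_000, 5_000, 8),
    ("VM16", 20_000, 10_000, 16),
    ("VMXL", None, None, None),
]
SAFETY_MARGIN = 0.6  # divisor from the page's formula


@dataclass
class Sizing:
    required_mbps: float       # datasheet throughput to look up
    tier: str                  # smallest tier whose cap covers required_mbps
    licensed_vcpus: int        # vCPUs within the tier's limit on this instance
    vcpus_beyond_license: int  # instance vCPUs above the tier's limit


def required_datasheet_mbps(baseline_mbps: float, derate: float) -> float:
    """Baseline throughput x derate / 0.6. `derate` as a multiplier is an assumption."""
    if baseline_mbps <= 0 or derate <= 0:
        raise ValueError("baseline_mbps and derate must be positive")
    return round(baseline_mbps * derate / SAFETY_MARGIN, 1)


def size(baseline_mbps: float, derate: float, instance_vcpus: int,
         threat_protection: bool = True) -> Sizing:
    need = required_datasheet_mbps(baseline_mbps, derate)
    for name, fw_cap, tp_cap, vcpu_limit in TIERS:
        cap = tp_cap if threat_protection else fw_cap
        if cap is None or cap >= need:
            used = instance_vcpus if vcpu_limit is None else min(instance_vcpus, vcpu_limit)
            return Sizing(need, name, used, instance_vcpus - used)
    raise RuntimeError("unreachable: VMXL has no cap")


if __name__ == "__main__":
    # Constructed inputs: 600 Mbps baseline, derate 1.5, 8-vCPU instance, UTM on.
    print(size(600, 1.5, instance_vcpus=8))
    # Firewall-only 1800 Mbps baseline on a 32-vCPU instance lands on VM04.
    print(size(1800, 1.0, instance_vcpus=32, threat_protection=False))
```

A non-zero `vcpus_beyond_license` is the overprovisioning case from the key takeaway: the instance is larger than the license tier it was matched to.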