Different Azure series are optimized for specific firewall workloads:
This is a comprehensive guide and "paper-style" breakdown regarding FortiGate VM Sizing on Microsoft Azure. This document covers the selection methodology, specific SKU mappings, licensing implications, and architectural best practices.
A few key differences impact sizing decisions. . If your architecture depends on VDOMs for logical segmentation, BYOL is your only option. Also, you cannot convert an existing VM. PAYG and BYOL are not interchangeable ; once you launch a PAYG instance, you cannot later inject a BYOL license onto the same VM.
The balances compute resources and memory. It is highly resilient and serves as an excellent all-rounder for mid-tier enterprise architectures. fortigate vm sizing azure
For optimal performance, choose Azure instances that support , which drastically improves throughput and reduces latency.
In Azure Marketplace, FortiGate-VM offers based on license. The license determines the licensed throughput (e.g., 1 Gbps, 2 Gbps, 5 Gbps). The VM size must support that throughput.
If using the FortiGate as a VPN hub (Site-to-Site or Client VPN), you must account for encryption overhead. Different Azure series are optimized for specific firewall
FortiGate-VM BYOL licenses are sold in tiers based on the number of the firewall can actively use to process traffic. Available tiers include FG-VM01 (1 licensed vCPU), FG-VM02 (2 licensed vCPUs), FG-VM04 (4), FG-VM08 (8), FG-VM16 (16), FG-VM32 (32), and FG-VMUL (Unlimited).
| Instance Type | vCPU | Max NIC | Recommended BYOL License | | :--- | :--- | :--- | :--- | | Standard_F2 | 2 | 2 | FG-VM02 or FG-VM02v | | Standard_F4s | 4 | 4 | FG-VM04 or FG-VM04v | | Standard_F8s_v2 | 8 | 4 | FG-VM08 or FG-VM08v | | Standard_F16 | 16 | 8 | FG-VM16 or FG-VM16v | | Standard_F32s_v2 | 32 | 8 | FG-VM32 or FG-VM32v |
FortiOS recommends a minimum of 2 GB of RAM for all versions. In practice, for production workloads with security features enabled (IPS, web filtering, antivirus, etc.), 4 GB or more is strongly advised for stable operation. PAYG and BYOL are not interchangeable ; once
RSS distributes network receive processing across multiple vCPUs, preventing a single core from becoming a bottleneck during high-volume ingress events. Verify that RSS is active within FortiOS to guarantee that traffic flows are evenly balanced across all available vCPU worker threads. Disk Subsystem Sizing (IOPS)
By leveraging these tools and resources, you can ensure that your FortiGate VM is properly sized and configured to meet the security needs of your Azure environment.
The FortiGate-VM will boot and function normally. It will only use the number of vCPUs specified in your license for traffic processing. The remaining vCPUs in the Azure VM remain idle, but Azure continues to bill you for the full VM size . Properly right-sizing your Azure VM to match your licensed vCPU count is essential for cost efficiency.