A common best practice is to match a BYOL license with a VM instance type that has an equal or greater number of vCPUs:
Sizing FortiGate-VM on Microsoft Azure

Sizing a FortiGate-VM in Microsoft Azure requires balancing technical resource requirements with licensing models to ensure peak performance for your network security workload.

Core System Requirements
Fortinet supports several Azure VM types, but certain families are highly optimized for network virtual appliances (NVAs).

The F-Series (Compute-Optimized) — Highly Recommended
Deep packet inspection (SSL/TLS decryption), antivirus, sandboxing, and web filtering. This is the most resource-intensive tier, often reducing raw firewall throughput by 70% to 80%.

Memory-to-vCPU Ratios
💡 If you anticipate high growth, size your Azure VM for your "future" needs but use a BYOL license that allows for easy CPU upgrades without redeploying the instance.
A sizing mistake can lead to CPU throttling, dropped packets, or unnecessary cloud spend. This guide covers the technical nuances of sizing FortiGate VMs in Azure, matching workloads to Azure VM families, and optimizing configurations for maximum throughput.

1. Core Principles of FortiGate VM Sizing in Azure
on Microsoft Azure is a powerful way to secure your cloud workloads. However, unlike physical appliances with fixed specs, "sizing" in the cloud is a balancing act between Azure instance limits and Fortinet licensing
As a modern alternative, is a points-based, consumption-based licensing model. It is ideal for environments with fluctuating workloads, as it allows you to pay only for what you use, making it very easy to scale up or down without being locked into a specific license for a set number of vCPUs.
Properly sizing your FortiGate-VM on Azure is a multi-faceted process that goes beyond simply choosing a virtual machine size. By understanding the interplay between BYOL licensing and Azure VM instances, using the official sizing and performance tools, planning for high availability, and being aware of common pitfalls, you can build a security architecture that is both powerful and cost-effective.
Azure caps the maximum aggregate egress bandwidth at the VM level. For example, a Standard_F4sv2 instance has an Azure network bandwidth limit of 4,000 Mbps (4 Gbps). Even if the FortiGate software can process 10 Gbps of pure firewall traffic, Azure will throttle the egress traffic at the hypervisor level to 4 Gbps. Always check the metric in the official Azure VM documentation.

The Licensing Model (BYOL vs. PAYG)
It is critical to match your Fortinet license with the Azure VM's vCPU count:
Standard web filtering, VPN gateways, and general segmentation.
If your design requires dedicated interfaces for Management, Untrusted (External), Trusted (Internal), and DMZ, you must choose a VM size that supports (typically 4-vCPU sizes and larger), regardless of your throughput needs.

Azure Bandwidth Caps per VM