FortiGate VM Sizing in Azure

Deep inspection (SSL/TLS decryption) on a FortiGate VM in Azure is CPU-intensive, so sizing requires careful alignment between Azure instance capabilities and Fortinet licensing. For reliable performance with deep inspection enabled, a minimum of 4 GB RAM is recommended.

Core Sizing Considerations

CPU Impact: Deep packet inspection (DPI) and SSL/TLS inspection significantly increase CPU load. For example, one user's browsing and file downloading can consume up to 12% of a single CPU core when deep inspection is active.

NIC Limitations: Azure limits the number of Network Interfaces (NICs) based on the VM size. D2/D2v2: Supports only 2 NICs. D4/D4v2: Supports up to 8 NICs.

Accelerated Networking: For high-throughput requirements, ensure the chosen VM size supports Accelerated Networking (SR-IOV) to reduce CPU overhead for networking tasks.

Recommended Azure Instance Types

FortiGate supports various instance families, primarily leveraging Compute Optimized (F-series) or General Purpose (D-series).

| Feature Need | Recommended Azure Series | Notes |
| :--- | :--- | :--- |
| Standard DPI | D-Series (e.g., D2s_v3, D4s_v3) | Good balance of compute and memory for general UTM tasks. |
| High Performance DPI | F-Series (e.g., F4s, F8s) | Higher CPU-to-memory ratio, ideal for compute-heavy SSL inspection. |
| Scalability | VMSS (Scale Sets) | Allows auto-scaling FortiGate instances based on traffic demand. |

Licensing vs. VM Size

It is critical to match your Fortinet license with the Azure VM's vCPU count:

Mistake #3: Overlooking the Management Interface Overhead

1. The Core Challenge: vCPU vs. Throughput Licensing

Before selecting an Azure VM size, you must understand Fortinet’s licensing model. FortiGate-VM licenses are tied to the number of vCPUs provisioned in Azure, not the VM memory or clock speed.

| License Tier | vCPUs (Azure) | Typical Raw Throughput* | Use Case |
| :--- | :--- | :--- | :--- |
| FG-VM02 | 2 | ~1 Gbps | Dev/Test, branch office |
| FG-VM04 | 4 | ~2-4 Gbps | Small production, DMZ |
| FG-VM08 | 8 | ~4-8 Gbps | Mid-size enterprise |
| FG-VM16 | 16 | ~8-16 Gbps | Large hub, heavy inspection |

*Throughput varies dramatically with features (SSL inspection, IPS, threat protection).

Critical rule: If you assign an 8‑vCPU Azure VM but purchase only a VM04 license, the FortiGate will only use 4 vCPUs. Right-size both the Azure VM and the license.

Why it fails: FortiGate reserves 10-15% of CPU

The FortiGate VM SKU Hierarchy

| FortiGate Model | vCPU Range | RAM | Azure Instance Family | Typical Use Case |
| :--- | :--- | :--- | :--- | :--- |
| FG-VM01 | 1-2 | 1-2 GB | B-series, D2s_v3 | Dev/Test, Site-to-site VPN only |
| FG-VM02 | 2-4 | 4-8 GB | D4s_v3, D4as_v4 | Small production, branch hub |
| FG-VM04 | 4-8 | 8-16 GB | D8s_v3, E8s_v3 | Medium enterprise, SSL inspection |
| FG-VM08 | 8-16 | 16-32 GB | D16s_v3, E16s_v3 | Large enterprise, data center exit |
| FG-VM16 | 16-32 | 32-64 GB | D32s_v3, E32s_v3 | High-performance, service provider |
| FG-VM32 | 32-64 | 64-128 GB | D64s_v3, M64 | Very high throughput (10+ Gbps) |

Critical Insight: Azure vCPUs are not equal to physical cores. A D8s_v3 offers 8 vCPUs (Hyper-threaded on Intel Xeon Platinum 8171M). FortiGate performance is bursty; ensure you understand the baseline performance of your chosen Azure series.
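An added example, not from the original page or from Fortinet or Microsoft: a pre-deployment check that applies the rules above (license vCPU cap, NIC limit, Accelerated Networking, the 4 GB minimum for deep inspection) to VM size data in the shape of `az vm list-skus --resource-type virtualMachines -o json`. The size names and capability values in the sample are constructed, the finding codes are hypothetical, and the tier-to-vCPU map is copied from the license tier table in section 1.

```python
import json

# vCPU count per license tier, copied from the page's license tier table.
LICENSE_VCPUS = {"FG-VM02": 2, "FG-VM04": 4, "FG-VM08": 8, "FG-VM16": 16}
MIN_RAM_GB_DEEP_INSPECTION = 4  # minimum the page recommends

# Constructed sample shaped like `az vm list-skus` output; names and values are made up.
SAMPLE_SKUS = json.loads("""[
 {"name": "Example_Small", "capabilities": [
   {"name": "vCPUs", "value": "2"}, {"name": "MemoryGB", "value": "3.5"},
   {"name": "MaxNetworkInterfaces", "value": "2"},
   {"name": "AcceleratedNetworkingEnabled", "value": "False"}]},
 {"name": "Example_Large", "capabilities": [
   {"name": "vCPUs", "value": "8"}, {"name": "MemoryGB", "value": "32"},
   {"name": "MaxNetworkInterfaces", "value": "4"},
   {"name": "AcceleratedNetworkingEnabled", "value": "True"}]}
]""")

def check_size(sku, license_tier, nics_needed, deep_inspection=True):
    """Return a list of (code, message) findings; an empty list means the size fits."""
    caps = {c["name"]: c["value"] for c in sku["capabilities"]}
    vcpus, licensed = int(caps["vCPUs"]), LICENSE_VCPUS[license_tier]
    findings = []
    if vcpus > licensed:
        # Per the page: FortiGate only uses as many vCPUs as the license allows.
        findings.append(("vcpu_over_license",
                         f"{vcpus - licensed} of {vcpus} vCPUs will sit idle under {license_tier}"))
    elif vcpus < licensed:
        findings.append(("license_over_vcpu",
                         f"{license_tier} covers {licensed} vCPUs, size has only {vcpus}"))
    if int(caps["MaxNetworkInterfaces"]) < nics_needed:
        findings.append(("too_few_nics",
                         f"size allows {caps['MaxNetworkInterfaces']} NICs, design needs {nics_needed}"))
    if caps.get("AcceleratedNetworkingEnabled", "False").lower() != "true":
        findings.append(("no_accelerated_networking",
                         "networking will be handled on the CPU without SR-IOV"))
    if deep_inspection and float(caps["MemoryGB"]) < MIN_RAM_GB_DEEP_INSPECTION:
        findings.append(("low_ram_for_deep_inspection",
                         f"{caps['MemoryGB']} GB is below the {MIN_RAM_GB_DEEP_INSPECTION} GB minimum"))
    return findings

if __name__ == "__main__":
    for sku in SAMPLE_SKUS:
        for code, msg in check_size(sku, "FG-VM04", nics_needed=3):
            print(f"{sku['name']}: {code}: {msg}")
```
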


4. Concurrent Sessions & New Sessions Per Second


Introduction

FortiGate is a popular network security appliance that provides advanced threat protection, firewall, and VPN capabilities. In Azure, FortiGate can be deployed as a virtual machine (VM) to secure your cloud infrastructure. However, sizing the FortiGate VM correctly is crucial to ensure optimal performance, security, and cost-effectiveness. In this article, we will guide you through the process of sizing a FortiGate VM in Azure.