FortiGate VM Sizing Azure Repack

Executive Summary: The "Useful" Review

Verdict: FortiGate-VM is the industry standard for Azure network security, but sizing is significantly more complex than on-premises hardware. Unlike a physical appliance where hardware is fixed, Azure requires you to balance Compute Power (vCPU/RAM) against Network Throughput limits imposed by Azure, not Fortinet.

The Golden Rule: In Azure, you are rarely limited by the FortiGate software capacity; you are almost always limited by the Azure Virtual Machine tier bandwidth caps.


1. Executive Summary

Sizing a FortiGate Virtual Machine (FGT-VM) in Azure requires a different methodology than sizing physical appliances. While physical firewalls are sized by hardware specs (CPU/RAM chips), virtual firewalls are sized by Throughput capacity and vCPU limits imposed by licensing.

In Azure, the performance of the FortiGate is bound by three factors:

  1. The Azure VM Instance Type: Determines raw CPU power and network bandwidth limits.
  2. The Fortinet License Tier: Artificially caps throughput based on the entitlement purchased.
  3. The Workload Profile: Inspection requirements (SSL VPN, IPS, Application Control).

3. Azure VM Sizing Matrix (Reference Guide)

Fortinet publishes specific Virtual Machine appliance IDs that map to Azure instance types. The "Appliance ID" is a variable used in Azure User-Data/Custom Data scripts to optimize driver settings.

4. Throughput Reality Check

Azure VM networking has a cumulative limit – all NICs share the same underlying bandwidth.

| VM Size | Max Network Bandwidth (Gbps) | FortiGate Realistic Inspection Throughput |
|---------|------------------------------|--------------------------------------------|
| D2s v3 | ~1.5 Gbps | ~0.8 Gbps (with basic firewall) |
| D4s v3 | ~3.0 Gbps | ~1.5-2 Gbps (with IPS) |
| D8s v3 | ~6.0 Gbps | ~3 Gbps (with SSL inspection) |
| D16s v3 | ~12.0 Gbps | ~5-6 Gbps (mixed traffic) |

Heuristic: For full UTM (IPS + SSL + AV), expect 40-50% of the VM’s raw network bandwidth.
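As an added example (not from this page and not a Fortinet tool), a small Python sizing helper that applies the bandwidth table and the 40-50% full-UTM heuristic above to pick the smallest listed VM size for a required inspection rate. The VM caps are the table's approximate figures; the per-profile factors, the headroom margin and the optional caller-supplied license cap are assumptions, since the page quotes no license throughput numbers.

```python
from dataclasses import dataclass
from typing import Optional

# Approximate Azure VM network caps (Gbps) taken from the table above.
AZURE_VM_BANDWIDTH_GBPS = {"D2s v3": 1.5, "D4s v3": 3.0, "D8s v3": 6.0, "D16s v3": 12.0}

# Usable fraction of raw VM bandwidth per inspection profile (assumptions):
# full_utm is the page's conservative 40% bound; basic/ips are read off the
# table's realistic-throughput column (e.g. 0.8 of 1.5 Gbps, 1.5 of 3.0 Gbps).
INSPECTION_FACTOR = {"basic_firewall": 0.5, "ips": 0.5, "full_utm": 0.4}


@dataclass
class SizingResult:
    vm_size: str
    raw_bandwidth_gbps: float
    inspection_gbps: float  # what the FortiGate can realistically inspect
    binding_limit: str      # "azure_vm" (the usual case) or "license"


def expected_inspection_gbps(vm_size: str, profile: str) -> float:
    """Realistic inspection throughput for one VM size under a given profile."""
    return AZURE_VM_BANDWIDTH_GBPS[vm_size] * INSPECTION_FACTOR[profile]


def recommend_vm(required_gbps: float, profile: str = "full_utm",
                 headroom: float = 0.2,
                 license_cap_gbps: Optional[float] = None) -> SizingResult:
    """Smallest listed VM whose inspection capacity covers the requirement plus
    headroom. license_cap_gbps is a hypothetical entitlement cap supplied by the
    caller. Raises ValueError when nothing listed fits: scale out or re-license."""
    target = required_gbps * (1 + headroom)
    if license_cap_gbps is not None and license_cap_gbps < target:
        raise ValueError(f"license cap {license_cap_gbps} Gbps is below the "
                         f"{target:.2f} Gbps target; a bigger VM will not help")
    for vm_size, raw in sorted(AZURE_VM_BANDWIDTH_GBPS.items(), key=lambda kv: kv[1]):
        capacity, binding = raw * INSPECTION_FACTOR[profile], "azure_vm"
        if license_cap_gbps is not None and license_cap_gbps <= capacity:
            capacity, binding = license_cap_gbps, "license"
        if capacity >= target:
            return SizingResult(vm_size, raw, round(capacity, 2), binding)
    raise ValueError(f"no listed VM size inspects {required_gbps} Gbps of {profile} "
                     f"traffic with {headroom:.0%} headroom; split the load")


if __name__ == "__main__":
    print(recommend_vm(1.0))                         # D4s v3, Azure cap binds
    print(recommend_vm(0.5, license_cap_gbps=0.6))   # D2s v3, license cap binds
```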


Active-Passive (recommended for most)

FortiGate-VM Sizing Guide for Microsoft Azure

Version: 2024 Standards Scope: Infrastructure Architects, Security Engineers, Cloud Administrators

Part 5: Real-World Sizing Scenarios (With Math)

Let’s walk through three actual customer examples.

Part 9: Cost Optimization Strategies

Sizing isn’t just about performance – it’s about spend. Here’s how to save money without breaking throughput.

| Strategy | Impact | Implementation |
|----------|--------|----------------|
| Reserved Instances (RI) | Save 40-60% | Purchase 1-year RI for BYOL FortiGate VM after 30 days stable usage |
| Right-size at night | Save 50% | Use Azure Automation to scale down FG-VM08 → FG-VM02 from 2 AM to 6 AM (if traffic allows) |
| Use AMD-based instances | Save 20% | Dasv4 series same vCPU count as Dv3 but 20% cheaper – good for non-VPN workloads |
| Offload SSL inspection | Save vCPUs | Use Azure Application Gateway for public SSL termination, then send plain HTTP to FortiGate |
| Enable Flow-based inspection | Save 30% CPU | Use `set policy-mode flow` instead of proxy-mode (default in new FortiOS 7.4+) |


3. Recommended Azure VM Series for FortiGate

Not all Azure VM families work well for firewalls. The following are field-proven:

| Azure Series | Characteristics | Best For |
|--------------|----------------|-----------|
| Dv5 / Dsv5 (General purpose) | Balanced compute & memory, good for most inspection workloads | Mixed firewall + IPS + SSL inspection (500 Mbps – 2 Gbps) |
| Ev5 / Esv5 (Memory optimized) | Higher memory-to-vCPU ratio | Large NAT tables, millions of sessions, VPN termination |
| Fsv2 (Compute optimized) | High clock speed (3.4+ GHz) | Low-latency, high-packet-rate environments (e.g., gaming, trading) |
| Dasv5 (AMD EPYC) | Cheaper per core, good sustained performance | Cost-sensitive production deployments |

Avoid: Burstable B-series (unpredictable under load), older A-series (low network performance).