VM Sizing Azure | FortiGate

This guide examines the key considerations, VM series options, performance expectations, and cost trade-offs when deploying FortiGate’s Next-Generation Firewall (NGFW) as a virtual machine in Azure.


Mistake #2: Ignoring East-West Traffic

  • Why it fails: You size for internet ingress (2 Gbps) but forget that your Azure VMs send 5 Gbps between subnets – all inspected.
  • Fix: Use Azure Network Watcher for 7 days to capture intra-VNet traffic. Add 100% buffer.

2. Azure VM Families for FortiGate

Not all Azure VM sizes are equal. FortiGate is CPU-intensive (especially for VPN and SSL inspection). Memory is less critical: Fortinet requires a minimum of 4-8 GB, and Azure sizes usually provide more than that.

Example 1: E-commerce Web App (1 Gbps inbound, IPS + WAF)

  • Required: ~1 Gbps UTM
  • Recommendation: Standard_D8s_v5 (8 vCPUs) + VM08 license
  • HA: Active-Passive (two D8s_v5)

7. Conclusion: A Simple Sizing Workflow

  1. Estimate peak throughput (include SSL, VPN, UTM).
  2. Apply feature penalty:
    • Raw firewall: 100% of estimate
    • +IPS/AV: Multiply by 2x
    • +SSL inspection: Multiply by 3x
  3. Select vCPUs:
    • < 1 Gbps → 2 vCPU (D2s_v5)
    • 1–2 Gbps → 4 vCPU (D4s_v5)
    • 2–4 Gbps → 8 vCPU (D8s_v5)
    • > 4 Gbps → 16+ vCPU + scale out
  4. Match license tier to vCPU count.
  5. Always enable Accelerated Networking and deploy at least two VMs for production HA.

By following these Azure-specific sizing rules, you’ll avoid the two worst outcomes: a sluggish firewall that drops traffic, or an oversized VM that burns cloud budget. Test with your actual traffic pattern using FortiGate’s built-in performance diagnostics before finalizing your VM size.


Need exact numbers? Deploy a D4s_v5 with a temporary PAYG license. Run `diag hardware cpu` and `get system performance status` under load to measure real CPU usage, then scale up or down accordingly.


Part 9: Cost Optimization Strategies

Sizing isn’t just about performance – it’s about spend. Here’s how to save money without breaking throughput.

| Strategy | Impact | Implementation |
|----------|--------|----------------|
| Reserved Instances (RI) | Save 40-60% | Purchase 1-year RI for BYOL FortiGate VM after 30 days stable usage |
| Right-size at night | Save 50% | Use Azure Automation to scale down FG-VM08 → FG-VM02 from 2 AM to 6 AM (if traffic allows) |
| Use AMD-based instances | Save 20% | Dasv4 series same vCPU count as Dv3 but 20% cheaper – good for non-VPN workloads |
| Offload SSL inspection | Save vCPUs | Use Azure Application Gateway for public SSL termination, then send plain HTTP to FortiGate |
| Enable Flow-based inspection | Save 30% CPU | Use `set policy-mode flow` instead of proxy-mode (default in new FortiOS 7.4+) |


Mistake #1: Using B-series VMs for Production

  • Why it fails: B-series VMs accumulate CPU credits and then throttle once they are spent. Packet loss begins after 30 minutes of sustained 100 Mbps.
  • Fix: Minimum D2s_v3 for any production FortiGate.

Mistake #3: Overlooking the Management Interface Overhead

  • Why it fails: FortiGate reserves 10-15% of CPU for management, logging, and the FortiGate-Azure integration daemon (f faz).
  • Fix: Never run a production FortiGate above 70% sustained CPU utilization as reported in FortiView.
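The five-step sizing workflow from section 7, together with the east-west buffer from Mistake #2 and the 70% sustained-CPU ceiling from Mistake #3, as a small Python sizing calculator. This is an added example, not code from the original post or from Fortinet; the FG-VM04/FG-VM16 license names and the Standard_D16s_v5 size are assumed to follow the pattern of the page's own examples, and the IPS/AV and SSL multipliers are assumed to compound when both features are enabled.

```python
from dataclasses import dataclass

# Step 2 feature penalties: multipliers on the raw throughput estimate.
IPS_AV_MULTIPLIER = 2.0
SSL_INSPECTION_MULTIPLIER = 3.0

# Step 3/4 tiers as (upper bound in Gbps, vCPUs, Azure size, license tier).
# FG-VM04 is assumed to follow the FG-VM02/FG-VM08 naming used on the page.
SIZE_TIERS = [
    (1.0, 2, "Standard_D2s_v5", "FG-VM02"),
    (2.0, 4, "Standard_D4s_v5", "FG-VM04"),
    (4.0, 8, "Standard_D8s_v5", "FG-VM08"),
]
# Above 4 Gbps the page calls for 16+ vCPU plus scale-out; size/license assumed.
SCALE_OUT_TIER = (16, "Standard_D16s_v5", "FG-VM16")
MAX_SUSTAINED_CPU_PCT = 70.0  # Mistake #3: never exceed 70% sustained CPU.


@dataclass
class SizingResult:
    effective_gbps: float
    vcpus: int
    vm_size: str
    license: str
    vm_count: int    # step 5: at least two VMs for production HA
    scale_out: bool  # True when a single 16-vCPU VM is not enough


def size_fortigate(internet_gbps, east_west_gbps=0.0,
                   ips_av=False, ssl_inspection=False):
    """Steps 1-5 of the workflow plus the Mistake #2 east-west buffer."""
    # Step 1 / Mistake #2: intra-VNet traffic is inspected too; add a 100% buffer.
    peak = internet_gbps + 2.0 * east_west_gbps
    # Step 2: apply feature penalties (assumed to compound when both are on).
    effective = peak
    if ips_av:
        effective *= IPS_AV_MULTIPLIER
    if ssl_inspection:
        effective *= SSL_INSPECTION_MULTIPLIER
    # Steps 3-4: smallest tier whose upper bound exceeds the effective load.
    for bound, vcpus, vm_size, lic in SIZE_TIERS:
        if effective < bound:
            return SizingResult(effective, vcpus, vm_size, lic, 2, False)
    vcpus, vm_size, lic = SCALE_OUT_TIER
    return SizingResult(effective, vcpus, vm_size, lic, 2, True)


def exceeds_cpu_ceiling(sustained_cpu_pct):
    """Mistake #3: flag a test deployment running above 70% sustained CPU."""
    return sustained_cpu_pct > MAX_SUSTAINED_CPU_PCT
```

Fed with the page's Example 1 (1 Gbps inbound with IPS) the calculator lands on Standard_D8s_v5 with an FG-VM08 license, and the Mistake #2 scenario (2 Gbps ingress plus 5 Gbps east-west) pushes it into the scale-out tier.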