A single FortiGate-VM on Azure provides an Azure service-level agreement (SLA) of . For most production deployments, however, you will want higher availability. A single VM remains a single point of failure during both operations and planned maintenance.
Larger VM sizes generally support higher network bandwidth. For example, some older v2 instances surprisingly support higher throughput (up to 1500 Mbps) compared to certain v4 variants (800 Mbps) due to Azure's internal throttling policies. RAM Usage: Aim for at least 4GB to 8GB
For cloud-native architectures experiencing unpredictable spikes in traffic, deploying FortiGate within an Azure Virtual Machine Scale Set (VMSS) is the preferred approach.
FortiOS recommends a minimum of 2 GB of RAM for all versions. In practice, for production workloads with security features enabled (IPS, web filtering, antivirus, etc.), 4 GB or more is strongly advised for stable operation. fortigate vm sizing azure
They provide more memory per vCPU than the F-series, making them incredibly stable against memory-related conserve mode issues.
Suitable for large-scale deployments requiring high throughput and large memory for intensive threat protection.
). These were built for speed, though Alex noted they require at least 4GB of RAM to keep the defenses steady. Matching the License to the Armor A single FortiGate-VM on Azure provides an Azure
The most resource-intensive task. Because cloud VMs lack specialized Fortinet ASIC chips (SPU/CPRI), the main CPU handles all cryptographic decryption. Over-provision your vCPU count by 50% to 100% if you plan to decrypt high volumes of HTTPS traffic. 4. Architectural Best Practices for Sizing Scale Up vs. Scale Out
Instead of scaling vertically to massive, expensive VM sizes, consider a scale-out architecture. Use Azure Route Server (ARS) or Azure Load Balancers to distribute traffic across a pool of smaller, highly efficient FortiGate VMs.
). These offer a solid balance of CPU and memory for everyday traffic. The Swift F-Series Larger VM sizes generally support higher network bandwidth
Pure packet forwarding, Layer 4 access control lists (ACLs), and IPsec termination. This relies heavily on raw CPU clock speed and network interface card (NIC) efficiency.
Requires signature matching, increasing CPU load.
When vertical scaling (moving to a larger VM size) becomes cost-prohibitive or hits Azure's physical limits, you must scale horizontally. High Availability (HA) Sizing Considerations
If you'd like to narrow down your architecture, let me know: