When sizing a FortiGate VM, you must look beyond Fortinet’s data sheets and account for Microsoft Azure's infrastructure limitations. Azure Network Interface (NIC) Limits
: Double the VM resources (two VMs active). For A/A, you also need more throughput per VM.
Dedicated interface for heartbeats and session synchronization. fortigate vm sizing azure
FortiOS reserves a portion of the first vCPU and a baseline memory footprint (typically 2GB to 4GB) solely for system management, logging, and control plane operations.
High CPU impact. Full deep packet inspection (DPI) requires the FortiGate to act as a transparent proxy, decrypting TLS traffic, scanning the payload, and re-encrypting it. This reduces nominal throughput by 60% to 80% compared to basic routing. Azure Network Throttling When sizing a FortiGate VM, you must look
This matters because your FortiGate architecture might require separate interfaces for management, external traffic (public-facing), internal traffic (protected subnets), and high availability (HA) communication. If you need more interfaces, your VM size must increase accordingly—even if your throughput requirements are modest.
This bypasses the virtual switch for direct host-to-NIC communication, drastically reducing latency and CPU overhead. It is available on most instances with 2 or more vCPUs. Full deep packet inspection (DPI) requires the FortiGate
The single most important factor in sizing your FortiGate-VM on Azure is . For each Azure VM, network bandwidth is allocated as a total limit for outbound traffic across all network interfaces attached to the virtual machine. That means you cannot add more NICs to increase total bandwidth—the limit is per VM.
The solution uses two scale sets: