Panorama Orchestrated Deployments in Azure

Use the Panorama plugin for Azure to orchestrate VM-Series firewall deployments in Azure and enable security policies for managed firewalls.
The Panorama plugin for Azure centrally deploys, configures, and monitors your security posture in the Azure cloud. It orchestrates VM-Series deployments in your Azure network so that you can enable security policies for managed firewalls. The plugin links to your Azure ARM deployment and Azure Monitor pages, providing visibility into the deployment status, usage, and performance of your VM-Series firewalls.
In Azure, the plugin orchestrates the deployment of Azure resources such as load balancers, subnets and NAT gateways as well as VM-Series firewall autoscaling sets. In Panorama the plugin automatically configures Panorama device groups, template stacks, and NAT policies. It reads the tags from your Azure resources, then centrally enables tag-based policies on a group of firewalls.
The Panorama plugin can orchestrate deployments in one or more regions in your Azure environment. A deployment can consist of a hub stack or an inbound stack or both, depending on the traffic that needs to be secured for your deployment:
  • A Hub firewall stack protects outbound traffic and East-West traffic between your application workloads.
  • An Inbound firewall stack secures traffic to and from your public facing applications.
You can configure the number of firewalls in each stack, either as a static number of firewalls in your deployment or as a range for the virtual machine scale set (VMSS) to use for scaling. Both stacks in the deployment create a VMSS of VM-Series firewalls, and each can scale up to as many as 25 firewalls.
Hub Stack
A deployment uses a Hub stack and leverages the Azure Internal Standard Load Balancer (with HA ports) to scale and load balance across a set of firewalls. You can then use the Standard Load Balancer’s private IP address (2, “Hub/Egress Private IP” in the following figure) to route traffic to the firewalls for inspection and threat prevention. The Hub stack secures your applications’ outbound and East-West traffic.
To protect your outbound traffic and East-West traffic, add route rules in your application VNETs to redirect traffic to the Hub stack for inspection.
Inbound Stack
An Inbound firewall stack scales independently and adds visibility and security to your applications’ Inbound traffic.
Each inbound stack can secure up to 10 applications.
To protect your inbound HTTP traffic, add user-defined routes (UDRs) in the Application Gateway’s subnet route tables to route all traffic to the Inbound stack (3, “Ingress Private IP” in the following figure). To protect the non-HTTP inbound traffic, use the Panorama plugin to create front-end entries for your application endpoints (4, “Ingress Public IP Front Ends” in the following figure). To enable inspection, the Panorama plugin automatically creates load balancer rules on the Azure Public Standard Load Balancer and NAT rules on the firewalls.
If you only have HTTP/HTTPS inbound traffic, you can leave out the Inbound stack and protect that traffic with just the Hub stack.
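The route rules that both the Hub and Inbound procedures above ask you to add are the one part of this design the plugin does not create for you. As an added example (not code from this documentation, the Panorama plugin, or Palo Alto Networks), the following Bicep template builds those user-defined routes: a route table on the application subnet that sends outbound (0.0.0.0/0) and East-West (peer VNET prefixes) traffic to the Hub stack’s Internal Standard Load Balancer private IP, and a second route table on the Application Gateway subnet that sends traffic bound for the application subnet to the Inbound stack’s Ingress Private IP. All parameter defaults, resource names, IP addresses and address prefixes are assumptions; substitute the values from your own deployment.

```bicep
// Added example, not part of the Panorama plugin for Azure documentation.
// Every default below (names, IPs, prefixes) is an assumption for illustration.

@description('Private IP of the Hub stack Internal Standard Load Balancer (the "Hub/Egress Private IP")')
param hubEgressPrivateIp string

@description('Private IP of the Inbound stack load balancer (the "Ingress Private IP")')
param ingressPrivateIp string

@description('Existing application VNET that holds the subnets below (assumed name)')
param vnetName string = 'app-vnet'

@description('Application workload subnet whose traffic the Hub stack inspects (assumed)')
param appSubnetName string = 'app-subnet'
param appSubnetPrefix string = '10.1.1.0/24'

@description('Application Gateway subnet whose traffic the Inbound stack inspects (assumed)')
param appGwSubnetName string = 'appgw-subnet'
param appGwSubnetPrefix string = '10.1.0.0/24'

@description('Address spaces of peer application VNETs; East-West traffic to them goes via the Hub stack (assumed)')
param peerVnetPrefixes array = [
  '10.2.0.0/16'
  '10.3.0.0/16'
]

param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// One East-West route per peer VNET, all pointing at the Hub ILB as a virtual appliance.
var eastWestRoutes = [for (prefix, i) in peerVnetPrefixes: {
  name: 'east-west-${i}-via-hub'
  properties: {
    addressPrefix: prefix
    nextHopType: 'VirtualAppliance'
    nextHopIpAddress: hubEgressPrivateIp
  }
}]

// Hub stack route table: default route for outbound traffic plus the East-West routes.
resource hubRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-to-hub-stack'
  location: location
  properties: {
    // Keep routes learned over ExpressRoute/VPN from being injected into this
    // subnet, so on-premises prefixes cannot bypass the firewalls.
    disableBgpRoutePropagation: true
    routes: concat([
      {
        name: 'outbound-via-hub'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hubEgressPrivateIp
        }
      }
    ], eastWestRoutes)
  }
}

// Inbound stack route table: traffic from the Application Gateway toward the
// application subnet is steered to the Ingress Private IP for inspection.
resource inboundRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-to-inbound-stack'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'app-backend-via-inbound'
        properties: {
          addressPrefix: appSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: ingressPrivateIp
        }
      }
    ]
  }
}

// Associating a route table with a subnet is a full PUT of the subnet: keep any
// NSG or service-endpoint settings the subnet already has, or they are dropped.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: appSubnetName
  properties: {
    addressPrefix: appSubnetPrefix
    routeTable: { id: hubRouteTable.id }
  }
}

resource appGwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: appGwSubnetName
  properties: {
    addressPrefix: appGwSubnetPrefix
    routeTable: { id: inboundRouteTable.id }
  }
}

output hubRouteTableId string = hubRouteTable.id
output inboundRouteTableId string = inboundRouteTable.id
```

Deploy it into the resource group that owns the VNET, passing the two load balancer private IPs that the plugin reports for the stacks. Two checks are worth doing afterwards: use the Azure “effective routes” view on a workload NIC to confirm that 0.0.0.0/0 and the peer prefixes resolve to the Hub ILB IP (and that no more specific on-premises route wins), and confirm that the Application Gateway subnet route covers every backend prefix, since any prefix it misses reaches the application without passing the Inbound stack.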