VM-Series Firewall on Azure
VM-Series on Azure brings the security features of Palo Alto Networks
Next-Generation Firewall as a virtual machine in the Azure Marketplace.
| Where Can I Use This? | What Do I Need? |
|---|
- Microsoft Azure
- Microsoft Azure Stack
- Azure® Marketplace
- Azure China Marketplace
- Azure Government Marketplace
|
- VM-Series License (PAYG or BYOL)
- VM-Series plugin
- Panorama
- Panorama plugin for Azure
|
The VM-Series firewall provides a complete set of security functionality to
protect your virtual machine workloads and data. The capabilities that the firewall
enables are different from native security features such as Security Groups, web
application firewalls and native, port-based firewall.
On Azure, the VM-Series is available in the bring your own license (BYOL) model or
in the pay-as-you-go (PAYG) hourly model. Microsoft Azure allows you to deploy the
firewall to secure your workloads within the virtual network in the cloud, so that you
can deploy a public cloud solution or you can extend the on-premises IT infrastructure
to create a hybrid solution.
Deploy the VM-Series firewall on Azure in a virtual network (VNet) using
the Resource Manager deployment mode. You can deploy the VM-Series
firewall on the standard Azure public cloud, Azure China, and Azure Government—including
DoD on Azure Government, which meets the security requirements for DoD Impact Level 5
data and FedRAMP High standards.
The VM-Series firewall on the marketplace for the Azure public cloud, Azure Government,
and Azure DoD regions, supports both the Bring Your Own License (BYOL) model and the
hourly Pay-As-You-Go (PAYG) option (usage-based licensing). For licensing details, see
VM-Series Firewall License Types, and refer to
the list of
supported Azure regions in which you can
deploy the VM-Series firewall.
Deploying the VM-Series firewall on Azure Stack, Microsoft's private cloud
solution allows you to use Azure services within your organization's data center. With
Azure Stack, build a hybrid cloud solution that unifies your public Azure deployment
with your on-premises Azure Stack set up. To download the VM-Series
firewall BYOL offer from the Azure Marketplace and make it available to your tenants on
the Azure Stack, see
Deploy the VM-Series Firewall on Azure
Stack.
Deployments Supported on Azure
Use the VM-Series firewall on Azure to secure your network users in
the following scenarios:
Hybrid and VNet to VNet—The VM-Series firewall on Azure
allows you to securely extend your physical data center/private cloud into
Azure using IPSec and ExpressRoute. To improve your data center security, if
you have segmented your network and deployed your workloads in separate
VNets, you can secure traffic flowing between VNets with an IPSec tunnel and
policies that allow application traffic.
Inter-Subnet —The VM-Series firewall can front your
servers in a VNet and protects against lateral threats for inter-subnet
traffic between applications in a multi-tier architecture.
Gateway—The VM-Series firewall serves as the VNet
gateway to protect Internet-facing deployments in the Azure Virtual Network
(VNet). The VM-Series firewall secures traffic destined to
the servers in the VNet and it also protects against lateral threats for
inter-subnet traffic between applications in a multi-tier architecture.
GlobalProtect—Use the Azure infrastructure to quickly and easily
deploy the VM-Series firewall as GlobalProtect™ and extend
your gateway security policy to remote users and devices, regardless of
location.
