>
    Strata Copilot
    Prepare for an Orchestrated Deployment
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on Azure
    4. Panorama Orchestrated Deployments in Azure
    5. Prepare for an Orchestrated Deployment
    Download PDF
    VM-Series

    Prepare for an Orchestrated Deployment

    Table of Contents

    Prepare for an Orchestrated Deployment

    Learn about the prerequisites to create an orchestrated deployment.
    Where Can I Use This?What Do I Need?
    • Microsoft Azure
    • Microsoft Azure Stack
    • Azure® Marketplace
    • Azure China Marketplace
    • Azure Government Marketplace
    • VM-Series License (PAYG or BYOL)
    • VM-Series plugin
    • Panorama
    • Panorama plugin for Azure
    Complete the following tasks before you orchestrate a VM-Series firewall on Azure.

    Configuration Prerequisites

    Complete the following basic tasks on Panorama and Azure.
    • Azure
      • Create a service principal to enable the plugin to make API calls.
      • Plan a CIDR block dedicated to VM-Series firewall Transit VNet. The plugin manages this CIDR block and uses it to deploy the initial firewall VNet and perform as future upgrades to new template stacks.
        The minimum CIDR range is /22.
    • Panorama
      • Ensure that you have a valid license API key configured on Panorama. This allows the plugin to manage to delicense on scale-in auto scaling events. See Install a License Deactivation API Key.
      • Install the latest version of the VM-Series plugin on Panorama to allow Application Insight configuration to be added to the template stack.
    • Qualified Azure Regions
      Panorama orchestrated deployments are supported in all regions that support the VM-Series firewall. The following regions have been qualified; if you deploy in an unlisted region and you encounter an issue, contact support.
      • West US
      • West US 2
      • North Central US
      • East US
      • East US 2
      • West Europe
      • Germany West Central
      • UAE North
      • West India
      • Australia Southeast
    While planning your deployment, please note that if you're currently running a Panorama plugin for Azure version 2.x, upgrading to the current version isn't allowed. Along with this, once the current version is installed, downgrading to a version 2.x plugin isn't allowed. See the Panorama plugin for Azure in the Compatibility Matrix.

    Orchestration Permissions

    There is a sample JSON file with permissions for the template Deployer role. In the AssignableScopes section, include all relevant subscriptions that must be queried, including the subscription into which the deployment is deployed and EVERY subscription containing an application VNET that is peered to the VM-Series firewall VNet where protected resources exist.
    {
    "Name": "Template Deployment",
    "IsCustom": true,
    "Description": "Manage template deployments.",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourcegroups/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/operationStatuses/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Network/publicIPPrefixes/write",
        "Microsoft.Network/publicIPPrefixes/read",
        "Microsoft.Network/publicIPPrefixes/delete",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/natGateways/write",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/natGateways/delete",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
        "Microsoft.Network/locations/serviceTags/read",
        "Microsoft.Network/applicationGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/delete",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/images/read",
        "Microsoft.insights/components/write",
        "Microsoft.insights/components/read",
        "Microsoft.insights/components/delete",
        "Microsoft.insights/autoscalesettings/write"
    ]
     "NotActions": [
    ],
     "AssignableScopes": [
        "/subscriptions/{deployment-subscription}",
        "/subscriptions/{app1-subscription}",
        "/subscriptions/{app2-subscription}",
        .
        .
        .
    ]
}

    Create a Custom Role and Associate It with an Active Directory

    1. To create an Active Directory in Azure, Navigate to Azure Active Directory and click on App Registrations on the left. Create a custom role using the permissions the plugin requires.
      An example JSON is included below.
      1. Click add and provide a name. Select the role created from the above JSON file, leave "Assign access to" as Active Directory user, and then select the Active Directory created in the first step and click Save.
      2. Select the type.
        Don't modify anything under Redirect URI.
    2. Create a custom role with the permissions the plugin requires.
      See Orchestration Permissions.
      1. Log in to the Azure CLI.
        az login
      2. Create a custom role from the file in Orchestration Permissions.
        az role definition create --role-definition <role-json-file>
    3. Associate the role with Active Directory you created in Step 1. You can use the console or the CLI.
      Repeat this step in every subscription defined in the assignableScope section of the custom role in Orchestration Permissions.
      Console
      1. On the Azure portal, navigate to Subscriptions and select your subscription.
      2. On the left select Access Control (IAM) and then Role Assignments on the top bar.
      3. Select Add and chose add role assignment.
        • Select the role created you created in Step 3 and leave "Assign access to" as Active Directory user.
        • Select the Active Directory created in Step 1 and click Save.
      CLI:
      In the following command, <role-name> refers to the name in the sample JSON file, in the earlier example, Template Deployment.
      az ad sp create-for-rbac --name <name-of-service-principal>
--role <role-name>
--output json

    Find Your Azure Directory Domain Name

    For the plugin to provide links to your Azure deployment and Application Insights instance in Azure Portal, you must identify the directory domain for your subscription, as shown below:

    © 2026 Palo Alto Networks, Inc. All rights reserved.