VM-Series Firewall on vCloud Air
Learn how to deploy the VM-Series in vCloud Air.
You can deploy the VM-Series firewall in a virtual data center (vDC) on
VMware vCloud Air using the vCloud Air portal, the vCloud Director portal,
or the vCloud Air API. To centrally manage all your physical and VM-Series
firewalls, you can use an existing Panorama or deploy a new Panorama on
premises or on vCloud Air.
The VM-Series firewall on vCloud Air requires the following:
To efficiently deploy the VM-Series firewall, include the firewall software image
in a vApp. A vApp is a container for preconfigured virtual appliances (virtual
machines and operating system images) that is managed as a single object. For
example, if your vApp includes a set of multitiered applications and the
VM-Series firewall, each time you deploy the vApp, the VM-Series firewall
automatically secures the web server and database server that get deployed with
the vApp.
Licenses and subscriptions are purchased from a partner, reseller, or directly
from Palo Alto Networks under the Bring Your Own License (BYOL) model;
usage-based licensing for the VM-Series on vCloud Air isn’t available.
Due to the security restrictions imposed on vCloud Air, the VM-Series firewall on
vCloud Air is best deployed with Layer 3 interfaces, and the interfaces must be
enabled to use the hypervisor-assigned MAC address. If you don’t enable the
hypervisor-assigned MAC address, the VMware vSwitch can’t forward traffic to the
dataplane interfaces on the VM-Series firewall because the vSwitch on vCloud Air
does not support promiscuous mode or MAC forged transmits. The VM-Series
firewall can’t be deployed with tap interfaces, Layer 2 interfaces, or virtual
wire interfaces.
The VM-Series firewall on vCloud Air can be deployed in an active/passive high
availability configuration. However, the VM-Series firewall on vCloud Air does not
support VM Monitoring capabilities for virtual machines that are hosted on vCloud
Air.
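The interface restrictions above can be checked before deployment. The following is an added example, not Palo Alto Networks code: a Python check over an exported PAN-OS configuration that flags ethernet interfaces set to tap, Layer 2, or virtual wire. The sample XML is constructed, and the hypervisor-assigned MAC state is supplied by the caller as an assumption rather than read from the configuration.

```python
import xml.etree.ElementTree as ET

# Interface modes the page says cannot be used on vCloud Air.
UNSUPPORTED_MODES = {"tap", "layer2", "virtual-wire"}

# Constructed sample: only the ethernet subtree of an exported configuration.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><ip><entry name="10.0.1.5/24"/></ip></layer3></entry>
  <entry name="ethernet1/2"><virtual-wire/></entry>
  <entry name="ethernet1/3"><tap/></entry>
  <entry name="ethernet1/4"/>
</ethernet></interface></network></entry></devices></config>
"""


def check_vcloud_air_interfaces(config_xml, hypervisor_mac_enabled):
    """Return (interface, problem) findings; an empty list means no violations."""
    findings = []
    root = ET.fromstring(config_xml)
    # Only direct <entry> children of <ethernet> are interfaces; nested
    # <entry> elements (for example IP addresses) are not matched.
    for eth in root.iterfind(".//network/interface/ethernet/entry"):
        name = eth.get("name")
        modes = {child.tag for child in eth}
        for mode in sorted(modes & UNSUPPORTED_MODES):
            findings.append((name, f"{mode} mode is not supported on vCloud Air"))
        # Assumption: the caller has confirmed the device-wide setting separately.
        if "layer3" in modes and not hypervisor_mac_enabled:
            findings.append(
                (name, "Layer 3 interface will not receive traffic until "
                       "hypervisor-assigned MAC address is enabled"))
    return findings


if __name__ == "__main__":
    for iface, problem in check_vcloud_air_interfaces(SAMPLE_CONFIG, False):
        print(f"{iface}: {problem}")
```

Unconfigured interfaces (such as ethernet1/4 in the sample) produce no finding, since they carry no traffic until a mode is assigned.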
To learn all about vCloud Air, refer to the VMware
vCloud Air documentation.
Deployments Supported on vCloud Air
To enable applications safely, block known and unknown threats, and keep pace with
changes in your environment, you can deploy the VM-Series firewall on vCloud Air
with Layer 3 interfaces in the following ways:
Secure the virtual data center perimeter—Deploy the VM-Series firewall
as a virtual machine that connects isolated and routed networks on vCloud
Air. In this deployment the firewall secures all north-south traffic
traversing the infrastructure on vCloud Air.
Set up a hybrid cloud—Extend your data center and private cloud into
vCloud Air and use a VPN connection to enable communication between the
corporate network and the data center. In this deployment, the VM-Series
firewall uses IPSec to encrypt traffic and secure users accessing the
cloud.
Secure traffic between application subnets in the vDC—To improve
security, segment your network and isolate traffic by creating application
tiers, and then deploy the VM-Series firewall to protect against lateral
threats between subnets and application tiers.
The following illustration combines all three deployment scenarios and includes
Panorama. Panorama streamlines policy updates, centralizes policy management, and
provides centralized logging and reporting.