There are multiple deployment models available with Cloud NGFW for Azure. The right model depends on the use case and requirements. You can use the native NGFW deployment method when you subscribe to Cloud NGFW via the Azure portal to procure a tenant. You can then deploy the Cloud NGFW resource for your VPCs using the Cloud NGFW console. These resources come with built-in resilience, scalability and life cycle management. Once you create the resource, you can author security policy rules using native policy management (rulestacks) or using Panorama or Strata Cloud Manager policy management.

For policy management, use Panorama to link your Cloud NGFW tenant with a Panorama appliance to author and manage policy rules for your Cloud NGFW resources. You'll use Panorama to author security rules on cloud device groups; the policy you author in the Panorama cloud device group manifests as global rulestacks in your Cloud NGFW tenant. In addition to Panorama, you can use Strata Cloud Manager for policy management. Strata Cloud Manager provides unified management for your entire network security deployment, which allows you to easily manage your Palo Alto Networks security infrastructure from a single, streamlined web interface. With this interface you gain comprehensive visibility into users, branch sites, applications, and threats across all network security enforcement points.

You can then use these Cloud NGFW for Azure resources to secure your Internet Ingress, Internet Egress, and lateral traffic traversing the hub virtual network or a virtual WAN hub. For a detailed traffic protection illustration, refer to Cloud NGFW for Azure deployment architectures.

For additional information, refer to the following pages:

• Cloud NGFW for Azure deployment behind Azure Application Gateway
• Configure Palo Alto Networks Cloud NGFW in Virtual WAN