Use the Panorama plugin for Azure to orchestrate VM-Series
firewall deployments in Azure and enable security policies for managed
firewalls.
The Panorama plugin for Azure centrally deploys, configures,
and monitors your security posture in the Azure cloud. It orchestrates
VM-Series deployments in your Azure network so that you can enable
security policies for managed firewalls. The plugin links to your
Azure ARM deployment and Azure Monitor pages, providing visibility
into the deployment status, usage, and performance of your VM-Series
firewalls.
In Azure, the plugin orchestrates the deployment of Azure resources
such as load balancers, subnets, and NAT gateways, as well as VM-Series
firewall virtual machine scale sets (VMSS). In Panorama, the plugin
automatically configures device groups, template stacks, and NAT
policies. It reads the tags from your Azure resources, then centrally
enables tag-based policies on a group of firewalls.
The Panorama plugin can orchestrate deployments in one or more
regions in your Azure environment. A deployment can consist of a
Hub stack, an Inbound stack, or both, depending on the traffic
that needs to be secured in your deployment:
The Hub stack protects outbound traffic and East-West traffic
between your application workloads.
The Inbound stack secures traffic to and from your public-facing
applications.
You can configure the number of firewalls in each stack, either as
a static number of firewalls or as a range for the VMSS to use when
scaling. Each stack in the deployment creates a VMSS of VM-Series
firewalls, and each stack can scale to as many as 25 firewalls.
A deployment uses a Hub stack and leverages the Azure internal
Standard Load Balancer (with HA ports) to scale and load balance
across a set of firewalls. You can then use the Standard Load Balancer's
private IP address ("Hub/Egress Private IP" in the following
figure) to route traffic to the firewalls for inspection and threat
prevention. The Hub stack secures your applications' outbound and
East-West traffic.
To protect your outbound traffic and East-West traffic, add route
rules in your application VNETs to redirect traffic to the Hub stack.
An Inbound firewall stack scales independently and adds visibility
and security to your applications' inbound traffic.
Each Inbound stack can secure up to 10 applications.
To protect your inbound HTTP traffic, add UDRs in the Application
Gateway's subnet route tables to route all traffic to the Inbound
stack ("Ingress Private IP" in the following figure). To
protect non-HTTP inbound traffic, use the Panorama plugin to
create front-end entries for your application endpoints ("Ingress
Public IP Front Ends" in the following figure). To enable
inspection, the Panorama plugin automatically creates load balancer
rules on the Azure public Standard Load Balancer and NAT rules on
the firewalls.
If you only have HTTP/HTTPS inbound traffic, you can leave out
the Inbound stack and protect that traffic with just the Hub stack.
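The two route-table steps above (application VNET UDRs pointing at the Hub/Egress Private IP, and Application Gateway subnet UDRs pointing at the Ingress Private IP) are the part of this design that operators build by hand, and a route that still sends traffic straight to the Internet silently defeats the whole stack. The following is an added example, not code from the Palo Alto Networks documentation or from the plugin itself: it builds the UDR entries for both designs in the field layout Azure uses for route resources, and audits an exported route table for routes that bypass the firewall load balancer. All IP addresses and VNET names are constructed for illustration; in a real deployment the load balancer private IPs come from the plugin's deployment output.

```python
from ipaddress import ip_network

# Constructed values for this example; real deployments take these from the
# plugin's deployment output and the application VNET address spaces.
HUB_EGRESS_PRIVATE_IP = "10.0.1.4"   # Hub stack internal Standard LB private IP
INGRESS_PRIVATE_IP = "10.0.2.4"      # Inbound stack internal LB private IP
APP_SUBNETS = {                      # application (spoke) VNET address spaces
    "app-a": "10.1.0.0/16",
    "app-b": "10.2.0.0/16",
}


def _route(name, prefix, next_hop_ip):
    # Mirrors the fields of an Azure route resource: traffic matching
    # addressPrefix is sent to the firewall load balancer as a
    # VirtualAppliance next hop.
    return {
        "name": name,
        "addressPrefix": str(ip_network(prefix)),
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": next_hop_ip,
    }


def hub_routes(app_subnets, hub_ip=HUB_EGRESS_PRIVATE_IP):
    """Build one route table per application VNET for the Hub stack design.

    Each table carries a default route (outbound traffic) plus one route per
    other spoke (East-West traffic). The explicit spoke routes are needed
    because Azure selects routes by longest prefix match, so a 0.0.0.0/0 UDR
    alone does not override the more specific VNET peering system routes.
    """
    tables = {}
    for name in app_subnets:
        routes = [_route("outbound-via-hub", "0.0.0.0/0", hub_ip)]
        for other, other_cidr in app_subnets.items():
            if other != name:
                routes.append(_route(f"to-{other}-via-hub", other_cidr, hub_ip))
        tables[name] = routes
    return tables


def appgw_routes(ingress_ip=INGRESS_PRIVATE_IP):
    """Route table for the Application Gateway subnet: everything to the Inbound stack."""
    return [_route("inbound-via-firewall", "0.0.0.0/0", ingress_ip)]


def find_bypasses(routes, expected_hop):
    """Audit a route table and return every route that does not hand traffic to
    the firewall stack's load balancer, e.g. a leftover 0.0.0.0/0 -> Internet
    route that would let traffic skip inspection."""
    return [
        r for r in routes
        if r.get("nextHopType") != "VirtualAppliance"
        or r.get("nextHopIpAddress") != expected_hop
    ]


if __name__ == "__main__":
    import json
    for vnet, routes in hub_routes(APP_SUBNETS).items():
        print(f"route table for {vnet}:")
        print(json.dumps(routes, indent=2))
    print(json.dumps(appgw_routes(), indent=2))
    # Constructed export of a route table that still carries a direct Internet route.
    exported = hub_routes(APP_SUBNETS)["app-b"] + [
        {"name": "legacy-internet", "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}
    ]
    for bad in find_bypasses(exported, HUB_EGRESS_PRIVATE_IP):
        print("bypasses inspection:", bad["name"])
```

The dictionaries use the same `name`, `addressPrefix`, `nextHopType` and `nextHopIpAddress` keys that `az network route-table route list` returns, so `find_bypasses` can be run directly over that command's JSON output for a deployed route table; run it against the Hub/Egress Private IP for application VNET tables and against the Ingress Private IP for the Application Gateway subnet table.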