About the VM-Series Firewall in Azure

The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM-Series firewall in both the standard Azure public cloud and in the Azure Government Cloud environments. The VM-Series firewall in the Azure public marketplace supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option in the usage-based licensing model. In the Azure Government Marketplace and Azure China, the VM-Series firewall is available in the bring your own license (BYOL) option only. To deploy the VM-Series on Azure Government, use the BYOL workflow outlined in the Deploy the VM-Series Firewall in Azure (Solution Template). Azure China has a slightly different workflow that is outlined in Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template).

For licensing details, see License Types—VM-Series Firewalls, and refer to the list of supported Azure regions in which you can deploy the VM-Series firewall.

The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.

The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace, have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.

You can deploy the VM-Series firewall in Azure using templates. Palo Alto Networks provides two kinds of templates:

You must deploy the VM-Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management based deployments) is not supported. The VM-Series firewall in Azure must meet the following requirements:

The VM-Series firewall in Azure does not support a high availability configuration; native VM Monitoring capabilities for virtual machines that are hosted in Azure is also not available.