![]() |
|
Document:VM-Series Deployment Guide
About the VM-Series Firewall in Azure
Last Updated:
Fri May 01 17:28:13 PDT 2020
Current Version:
7.1 (EoL)
The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM-Series firewall in both the standard Azure public cloud and in the Azure Government Cloud environments. The VM-Series firewall in the Azure public marketplace supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option in the usage-based licensing model. In the Azure Government Marketplace and Azure China, the VM-Series firewall is available in the bring your own license (BYOL) option only. To deploy the VM-Series on Azure Government, use the BYOL workflow outlined in the
Deploy the VM-Series Firewall in Azure (Solution Template) . Azure China has a slightly different workflow that is outlined in
Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template) .
For licensing details, see
License Types—VM-Series Firewalls , and refer to the list of
supported Azure regions
in which you can deploy the VM-Series firewall.
The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.
The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace, have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.