To enable applications safely, block known and unknown threats, and to keep pace with changes in your environment, you can deploy the VM-Series firewall in vCloud Air with Layer 3 interfaces in the following ways:
Secure the virtual data center perimeter —Deploy the VM-Series firewall as a virtual machine that connects isolated and routed networks in vCloud Air. In this deployment the firewall secures all north-south traffic traversing the infrastructure in vCloud Air. Set up a hybrid cloud —Extend your data center and private cloud into vCloud Air and use a VPN connection to enable communication between the corporate network and the data center. In this deployment, the VM-Series firewall uses IPSec to encrypt traffic and secure users accessing the cloud. Secure traffic between application subnets in the vDC —To improve security, segment your network and isolate traffic by creating application tiers, and then deploy the VM-Series firewall to protect against lateral threats between subnets and application tiers.
The following illustration combines all three deployments scenarios and includes Panorama. Panorama streamlines policy updates, centralizes policy management, and provides centralized logging and reporting.

Related Documentation