You can deploy the VM-Series firewall in a virtual data
center (vDC) on VMware vCloud Air using the vCloud Air portal or
the vCloud Director portal. To centrally manage all your
physical and VM-Series firewalls, you can use an existing Panorama
or deploy a new Panorama on premises or on vCloud Air.

The VM-Series firewall on vCloud Air requires the following:

To deploy the VM-Series firewall efficiently,
include the firewall software image in a vApp. A vApp is a container
for preconfigured virtual appliances (virtual machines and operating
system images) that is managed as a single object. For example,
if your vApp includes a set of multi-tiered applications and the
VM-Series firewall, each time you deploy the vApp, the VM-Series
firewall automatically secures the web server and database server
that get deployed with the vApp.

Licenses and subscriptions purchased from a partner, a reseller,
or directly from Palo Alto Networks under the Bring Your Own License
(BYOL) model. Usage-based licensing for the VM-Series on vCloud
Air is not available.

Due to the security restrictions imposed on vCloud Air, the
VM-Series firewall on vCloud Air is best deployed with Layer 3 interfaces,
and the interfaces must be enabled to use the hypervisor-assigned
MAC address. If you do not enable the hypervisor-assigned MAC address,
the VMware vSwitch cannot forward traffic to the dataplane interfaces
on the VM-Series firewall because the vSwitch on vCloud Air does
not support promiscuous mode or MAC forged transmits. The VM-Series
firewall cannot be deployed with tap interfaces, Layer 2 interfaces,
or virtual wire interfaces.
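
One way to check an exported firewall configuration against the interface restriction above before deploying to vCloud Air. This is an added example, not Palo Alto Networks code: the sample XML is constructed, its element layout is an assumption modeled on a PAN-OS configuration export, and the function names are hypothetical. It checks interface modes only, not the hypervisor-assigned MAC address setting.

```python
import xml.etree.ElementTree as ET

# Interface modes the page says cannot be used on vCloud Air,
# mapped from the (assumed) config element name to a readable label.
UNSUPPORTED = {"tap": "tap", "layer2": "Layer 2", "virtual-wire": "virtual wire"}

# Constructed sample config; layout is an assumption, not real export output.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><ip><entry name="10.0.1.5/24"/></ip></layer3></entry>
  <entry name="ethernet1/2"><virtual-wire/></entry>
  <entry name="ethernet1/3"><tap/></entry>
  <entry name="ethernet1/4"><layer2/></entry>
  <entry name="ethernet1/5"/>
</ethernet></interface></network></entry></devices></config>
"""


def audit_interfaces(config_xml):
    """Return (name, mode, ok) for every ethernet interface in the config.

    mode is 'layer3', one of the UNSUPPORTED keys, or 'unset' when the
    interface has no mode configured. ok is False only for modes that the
    vCloud Air vSwitch cannot serve (no promiscuous mode, no forged transmits).
    """
    root = ET.fromstring(config_xml)
    report = []
    # Only direct children of <ethernet> are interfaces; nested <entry>
    # elements (for example IP addresses under <layer3>) are skipped.
    for entry in root.findall(".//network/interface/ethernet/entry"):
        name = entry.get("name", "<unnamed>")
        mode = next(
            (c.tag for c in entry if c.tag == "layer3" or c.tag in UNSUPPORTED),
            "unset",
        )
        report.append((name, mode, mode not in UNSUPPORTED))
    return report


def violations(config_xml):
    """Return (name, readable mode) for interfaces that must be reconfigured."""
    return [(n, UNSUPPORTED[m]) for n, m, ok in audit_interfaces(config_xml) if not ok]


if __name__ == "__main__":
    for name, mode, ok in audit_interfaces(SAMPLE_CONFIG):
        print(f"{name:12} {mode:13} {'ok' if ok else 'NOT SUPPORTED on vCloud Air'}")
```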

The VM-Series firewall on vCloud Air can be deployed in an active/passive
high availability configuration. However, the VM-Series firewall
on vCloud Air does not support VM Monitoring capabilities for virtual
machines that are hosted on vCloud Air.

To learn all about vCloud Air, refer to the VMware vCloud Air documentation.