>
    Strata Copilot
    Deploy the VM-Series Firewall on Azure Stack
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on Azure
    4. Deploy the VM-Series Firewall on Azure Stack
    Download PDF
    VM-Series

    Deploy the VM-Series Firewall on Azure Stack

    Table of Contents

    Deploy the VM-Series Firewall on Azure Stack

    Deploy the firewall to secure your workloads in your Azure Stack (on-premises) implementation and shift into the public Azure cloud as needed.
    Where Can I Use This?What Do I Need?
    • Microsoft Azure
    • Microsoft Azure Stack
    • Azure® Marketplace
    • Azure China Marketplace
    • Azure Government Marketplace
    • VM-Series License (PAYG or BYOL)
    • VM-Series plugin
    • Panorama
    • Panorama plugin for Azure
    You can deploy the VM-Series firewall on Azure Stack to secure inter-subnet traffic between applications in a multi-tier architecture and outbound traffic from servers within your Azure Stack deployment. If you want to use the VM-Series firewall as a gateway that secures inbound traffic destined to the servers within your Azure Stack deployment, you must deploy a NAT appliance in front of the firewall that receives inbound traffic and forwards it to the firewall. The NAT appliance is required because on Azure Stack you can't assign a public IP address to a non-primary interface of a virtual machine, such as the VM-Series firewall.
    The VM-Series firewall on Azure stack does not have support for bootstrapping, Azure Application Insights, or the Azure Security Center integration.
    Unlike on public Azure, you don't have a solution template to deploy the VM-Series firewall on Azure Stack. Therefore, you must use an ARM template to deploy the VM-Series firewall. To get started, you can use the community supported sample ARM template on GitHub, and then develop your own ARM template for production deployments.
    1. Download marketplace items from Azure to AzureStack.
      To deploy the VM-Series firewall on Azure Stack, you need access to the BYOL offer of the VM-Series firewall PAN-OS image (8.1 or later). You can download the image directly from the Azure Marketplace to Azure Stack in a connected deployment.
    2. Access the Azure Stack portal.
      Your Azure Stack operator (either a service provider or an administrator in your organization), should provide the correct URL to access the portal.
    3. Deploy the VM-Series firewall.
      A solution template for the VM-Series firewall isn't available on Azure Stack. Therefore, you must reference the image that you downloaded in the previous step, in an ARM template to deploy the VM-Series firewall. To get started, you can deploy the sample ARM template that’s available on GitHub under the community-supported policy:
      1. Get the sample Azure Stack GitHub template.
        • Select azurestackdeploy.json to view the contents.
        • Click Raw and copy the contents of the JSON file.
      2. Deploy the sample GitHub template.
        You can deploy the firewall in an existing resource group that’s empty or into a new resource group. The default VNet in the template is 192.168.0.0/16, and it deploys a VM-Series firewall has three network interfaces, one management interface on 192.168.0.0/24 subnet and two dataplane interfaces on 192.168.1.0/24 and 192.168.2.0/24 subnets. You can customize these subnets to match your needs.
        • Log in to the Azure Stack portal.
        • Select NewCustomTemplate deployment.
        • Edit template, delete all existing content in the template, and paste the JSON template contents you copied earlier andSave.
        • Edit parameters, enter the values for the required parameters and modify the defaults if you need to, then click OK.
        • Choose the Subscription you want to use, and then click OK.
        • Choose an existing Resource Group that’s empty or create a new one, and click OK.
        • Click Create. A new tile on the dashboard displays the progress of the template deployment.
    4. Next Steps:
      1. Log in to the web interface of the firewall.
        Using a secure connection (HTTPS) from your web browser, log in to the DNS name for the firewall. Enter the username/password you defined earlier. You will see a certificate warning; that’s okay. Continue to the webpage.
      2. Activate the license on the VM-Series firewall.
        1. Create a Support Account and Register the VM-Series Firewall (with Auth Code).
        2. On the firewall web interface, select DeviceLicenses and select Activate feature using authentication code.
        3. Enter the capacity auth code that you registered on the support portal. The firewall will connect to the update server (updates.paloaltonetworks.com), and download the license and reboot automatically.
        4. Log back in to the web interface on the Dashboard, confirm that a valid Serial# displays.
          The VM Mode displays as Microsoft Azure.
          If the term Unknown displays, it means the device isn't licensed. To view traffic logs on the firewall, you must install a valid capacity license.
    5. Deploy the VM-Series firewall using an Azure Solution Template.

    © 2026 Palo Alto Networks, Inc. All rights reserved.