Panorama Orchestrated Deployments in Azure
Use the Panorama plugin for Azure to orchestrate VM-Series
firewall deployments in Azure and enable security policies for managed
firewalls.
| Where Can I Use This? | What Do I Need? |
|---|---|
| Microsoft Azure<br>Microsoft Azure Stack<br>Azure® Marketplace<br>Azure China Marketplace<br>Azure Government Marketplace | VM-Series License (PAYG or BYOL)<br>VM-Series plugin<br>Panorama<br>Panorama plugin for Azure |
The Panorama plugin for Azure centrally deploys, configures,
and monitors your security posture in Azure cloud. It orchestrates
VM-Series deployments in your Azure network so that you can enable
security policies for managed firewalls. The plugin links to your
Azure ARM deployment and Azure Monitor pages, providing visibility
into the deployment status, usage, and performance of your VM-Series
firewalls.
In Azure, the plugin orchestrates the deployment of Azure resources such as load balancers,
subnets, and NAT gateways as well as VM-Series firewall autoscaling sets.
In Panorama the plugin automatically configures Panorama device groups, template stacks,
and NAT policies. It reads the tags from your Azure resources, then centrally enables
tag-based policies on a group of firewalls.
The Panorama plugin can orchestrate deployments in one or more
regions in your Azure environment. A deployment can consist of a
hub stack or an inbound stack or both, depending on the traffic
that needs to be secured for your deployment:
You can configure the number of firewalls in each stack, either
as a fixed number of firewalls in your deployment or as a range
for the VMSS to use for scaling. Both stacks in the deployment
create a VMSS of VM-Series firewalls, and each stack can scale
up to as many as 25 firewalls.
Hub Stack
A deployment's hub stack uses the Azure Internal Standard Load Balancer (with HA
ports) to scale and load balance across a set of firewalls. You can then use the
Standard Load Balancer's private IP address (2, "Hub/Egress Private IP" in the
following figure) as the next hop to route traffic to the firewalls for inspection and
threat prevention. The hub stack secures your applications' outbound and east-west traffic.
To protect your outbound traffic and east-west traffic, add route rules in your application VNETs
to redirect traffic to the hub stack for inspection.
Inbound Stack
An inbound firewall stack scales independently and adds visibility
and security to your applications' inbound traffic.
Each inbound stack can secure up to 10 applications.
To protect your inbound HTTP traffic, add UDRs in the Application Gateway’s subnet route tables
to route all traffic to the Inbound stack (3, Ingress Private IP in the following
figure). To protect the non-HTTP inbound traffic, use the Panorama plugin to create
frontend entries for your application endpoints (4, Ingress Public IP frontends
in the following figure). To enable inspection, the Panorama plugin automatically
creates load balancer rules on the Azure Public Standard Load Balancer and NAT rules on
the firewalls.
If you only have HTTP/HTTPS inbound traffic you can leave out
the Inbound stack and protect that traffic with just the hub stack.
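The customer-side routing both sections above describe (application VNET routes to the hub stack's private IP, and Application Gateway subnet routes to the inbound stack's private IP), written as an added Terraform example that is not part of the Palo Alto Networks documentation or the plugin's own output. It assumes `azurerm_subnet.app` and `azurerm_subnet.appgw` are defined elsewhere in the same configuration; every address, CIDR and name is a constructed placeholder to be replaced with the values the plugin shows for your deployment.

```hcl
# Added example (not PAN docs); azurerm_subnet.app/appgw assumed defined elsewhere; values are placeholders.
locals {
  resource_group_name    = "rg-app"        # constructed placeholder
  location               = "eastus"
  hub_ilb_private_ip     = "10.100.1.4"    # hub stack ILB frontend ("Hub/Egress Private IP")
  inbound_ilb_private_ip = "10.100.2.4"    # inbound stack ILB frontend ("Ingress Private IP")
  app_backend_cidr       = "10.1.1.0/24"   # subnet hosting the application backends
  peer_spoke_cidr        = "10.2.0.0/16"   # another application VNET (east-west peer)
}
# Hub stack: the application subnet sends outbound (0.0.0.0/0) and east-west
# traffic to the hub firewalls via the Internal Standard Load Balancer (HA ports).
resource "azurerm_route_table" "app_via_hub" {
  name                = "rt-app-via-hub"
  location            = local.location
  resource_group_name = local.resource_group_name
  route {
    name                   = "outbound-via-hub-fw"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = local.hub_ilb_private_ip
  }
  route {
    name                   = "east-west-via-hub-fw"
    address_prefix         = local.peer_spoke_cidr
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = local.hub_ilb_private_ip
  }
}
resource "azurerm_subnet_route_table_association" "app" {
  subnet_id      = azurerm_subnet.app.id
  route_table_id = azurerm_route_table.app_via_hub.id
}
# Inbound stack: the Application Gateway subnet sends backend-bound HTTP(S) traffic
# through the inbound firewalls. The route is scoped to the backend prefix because
# Azure does not support a 0.0.0.0/0 UDR on an Application Gateway v2 subnet.
resource "azurerm_route_table" "appgw_via_inbound" {
  name                = "rt-appgw-via-inbound"
  location            = local.location
  resource_group_name = local.resource_group_name
  route {
    name                   = "backend-via-inbound-fw"
    address_prefix         = local.app_backend_cidr
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = local.inbound_ilb_private_ip
  }
}
resource "azurerm_subnet_route_table_association" "appgw" {
  subnet_id      = azurerm_subnet.appgw.id
  route_table_id = azurerm_route_table.appgw_via_inbound.id
}
```

After applying, verify the effective routes on an application VM's NIC (for example with `az network nic show-effective-route-table`) to confirm the next hop is the load balancer's private IP and not the default Internet route.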