VM-Series Firewall in Microsoft Azure
Microsoft Azure allows you to deploy a virtual network in the cloud so that you can deploy a private cloud solution or you can extend the on-premises IT infrastructure to create a hybrid or cross-premises solution. The VM-Series firewall in Azure must be deployed in a virtual network (VNet) using the Azure Resource Manager (ARM) deployment mode only; the classic mode (Service Management-based deployments) is not supported. The VM-Series firewall in Azure must be of the Standard tier and any of the following types—A4, D3, D3_v2, D4 and D4_v2—that meet the minimum system requirements. Because the Azure VNet is a Layer 3 network, the VM-Series firewall in Azure supports only Layer 3 interfaces. The VM-Series firewall in Azure supports the Bring Your Own License (BYOL) model and the usage-based licensing (PAYG) model.
The VM-Series firewall (PAN-OS 7.1.1) is available on Azure Government, and the Azure Government Marketplace offers the BYOL option only. To deploy the VM-Series firewall on Azure Government, you will follow the same steps for BYOL deployments that are outlined in the documentation.
You can deploy a VM-Series firewall in Azure to function as a VNet gateway that secures traffic destined to the servers in the VNet, as a VPN termination point to securely extend your physical data center to the Azure private cloud into Azure, or to set up an IPSec tunnel for traffic between two Azure VNets. You can also deploy the VM-Series firewall to function as a GlobalProtect gateway and portal to safely enable your mobile users with consistent security policy when they are not on the corporate network.
To deploy the VM-Series firewall, Palo Alto Networks provides an solution template in the Azure Marketplace and a customizable ARM template in the Palo Alto Networks GitHub repository. The ARM template includes two JSON files (a Template File and a Parameters File) to help you deploy the firewall. For more information, see the VM-Series Deployment Guide.
The VM-Series firewall in Azure does not support native VM Monitoring capabilities for virtual machines that are hosted in Azure. VM-Series high availability configuration is not supported either; use the integration with Azure Gateway and Load balancer to address availability requirements for web facing applications.

Related Documentation