Microsoft Azure allows you to deploy a virtual network in the cloud so that you can deploy a private cloud solution or you can extend the on-premises IT infrastructure to create a hybrid or cross-premises solution. The VM-Series firewall in Azure must be deployed in a virtual network (VNet) using the Azure Resource Manager (ARM) deployment mode only; the classic mode (Service Management-based deployments) is not supported. The VM-Series firewall in Azure must be of the Standard tier and any of the following types—A4, D3, D3_v2, D4 and D4_v2—that meet the
minimum system requirements. Because the Azure VNet is a Layer 3 network, the VM-Series firewall in Azure supports only Layer 3 interfaces. The VM-Series firewall in Azure supports the Bring Your Own License (BYOL) model and the usage-based licensing (PAYG) model.
You can deploy a VM-Series firewall in Azure to function as a VNet gateway that secures traffic destined to the servers in the VNet, as a VPN termination point to securely extend your physical data center to the Azure private cloud into Azure, or to set up an IPSec tunnel for traffic between two Azure VNets. You can also deploy the VM-Series firewall to function as a GlobalProtect gateway and portal to safely enable your mobile users with consistent security policy when they are not on the corporate network.
To deploy the VM-Series firewall, Palo Alto Networks provides an solution template in the Azure Marketplace and a customizable ARM template in the Palo Alto Networks GitHub repository. The ARM template includes two JSON files (a Template File and a Parameters File) to help you deploy the firewall. For more information, see the
VM-Series Deployment Guide.