About the VM-Series Firewall in Azure
The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM-Series firewall in both the standard Azure public cloud and in the Azure Government Cloud environments. The VM-Series firewall in the Azure public marketplace supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option in the usage-based licensing model. In the Azure Government Marketplace and Azure China, the VM-Series firewall is available in the bring your own license (BYOL) option only. To deploy the VM-Series on Azure Government, use the BYOL workflow outlined in the Deploy the VM-Series Firewall in Azure (Solution Template). Azure China has a slightly different workflow that is outlined in Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template).
For licensing details, see License Types—VM-Series Firewalls, and refer to the list of supported Azure regions in which you can deploy the VM-Series firewall.
Azure DoD is a special region that offers a higher level of security classification than Azure Government. The VM-Series firewall is not supported on Azure DoD regions.
Azure Networking and VM-Series
The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.
In Azure, UDRs apply to traffic leaving a subnet only. You cannot create user defined routes to specify how traffic comes into a subnet from the Internet, or to route traffic between virtual machines within the same subnet. For documentation on Microsoft Azure, refer to https://azure.microsoft.com/en-us/documentation/.
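As an added example (not a Palo Alto Networks template and not code from this page), the ARM template fragment below builds the UDR table described above for the two-tier web/DB case: every route leaving the web subnet, whether bound for the DB subnet or for the Internet, has its next hop set to the firewall's trust interface, and the table is associated with the web subnet. The VNet name, the web and DB subnet prefixes, and the firewall trust-interface address are assumptions; the firewall subnets themselves follow the default 192.168.x.0/24 layout from the Marketplace template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName": { "type": "string", "defaultValue": "vmseries-vnet",
      "metadata": { "description": "Assumed name of the existing VNet" } },
    "fwTrustIp": { "type": "string", "defaultValue": "192.168.2.4",
      "metadata": { "description": "Assumed private IP of the firewall trust NIC (in the 192.168.2.0/24 trust subnet)" } },
    "webSubnetPrefix": { "type": "string", "defaultValue": "192.168.10.0/24",
      "metadata": { "description": "Assumed web-tier subnet prefix" } },
    "dbSubnetPrefix": { "type": "string", "defaultValue": "192.168.20.0/24",
      "metadata": { "description": "Assumed database-tier subnet prefix" } }
  },
  "variables": {
    "rtName": "web-subnet-via-vmseries",
    "rtId": "[resourceId('Microsoft.Network/routeTables', variables('rtName'))]"
  },
  "resources": [
    {
      "comments": "UDR table: traffic leaving the web subnet is sent to the firewall instead of following the VNet system routes",
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2017-10-01",
      "name": "[variables('rtName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "routes": [
          { "name": "to-db-tier-via-fw",
            "properties": { "addressPrefix": "[parameters('dbSubnetPrefix')]",
              "nextHopType": "VirtualAppliance", "nextHopIpAddress": "[parameters('fwTrustIp')]" } },
          { "name": "to-internet-via-fw",
            "properties": { "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance", "nextHopIpAddress": "[parameters('fwTrustIp')]" } }
        ]
      }
    },
    {
      "comments": "Associate the table with the web subnet (child resource of the existing VNet); UDRs only affect traffic leaving this subnet",
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2017-10-01",
      "name": "[concat(parameters('vnetName'), '/web')]",
      "dependsOn": [ "[variables('rtId')]" ],
      "properties": {
        "addressPrefix": "[parameters('webSubnetPrefix')]",
        "routeTable": { "id": "[variables('rtId')]" }
      }
    }
  ]
}
```

Because UDRs act only on traffic leaving a subnet, the DB subnet needs its own table with a route for the web prefix back to the same firewall interface; without it the return path follows the system routes and the stateful firewall sees only one direction of each session.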
The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.
VM-Series Firewall Templates in Azure
You can deploy the VM-Series firewall in Azure using templates. Palo Alto Networks provides two kinds of templates:
Solution Templates in the Azure Marketplace—The solution templates that are available in the Azure Marketplace allow you to deploy the VM-Series firewall using the Azure portal. You can use an existing resource group and storage account (or create new ones) to deploy the VM-Series firewall with the following default settings for all regions except Azure China:
- VNet CIDR 192.168.0.0/16; you can customize the CIDR to a different private IP address range.
- Three subnets: 192.168.0.0/24 (management), 192.168.1.0/24 (untrust), 192.168.2.0/24 (trust). If you customize the VNet CIDR, the subnet ranges map to your changes.
- Three network interfaces, one in each subnet.
ARM Templates in the GitHub Repository—In addition to Marketplace-based deployments, Palo Alto Networks provides Azure Resource Manager templates in the GitHub repository to simplify the process of deploying the VM-Series firewall in Azure. The ARM template includes two JSON files (a Template file and a Parameters file) to help you deploy and provision all the resources within the VNet in a single, coordinated operation.
If you want to use the Azure CLI to locate all the images available from Palo Alto Networks, you need the following details to complete the command (show vm-image list):
- Publisher: paloaltonetworks
- Offer: vmseries1
- SKU: byol, bundle1, bundle2
- Version: 7.1.1 or latest
Minimum System Requirements for the VM-Series in Azure
You must deploy the VM-Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management based deployments) is not supported. The VM-Series firewall in Azure must meet the following requirements:
- Azure VMs of the following types: Standard_D3 (default), Standard_D3_v2, Standard_D4, Standard_D4_v2, Standard_A4.
- Four or eight CPU cores to deploy the firewall; the management plane uses only one CPU core, and the additional cores are assigned to the dataplane.
- Up to three network interfaces (NICs). A primary interface is required for management access, and up to two interfaces are used for data traffic.
On Azure, because a virtual machine does not require a network interface in each subnet, you can set up the VM-Series firewall with just three network interfaces. To create zone-based policy rules on the firewall, in addition to the management interface, you need at least two dataplane interfaces so that you can assign one dataplane interface to the trust zone, and the other dataplane interface to the untrust zone.
Because the Azure VNet is a Layer 3 network, the VM-Series firewall in Azure supports Layer 3 interfaces only.
- Minimum of 4GB of memory for all models except the VM-1000-HV, which needs 5GB. Any additional memory is used by the management plane only.
- Minimum of 40GB of virtual disk space. You can add 40GB to 8TB of additional disk space for logging. The VM-Series firewall does not use the temporary disk that Azure provides.
The VM-Series firewall in Azure does not support a high availability configuration; native VM Monitoring capabilities for virtual machines that are hosted in Azure are also not available.