Panorama Orchestrated Azure Deployments Now in Beta



L5 Sessionator



Panorama Orchestrated Azure Deployments

We are excited to announce the beta availability of “Panorama Orchestrated VM-Series Deployments” in your Azure environment. The Panorama orchestrated deployment method leverages the ability of Panorama to centrally manage firewalls while also providing a centralized location to enable the deployment of the VM-Series in your Azure networks.

With this feature, Palo Alto Networks offers a Panorama console that eases the deployment of Palo Alto Networks virtual firewalls that scale dynamically based on your traffic needs. With this console feature, you can easily build and operate the firewall deployments and integrate them with your Azure cloud networks. You no longer need to operate complex templates to deploy firewalls to protect your cloud workloads. You can now use the workflow offered by the console to build and manage scalable firewall deployments without facing a steep learning curve on Azure networking constructs.


Understanding Panorama Orchestration in Azure Deployments 


With this feature, you can use Panorama to enable one or two autoscaling firewall deployments. The "Hub firewall" deployment allows you to protect the outbound traffic and east-west traffic of your application workloads. The additional "Inbound firewall" deployment allows you to protect the inbound traffic to your applications. This feature allows you to deploy the Hub and Inbound firewalls in the same or different VNETs.


Panorama Plugin for Azure

The Panorama plugin for Azure allows you to read the tags of your Azure resources, and then centrally enable tag-based policies on a group of firewalls. With this feature, the Panorama plugin gives you a centralized location to deploy, configure, and monitor your security posture in the cloud. The Panorama plugin now allows you to orchestrate VM-Series deployments in your Azure network and then apply security policies to these firewalls. The plugin also redirects you to your Azure ARM deployment and Azure Monitor pages to gain visibility into the deployment status, usage, and performance of your VM-Series firewalls.


  • The minimum VM-Series PAN-OS software version is 10.0.1
  • The minimum Panorama PAN-OS Software version is 10.0
  • The minimum Panorama plugin for Azure version is 3.0.0
    • There is no upgrade path for the beta plugin


Automated Deployment

In the cloud, you use templates to automate the deployment of Auto Scale architectures. Depending on your automation requirements, these templates can be very complex. They often involve multiple components and moving parts, which hampers your journey to the cloud. Panorama orchestration simplifies the current autoscaling solution by bringing all configurations into one workflow that your Panorama plugin offers. The plugin automatically deploys the necessary Azure resources, such as load balancers, subnets, and NAT gateways. The plugin also automatically creates the Panorama and VM-Series configurations, such as the device groups and template stacks, as well as the NAT policies.



We encourage you to learn more about this integration by watching the demo video:
For information on being a part of the Panorama Orchestrated Azure Deployment Beta, please reach out to your Palo Alto Networks account team. 
You may also find more information about Azure on the LIVEcommunity VM-Series on the Azure resource page.
L3 Networker

This is brilliant, great job everyone who worked on it!

L0 Member

Why only one or two deployments?

L5 Sessionator

@mathieu.legros Thank you for the comment. This is a beta run so although the Beta is limited to one deployment scenario that supports securing both outbound and east|west traffic, GA will also add inbound to the equation. This doesn't mean it will be limited to and we will have the flexibility to add architectures as the solution evolves. Feedback is important so we appreciate it.

L0 Member

Right now we have 8 Hubs (8 pairs of VM-300), with an east-west and outbound architecture. I understand we will be able to replace all of them with this feature and facilitate auto-scaling.

Instead of creating a new DG and Template, can we specify an existing DG and template?

Also, can we discuss a feature to facilitate updating the running VMs? Load balancers can be leveraged to add new VMs to the target release and then, old VMs decommissioned after active sessions have been bled from them?

L0 Member

We are planning to add support for accommodating existing DG. But we plan to have the template stack dedicated for the Orchestration software. Hope that will work for the customer. Please unicast me if you have additional questions.