The VM-Series next-generation firewall allows customers to securely migrate their applications and data to Azure, protecting them from known and unknown threats with application whitelisting and threat prevention policies. Designed to facilitate fully automated deployments, the VM-Series can be embedded into your application deployment process, allowing security to keep pace with the speed of the cloud.
Developers and cloud security architects can use ARM Templates, Azure Functions or third party tools combined with a VM-Series bootstrap configuration to create "touchless" deployments. Application whitelisting and segmentation policies can be dynamically updated based on workload tags, allowing you to reduce the attack surface area and achieve compliance while threat prevention policies can block threats and stop data exfiltration.
Advanced architectures based on Azure Load Balancers allow you to assemble scalable VM-Series deployments to address managed scale for inbound traffic, outbound scale combined with protecting workloads from lateral (east-west) threat movement and a Transit VNET-based shared services architecture that centralizes security and connectivity.
When deployed from Marketplace, a VM-Series virtual machine is created with multiple network interfaces. You then select an existing (empty) or new resource group, storage account and VNET with three subnets (MGMT, Untrust and Trust). Once the VM-Series deployed, it will need to be licensed, configured and user-defined rules (UDR) created to steer traffic from the Trust and Untrust subnets through the firewall. Documentation and sample ARM templates: http://azure.paloaltonetworks.com