Cloud NGFW for Azure

You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNets). With Cloud NGFW, you can access core NGFW capabilities such as App-ID, URL filtering based on URL categories and geolocations, and SSL/TLS decryption.

Getting Started with Cloud NGFW for Azure

  • Subscribe to the Cloud NGFW Service—Begin by subscribing to the Cloud NGFW for Azure service through the Azure Marketplace. You can also search for "Cloud NGFW" in the Azure Services to locate Local Rulestack and Cloud NGFW resources. The service relies on your Entra ID and IAM permissions and generally requires a "Contributor" role on the subscription.
  • Create Rulestacks—Local Rulestacks allow you to create rules and rulestacks.
  • Create NGFWs—Deploy NGFW firewall resources to protect your VNets and vWAN Hubs. While creating your NGFWs, associate the local rulestacks you created previously or associate a Panorama instance.

You have two options to manage the security policy on Cloud NGFW for Azure.

In the first (Azure Rulestack managed) option, you create rules based on matching criteria and leverage the Security Services straight from Azure Portal.

Alternatively, in the second (Panorama-managed) option, you specify the Registration string generated in Panorama that allows the firewall to connect to Panorama and obtain its policy. In this option, Cloud NGFW requires IP-connectivity to the Panorama IP specified when generating the string.

  • Update User-Defined Route—After deploying your Cloud NGFW resource, you must direct traffic to Cloud NGFW by updating your route table and associating it with the spokes. Traffic is then directed to the NGFW firewall resource for inspection and enforcement.
  • Configure Routing Intent and Policy—After securing your vWAN hub using Palo Alto Networks SaaS, you must program the Routing Intent and Policy and set the next hop as Cloud NGFW NVA. This forces Internet and/or Private traffic through the Cloud NGFW service.

Managing Cloud NGFW for Azure

You can deploy Cloud NGFW in your Azure environment in multiple ways:

  • Azure Portal is a graphical user interface that provides a native experience similar to any other Azure service.
  • Azure CLI/PowerShell/SDK/Terraform can deploy Cloud NGFW resources programmatically in an Infrastructure-as-Code way.

For a description of the Cloud NGFW for Azure APIs, see the API Reference.

To begin using Terraform to manage your Cloud NGFW for Azure, see the Getting Started guide.

See Cloud NGFW for Azure Documentation for more information.