The scenario requires deploying a firewall within Microsoft Azure to segment private applications. The VM-Series is the virtualized form-factor of the Palo Alto Networks NGFW designed specifically for deployment in public cloud environments like Azure. To achieve logical segmentation between different network segments (e.g., subnets for web, application, and database tiers), the standard and most robust method is to deploy the firewall in Layer 3 (routed) mode. In this configuration, the VM-Series firewall has Layer 3 interfaces assigned to different security zones, and it acts as the gateway, routing and inspecting all traffic that flows between these segmented subnets. This design places security enforcement directly in the traffic path and close to the applications, fulfilling the stated requirements.

A. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

While VM-Series is the correct platform, Layer 3 mode is the standard and more scalable method for routing-based segmentation between subnets in Azure.

B. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances and cannot be deployed directly within the Azure cloud environment to protect hosted applications.

D. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances. The correct form-factor for deployment within a public cloud like Azure is the VM-Series.

1. Palo Alto Networks

"VM-Series Deployment Guide for Azure

" Version 11.0. This guide explicitly details the deployment of the VM-Series virtualized firewall in Azure. The reference architectures

such as the "Basic deployment with a single VM-Series firewall

" show the firewall with multiple virtual network interfaces (vNICs) connected to different subnets (e.g.

Untrust

Trust

Management)

operating in Layer 3 to route and inspect traffic between them. This is the fundamental model for segmentation. (See: Chapter 2: Plan the VM-Series Firewall Deployment in Azure

Section: "Reference Architecture: Basic Deployment with a Single VM-Series Firewall").

2. Palo Alto Networks

"VM-Series on Azure

" Datasheet. This document specifies that the VM-Series is the virtual NGFW for Azure

designed to "protect your applications and data with next-generation security features that are deployed in a virtualized form factor." It contrasts with the PA-Series

which are hardware appliances. (See: "Product Overview" section).

3. Palo Alto Networks

"Firewall Interface Types

" PAN-OS® Administrator's Guide 11.0. This documentation describes the different interface types. It clarifies that Layer 3 interfaces "participate in Layer 3 routing" and are assigned to security zones

which is the mechanism for applying policy to traffic between different network segments. This is the core concept behind Layer 3 segmentation. (See: Networking > Network Interfaces > Firewall Interface Types > Layer 3 Interfaces).