VM-Series for AWS and Azure Licensing Considerations
Environment
- VM Series Palo Alto Firewalls
- Public Cloud
- License information
Resolution
Note: The information is changed in the newer PAN-OS releases. Refer to VM-Series Firewall Licenses for Public Clouds for the latest info.
The VM-Series virtualized next-generation firewall can be deployed from both the AWS and Microsoft Azure Marketplace in either a bring your own license or pay as you go /consumption-based subscription model. This FAQ outlines the key considerations to account for when making a licensing choice.
What are the VM-Series licensing options for AWS and Microsoft Azure?
For both AWS and Microsoft Azure, the licensing options are bring your own license (BYOL) and pay as you go/consumption-based (PAYG) subscriptions.
- BYOL: Any one of the VM-Series models, along with the associated Subscriptions and Support, are purchased via normal Palo Alto Networks channels and then deployed through your AWS or Azure management console.
- PAYG: Purchase the VM-Series and select Subscriptions and Premium Support as an hourly subscription bundle from the AWS Marketplace.
- AWS:
- Bundle 1 contents: VM-300 firewall license, Threat Prevention Subscription (inclusive of IPS, AV, Malware prevention) and Premium Support.
- Bundle 2 contents: VM-300 firewall license, Advanced Threat Prevention (inclusive of IPS, AV, Malware prevention), Advanced WildFire™ threat intelligence service, Advanced URL Filtering, DNS Security, GlobalProtect Subscriptions and Premium Support.
- Bundle 3 contents: VM-300 firewall license, Advanced Threat Prevention (inclusive of IPS, AV, Malware prevention), Advanced URL Filtering, DNS Security, Wildfire, Global Protect.
- AZURE
- Bundle 1 contents: VM-300 firewall license, Threat Prevention Subscription (inclusive of IPS, AV, Malware prevention) and Premium Support.
- Bundle 2 contents: VM-300 firewall license, Advanced Threat Prevention (inclusive of IPS, AV, Malware prevention), Advanced WildFire™ threat intelligence service, Advanced URL Filtering, DNS Security, GlobalProtect Subscriptions and Premium Support.
- AWS:
What are the pricing options for PAYG?
- AWS pricing options are hourly and annual for both Bundle 1 and Bundle 2.
- Azure pricing is hourly only for Bundle 1 and Bundle 2.
Bundle 1 |
Bundle 2 | |||
AWS |
Azure |
AWS |
Azure | |
Annual |
X |
N/A |
X |
N/A |
Hourly |
X |
X |
X |
X |
Prices can be found in the AWS or Azure Marketplace
Can the PAYG Bundles be modified or customized?
- The Bundles are fixed. Customers who would like a variation of the Bundles should choose the BYOL option.
How does a customer deploy the VM-Series in AWS or Azure?
In both cases, the deployment is performed directly from the customer’s AWS or Azure management console.
- BYOL deployment entails the traditional purchase process of selecting a VM-Series firewall license, Subscriptions and Support, then executing the purchase process through normal channels. The customer will receive an authorization code that is then used to license the VM-Series directly from the AWS or Azure management console.
- PAYG deployment entails the customer selecting one of the two VM-Series bundles found in AWS or Azure marketplace, then executing the purchase directly from the management console.
Can the VM-Series be deployed in AWS or Azure GovCloud?
AWS GovCloud (US) is supported through the BYOL licensing model. Customers that have access to AWS GovCloud (US) would follow the BYOL purchase and deployment model outlined above. For Azure, Refer to this link for compatibility
How is Support handled?
Both PAYG bundles for AWS and Azure include Premium Support (verbal and written English only). PAYG customers will need to establish a support account, register their VM-Series and access Support resources, just as they would if they were using an appliance. Existing customers will add their VM-Series to their existing list of devices, just as they would if they were using an appliance, then access the appropriate Support resources. AWS and Azure BYOL customers can purchase any one of the Support options available on the price list including US Government specific support (USD), then access support in the same manner as described above.
Which licensing option should customers choose?
Customer choice is beneficial and the option chosen should be based on the type of project and associated workloads in use. The key considerations are outlined below.
Traditional Purchase (BYOL) |
Marketplace Bundle Purchase | |
Best suited for |
Long running steady state deployments that may scale over time |
On-demand, utility-style, elastic scale deployments |
Comparable to |
Buying |
Renting |
Costs |
CapEx (initial purchase in year 1) Opex (annual renewal after that) |
Fixed rate for both hourly (duration of use) and initial annual license and subsequent renewal. Typically OPEX |
Supported environments |
All hypervisors supported - move licenses between any supported hypervisor or public cloud environment |
Restricted to the specific public cloud Marketplace (AWS or Azure) where product is purchased |
GovCloud Supported? |
AWS GovCloud (US) is supported. For Azure Refer to this link for compatibility |
For Azure, Refer to this link for compatibility . |
Licensing, subscription, support flexibility |
Use any combination of capacity SKU (VM-100, -200, -300, -1000-HV), subscriptions and support |
Available choices of Bundle 1 or Bundle 2 with no option to mix and match features or support programs |
US Government (USG) Support available |
Federal Agencies can purchase USG support for VM-Series |
No, Premium support is included with both bundles; no option to purchase USG |
Pricing flexibility |
High volume purchase discounts apply |
Fixed pricing in Marketplace for Bundle 1 or Bundle 2. |