VM-Series for AWS and Azure Licensing Considerations

VM-Series for AWS and Azure Licensing Considerations

Created On 09/25/18 15:12 PM - Last Modified 07/17/23 21:06 PM


  • VM Series Palo Alto Firewalls
  • Public Cloud
  • License information


Note:  The information is changed in the newer PAN-OS releases. Refer to VM-Series Firewall Licenses for Public Clouds for the latest info.

The VM-Series virtualized next-generation firewall can be deployed from both the AWS and Microsoft Azure Marketplace in either a bring your own license or pay as you go /consumption-based subscription model. This FAQ outlines the key considerations to account for when making a licensing choice.



What are the VM-Series licensing options for AWS and Microsoft Azure?

For both AWS and Microsoft Azure, the licensing options are bring your own license (BYOL) and pay as you go/consumption-based (PAYG) subscriptions.

  • BYOL: Any one of the VM-Series models, along with the associated Subscriptions and Support, are purchased via normal Palo Alto Networks channels and then deployed through your AWS or Azure management console.
  • PAYG: Purchase the VM-Series and select Subscriptions and Premium Support as an hourly subscription bundle from the AWS Marketplace.
    • Bundle 1 contents: VM-300 firewall license, Threat Prevention Subscription (inclusive of IPS, AV, Malware prevention) and Premium Support.  
    • Bundle 2 contents: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, Malware prevention), WildFire™ threat intelligence service, URL Filtering, GlobalProtect Subscriptions and Premium Support.


What are the pricing options for PAYG?

  • AWS pricing options are hourly and annual for both Bundle 1 and Bundle 2.
  • Azure pricing is hourly only for Bundle 1 and Bundle 2.



Bundle 1

Bundle 2

















Prices can be found in the AWS or Azure Marketplace


Can the PAYG Bundles be modified or customized?

  1. The Bundles are fixed. Customers who would like a variation of the Bundles should choose the BYOL option.


How does a customer deploy the VM-Series in AWS or Azure?

In both cases, the deployment is performed directly from the customer’s AWS or Azure management console.

  • BYOL deployment entails the traditional purchase process of selecting a VM-Series firewall license, Subscriptions and Support, then executing the purchase process through normal channels. The customer will receive an authorization code that is then used to license the VM-Series directly from the AWS or Azure management console.
  • PAYG deployment entails the customer selecting one of the two VM-Series bundles found in AWS or Azure marketplace, then executing the purchase directly from the management console.


Can the VM-Series be deployed in AWS or Azure GovCloud?

AWS GovCloud (US) is supported through the BYOL licensing model. Customers that have access to AWS GovCloud (US) would follow the BYOL purchase and deployment model outlined above. For Azure, Refer to this link for compatibility


How is Support handled?

Both PAYG bundles for AWS and Azure include Premium Support (verbal and written English only). PAYG customers will need to establish a support account, register their VM-Series and access Support resources, just as they would if they were using an appliance. Existing customers will add their VM-Series to their existing list of devices, just as they would if they were using an appliance, then access the appropriate Support resources. AWS and Azure BYOL customers can purchase any one of the Support options available on the price list including US Government specific support (USD), then access support in the same manner as described above.


Which licensing option should customers choose?

Customer choice is beneficial and the option chosen should be based on the type of project and associated workloads in use. The key considerations are outlined below.



Traditional Purchase (BYOL)

Marketplace Bundle Purchase

Best suited for

Long running steady state deployments that may scale over time

On-demand, utility-style, elastic scale deployments

Comparable to




CapEx (initial purchase in year 1)

Opex (annual renewal after that)

Fixed rate for both hourly (duration of use) and initial annual license and subsequent renewal. Typically OPEX

Supported environments

All hypervisors supported - move licenses between any supported hypervisor or public cloud environment

Restricted to the specific public cloud Marketplace (AWS or Azure) where product is purchased

GovCloud Supported?

AWS GovCloud (US) is supported. For Azure Refer to this link for compatibility

For Azure, Refer to this link for compatibility .

Licensing, subscription, support flexibility

Use any combination of capacity SKU (VM-100, -200, -300, -1000-HV),  subscriptions and support

Available choices of Bundle 1 or Bundle 2 with no option to mix and match features or support programs

US Government (USG) Support available

Federal Agencies can purchase USG support for VM-Series

No, Premium support is included with both bundles; no option to purchase USG

Pricing flexibility

High volume purchase discounts apply

Fixed pricing in Marketplace for Bundle 1 or Bundle 2.



  • Print
  • Copy Link


Choose Language