Choose a deployment option

Network Security is offered as an Azure Virtual Machine (VM). When you decide how to deploy Network Security in your network, we recommend that you choose one of the following deployment options. The recommended deployment options use Azure VM scale sets.

Network Security virtual appliances do not support auto-scaling.

Each deployment option is a reference architecture created for different common Azure environments. Choose the option that best suits your existing network structure and inspection needs. These deployment recommendations can also be modified to suit the individual requirements for your network.

Inspect lateral traffic

This deployment option describes how to protect lateral traffic using a scale set of virtual appliances with a private VNet. Deploying a scale set behind the Azure Load Balancer provides additional layers of availability that translate to minimal disruption if a virtual appliance experiences an outage.

[Diagram: east/west traffic flow from Workload VNet 1 to Workload VNet 2]

Inspect inbound and outbound traffic with Azure Firewall

This deployment option describes how to protect inbound and outbound traffic using a scale set of virtual appliances behind the Azure Firewall, which provides advanced network protection. Deploying a scale set behind the Azure Load Balancer provides additional layers of availability that translate to minimal disruption if a virtual appliance experiences an outage.

[Diagram: example traffic flow for this deployment]

Inspect inbound traffic with Azure Application Gateway

This deployment option describes how to protect inbound traffic using a scale set of virtual appliances with an Azure Application Gateway. The Application Gateway enables you to manage web application traffic.

[Diagram: example traffic flow for this deployment]

Inspect inbound and outbound traffic with Azure Gateway Load Balancer

This deployment option describes how to protect inbound and outbound traffic using a scale set of virtual appliances with Gateway Load Balancer. Deploying with Gateway Load Balancer provides a simpler process that requires very few changes to your existing network environment. Gateway Load Balancer also adds layers of availability, which translate to minimal disruption if a virtual appliance experiences an outage.

[Diagram: example traffic flow for this deployment]