Neither is ideal, but if you had to go with one I would choose running a virtual firewall distro. For grins and giggles I implemented something like this a little while back in a lab with ESXi as the hypervisor and IPFire as the virtual firewall. As someone who works in large-scale cloud environments, many of today's cloud-based solutions deploy virtual firewalls/appliances to handle networking, so there's no real security issue there, as long as you follow best practices when it comes to networking.
As for the complications of deploying a Linux/Unix-based firewall, distros like pfSense, IPFire, and Smoothwall take a lot of the complication out of it.