I’ll deep dive into the challenges that normally come with deploying third-party appliances in public clouds and how the integration with OCI addresses these problems.
Cloud Security Trade-Offs
The VM-Series virtual firewall delivers prevention-based protection for workloads, applications, and data on OCI. VM-Series augments OCI native network security controls by protecting against exploits, malware, known and unknown threats, and data exfiltration.
Until now, most customers deployed VM-Series in Active-Passive HA mode in every Application OCI Virtual Cloud Network (VCN) where applications reside. Another option was to deploy VM-Series into its own VCN. To protect traffic between application VCNs, administrators could route inter-VCN traffic to the VM-Series VCN. This design, recommended by Palo Alto Networks, is known as the Hub and Spoke configuration and is shown in figure 1. In either architecture design, only one VM-Series firewall is active in a VCN.
While this method has effectively protected applications and data on OCI, it introduced challenges which required customers to make two trade-offs:
Trade-off #1 - Scale & Performance
This design limits customers to a single active VM-Series firewall per OCI Availability Domain, so outbound and east-west traffic routed through the firewall cannot scale beyond that one instance.
Trade-off #2 - Configuration Complexities
The customer has to manage the life cycle and policy of the VM-Series firewalls running in each application VCN. Beyond that, they have to maintain the dynamic groups and policies needed to support the Active-Passive HA configuration.
Figure 1: VM-Series deployed on OCI in a Hub and Spoke architecture before the integration with the Flexible Network Load Balancer
The New Way with OCI Flexible Network Load Balancer
With the launch of the OCI Flexible Network Load Balancer, customers can now deploy and scale VM-Series firewalls on OCI.
The OCI Flexible Network Load Balancer is a non-proxy load balancing solution that performs pass-through load balancing of layer 3 and layer 4 (TCP/UDP/ICMP) workloads. It offers an elastically scalable regional VIP address that can scale up or down based on client traffic with no minimum or maximum bandwidth configuration requirement. Additionally, it provides the benefits of flow high availability, source/destination IP address, and port preservation.
The integration between the OCI Flexible Network Load Balancer and the VM-Series firewall alleviates both trade-offs above. Customers can deploy VM-Series in Active-Active mode behind a single regional IP address, simplify their network connectivity and automate network security at scale. It also lets customers manage firewalls and security policies centrally. With this integration, customers still take advantage of the full capabilities offered by VM-Series, including layer 7 visibility and threat protection for both encrypted and unencrypted traffic.
Figure 2 illustrates how using the OCI Flexible Network Load Balancer integration with VM-Series simplifies your OCI Hub and Spoke environments. You can continue to use a centralized security VCN as you did previously. But now, you can leverage the OCI Flexible Network Load Balancer to scale and load-balance traffic across the stack of VM-Series firewalls in your centralized security VCN.
Figure 2: Integration between VM-Series and OCI Flexible Network Load Balancer improves scale and performance
Three Ways the Integration Pays Off
The VM-Series firewall integration with OCI Flexible Network Load Balancer offers the following benefits:
Simplified connectivity – Easily insert an auto-scaling VM-Series firewall stack in OCI in Active-Active mode to protect inbound, outbound, and east-west communication paths.
Automate network security at scale – Use native Oracle Cloud networking constructs to horizontally scale VM-Series firewalls and automate network security deployments.
Cost effective – Reduce the number of firewalls needed to protect your Oracle Cloud environment and consolidate your overall network security posture using a hub and spoke architecture for centralized security management.
VM-Series with Flexible Load Balancing Use Cases
With the new integration between VM-Series firewall and the OCI Flexible Network Load balancer, customers can augment cloud network security with three use cases:
Inbound Traffic Security: Traffic from the Internet or an on-prem data center first hits the OCI Flexible Network Load Balancer, which acts as a bump-in-the-wire layer 3 transparent load balancer: it does not modify the packet characteristics and preserves the client source and destination IP header information. The traffic is then forwarded to one of the VM-Series firewalls that sit behind the load balancer. The VM-Series firewall inspects the packet, applies security policies and delivers it to the back-end application or database servers.
East-West Traffic Security: East-West traffic refers to Inter-VCN traffic, such as the traffic between source and destination workloads in two different VCNs. The VM-Series firewalls protect east-west traffic flows against malware propagation. The Local Peering Gateway (LPG) connected to a VCN will send the traffic to the internal OCI Flexible Network Load Balancer, which will forward the traffic to the VM-Series firewall. The VM-Series will inspect the packet and send it back to the destination Local Peering Gateway (LPG).
Outbound Traffic Security: Traffic originating within the application VCNs and destined for external resources on the Internet also hits the VM-Series firewall first. Using the Local Peering Gateways (LPG), the traffic from the application or database VCN first hits the internal OCI Flexible Network Load Balancer, which forwards the traffic to the VM-Series firewall. The firewall inspects the packet and sends it to the external NLB.
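The internal load balancer described in the east-west and outbound use cases above, with the pass-through and IP-preservation properties from the Flexible Network Load Balancer overview, as an added Terraform example (not code from the original post or from Palo Alto Networks / Oracle). All OCIDs, names, IP addresses and the health-check port are assumptions for illustration.

```hcl
variable "compartment_ocid" {}       # assumed: compartment of the security VCN
variable "firewall_subnet_ocid" {}   # assumed: subnet holding the firewalls' data interfaces
variable "vmseries_ips" {
  type    = list(string)
  default = ["10.0.1.11", "10.0.1.12"]   # constructed: data-plane IPs of two firewalls
}

# Pass-through (non-proxy) NLB: private, and keeps the original source and
# destination IPs so the firewalls inspect and log the real endpoints.
resource "oci_network_load_balancer_network_load_balancer" "fw_nlb" {
  compartment_id                 = var.compartment_ocid
  display_name                   = "vmseries-internal-nlb"
  subnet_id                      = var.firewall_subnet_ocid
  is_private                     = true
  is_preserve_source_destination = true
}

# 5-tuple hashing pins each flow to one firewall so stateful inspection holds;
# the health check pulls a failed firewall out of rotation (flow HA).
# Port 22 is an assumption: use the port the firewall's interface
# management profile actually answers on.
resource "oci_network_load_balancer_backend_set" "fw_backends" {
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw_nlb.id
  name                     = "vmseries-backends"
  policy                   = "FIVE_TUPLE"
  is_preserve_source       = true
  health_checker {
    protocol           = "TCP"
    port               = 22
    interval_in_millis = 10000
    timeout_in_millis  = 3000
    retries            = 3
  }
}

# Listener on protocol ANY / port 0: every L3/L4 flow (TCP, UDP, ICMP)
# is forwarded untouched for the firewall to inspect.
resource "oci_network_load_balancer_listener" "fw_any" {
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw_nlb.id
  name                     = "any-traffic"
  default_backend_set_name = oci_network_load_balancer_backend_set.fw_backends.name
  protocol                 = "ANY"
  port                     = 0
}

# One backend per active firewall; scaling out is one more address in the list.
resource "oci_network_load_balancer_backend" "fw" {
  for_each                 = toset(var.vmseries_ips)
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw_nlb.id
  backend_set_name         = oci_network_load_balancer_backend_set.fw_backends.name
  ip_address               = each.value
  port                     = 0
}
```

The route table attached to the security VCN's LPGs then uses this NLB's private IP as its next hop, which is what steers inter-VCN and outbound traffic through a firewall before it leaves the VCN.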