Announcing VM-Series Integration with Google Cloud Network Connectivity Center

cancel
Showing results for 
Search instead for 
Did you mean: 
L1 Bithead
Did you find this article helpful? Yes No
100% helpful (4/4)

VM-GCNCC_blog.png

 

Introduction

Palo Alto Networks VM-Series Next-Generation Firewall for Google Cloud is the industry-leading virtualized firewall to protect applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. The VM-Series capabilities to secure globally connected networks are further enhanced by its integration with Network Connectivity Center by Google Cloud.

 

How VM-Series Works

There are several components used to integrate the VM-Series with Network Connectivity Center.  

 

Network Connectivity Center – Hubs and Spokes

Network Connectivity Center leverages a hub-and-spoke model to provide end-users a single place to manage global connectivity across various networks. The hub is a global resource that connects attached spokes with a simple and singular connectivity model. The Network Connectivity Center hub creates a full mesh networking model between the VM-Series and all other connected spokes. The VM-Series connects to the hub as a router appliance spoke.

 

Google Cloud Router

The VM-Series integrates with Network Connectivity Center by establishing BGP peering relationships with a VPC’s Cloud Router. This relationship enables full route propagation between remote networks and the Google Cloud VPC fabric routes. 

Once the peering relationship is established between the Cloud Router and the VM-Series, routes from remote networks, Google Cloud VPCs, and the VM-Series are exchanged. If the VM-Series firewalls are deployed within the same spoke, the hub advertises the same prefixes to all of the firewalls. This behavior enables equal-cost multipath (ECMP) for hub to firewall traffic. If you prefer to isolate traffic flows to dedicated firewalls, the VM-Series should be placed in separate spokes with different ASNs.

 

High Availability

Multiple VM-Series Firewalls can be deployed to provide horizontal scale, cross-region redundancy, and high-availability. The VM-Series 2.0.5 plugin (or greater) brings session synchronization to VM-Series deployed on Google Cloud. Firewall HA pairs can be deployed in Active/Active to provide load distribution. The dynamic routing behavior with Network Connectivity Center provides fast and reliable route failover among the firewall appliances. 

 

Example Topologies

There are a number of topologies that can be built with the VM-Series and Network Connectivity Center.  Below are several examples.

 

Topology 1: Remote Network to Google Cloud

The VM-Series can be used to secure traffic from remote networks to Google Cloud VPCs.  The following outcomes are achieved through the integration with Network Connectivity Center:

 

  • Secure remote traffic to Google Cloud with optimal route selection
  • Active/Active High Availability with dynamic route failover
  • Encryption for data in transit

 

Topology 1a: Regional VPC

In this topology, VM-Series firewalls are deployed across different zones within the same region.  The firewalls are connected as a single spoke to the Network Connectivity Center hub and have a BGP session established with the VPC’s Cloud Router.  From on-premises, IPsec tunnels are created and terminated on each firewall.  Routes to and from the remote network and the VPC are exchanged through the VM-Series and Cloud Router. The VM-Series firewalls are advertising the same prefixes and MED values to take advantage of Google Cloud’s ECMP functionality.  The use of ECMP provides redundancy and load distribution among the zonally distributed firewalls. 



mmclimans_0-1621883256786.png

 



Topology 1b: Global VPC

The architecture shows two Active/Active VM-Series pairs (within the same VPC) distributed across two Google Cloud regions. Each firewall pair shares session state information and each pair is a separate spoke connected to the Network Connectivity Center hub. The Cloud Router BGP peers with its respective regional firewall pair.  Routes from the remote sites are advertised to the VM-Series firewalls via the Cloud Router. The Cloud Routers themselves exchange routes to provide full mesh connectivity. 

mmclimans_1-1621883256757.png

 



Topology 2: Active/Active High Availability with Dynamic Route Failover

The integration with Network Connectivity Center can be used to direct VPC traffic to the VM-Series firewalls deployed in an Active/Active high availability pair.  In the topologies below, the VM-Series firewalls are sharing session state information so in the event of a failure in a zone or of the instance itself, sessions are carried over to the healthy firewall.  The VPC routes are automatically updated through the Cloud Router to steer traffic to the active firewall.  This can be a preferred topology for deployments that require session state failover for egress traffic.

 

Topology 2a: Single VPC

In this example, VM-Series firewalls are serving as highly available internet gateways to protect workloads deployed within a Google VPC.  The Cloud Router in the trust VPC has established BGP sessions to the firewall’s trust interfaces. The VM-Series advertises routes to the Cloud Router, and the Cloud Router propagates the routes to the trust VPC.  

mmclimans_2-1621883256752.png
 

Topology 2b: VPC Peering

You can use VPC Network Peering to onboard additional spoke VPCs to a hub VPC. The topology is the same as the Single VPC architecture but import and export custom routes must be enabled on the hub VPC and spoke VPCs.



Minimum System Requirements

To support Network Connectivity Center, VM-Series deployed in Google Cloud must meet the following system requirements:

 

  • Active/Active with Session Sync
    • PAN-OS 10.0 or greater
    • VM-Series plugin 2.0.5 or greater

 

Additional Resources

Rate this article:
(1)
Comments
L0 Member

Nice addition gives a lot of flexibility in GCP, 

I have a customer who I have helped deploying firewalls behind GCP iLB (internal LB) and set the next hop to the iLB. They are using Interconnect (Dedicated) no the IPsec tunnel for accessing on-prem.

 

Would you consider another topology where iLB as the next-hop is used as an extension of 1a and 2a as a supported method?

L2 Linker

Is there already some documentation about how to set this up, especially topology 2(b) ?

L2 Linker

Unfortunately I wasn't able (anymore?) to edit the above comment.

 

However I managed to setup the BGP peering, but GCP won't redistribute imported VPC peering routes automatically.

Is this something that can be changed, without the need to add them as custom routes to the redistribute profile of the cloud router ?

Register or Sign-in
Contributors
Article Dashboard
Version history
Last update:
‎07-08-2021 05:24 PM
Updated by: