VM-Series Sizing Guide for Google Cloud


 

This article describes best practices for sizing Palo Alto Networks VM-Series Next-Generation Firewalls deployed on Google Cloud. Proper sizing matters because it gives a fairly accurate picture of how many firewalls are needed to handle the customer's traffic, which directly determines the number of credits that must be purchased to license them. This document is intended for network administrators, solution architects, and security professionals who are familiar with Compute Engine, Load Balancing, and Virtual Private Cloud (VPC) networking on Google Cloud.

 

Questions to ask the Customer

Before getting to the sizing itself, it is essential to understand what the customer needs. The following questions must be answered before sizing begins.

 

  • What are the minimum and/or maximum bandwidth requirements from the firewalls?
  • Which traffic use-cases does the customer want to secure? Inbound, Outbound, East-West, Remote connectivity?
    • In most cases, there are multiple use-cases to secure.
  • Does the customer expect the traffic to scale up and down a lot?
  • Do they need session resiliency?

 

The answers to these questions identify the exact use-cases to implement, as well as the customer's bandwidth and performance requirements.

 

VM-Series on Google Cloud - Performance & Capacity

You will find the official numbers for Performance and Capacity of VM-Series on Google Cloud at the link provided below.

https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-performance-capacity/vm-series-performanc...

 

The numbers in the image below are for PAN-OS 11.0. For the numbers for a specific version, check the link above.

 

[Fig. 1: VM-Series on Google Cloud performance and capacity figures, PAN-OS 11.0]

 

Choosing the right Machine Type and Family

Consider the following when choosing the machine type for VM-Series:

 

  • VM-Series needs a minimum of 3 interfaces – one each for Public, Private and Mgmt.
  • vCPU counts on Compute Engine instances scale in multiples of 2 (2n).
  • The minimum number of vCPUs required for VM-Series is 4.
  • The recommended machine family for VM-Series is the N2-Standard family.
  • For specific traffic parameters such as active connections per second, also consider how much memory you allocate to the VM-Series instance. Refer to this page for more details.


Bonus – You can choose a higher machine type (more vCPUs and memory) and still license a lower number of vCPUs, if required. Refer to this page for more details.

 

Best Practices for Sizing

Load Balancing with Active-Active design

Consider the following before choosing the machine type:

 

  • Use an instance template with a Managed Instance Group (MIG).
  • For resiliency, use the same instance template with MIGs across at least 2 zones.
  • Choose the machine type based on the maximum bandwidth required divided by the number of firewalls, and spread those firewalls across zones for resiliency.
    • For example, if the traffic bandwidth is 10 Gbps, you can choose the n2-standard-8 machine type to deploy 3 (TP-enabled) firewalls with MIGs across 2 zones.
  • If you are considering autoscaling, remember that autoscaling is a MIG feature: the MIG you configure for autoscaling can use a different instance template with a lower-vCPU machine type.

 

Load Balancing with Active-Passive design

Consider the following before choosing the machine type:

 

  • Two VM instances (one each for Active and Standby) will be deployed.
  • Even though traffic passes through only one instance, both firewalls must be licensed.
  • Determine the peak bandwidth requirement before deploying.
  • Choose a machine type that supports the full bandwidth requirement from a single VM-Series instance.
    • For example, if the traffic bandwidth is 10 Gbps, you would need to choose the n2-standard-32 machine type to deploy 2 (TP-enabled) firewalls across 2 zones.
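The Active-Active and Active-Passive rules above, as an added sizing helper (not code from the original article or from Palo Alto Networks). The per-machine-type throughput table is a constructed placeholder chosen only so the guide's two 10 Gbps examples reproduce; replace it with the official Performance & Capacity figures for your PAN-OS version before relying on any result.

```python
# Added example: applies the guide's sizing rules for both HA designs.
# Throughput figures below are CONSTRUCTED PLACEHOLDERS, not official VM-Series numbers.
from dataclasses import dataclass

# n2-standard sizes offered by Google Cloud; vCPU counts step in multiples of 2.
N2_STANDARD_VCPUS = (2, 4, 8, 16, 32, 48, 64, 80, 96, 128)
MIN_VCPUS = 4   # VM-Series minimum vCPU count
MIN_ZONES = 2   # resiliency recommendation from the guide

# PLACEHOLDER Threat-Prevention-enabled throughput per vCPU count, in Gbps (constructed).
TP_THROUGHPUT_GBPS = {4: 1.0, 8: 4.0, 16: 6.0, 32: 12.0, 48: 16.0, 64: 20.0}

@dataclass
class Sizing:
    design: str
    machine_type: str
    firewalls: int          # instances deployed
    licensed_instances: int # instances that need a license (all of them, in both designs)
    per_fw_gbps: float      # bandwidth each instance must carry
    zones: int

def smallest_machine_for(gbps, table=TP_THROUGHPUT_GBPS):
    """Smallest n2-standard type (>= 4 vCPUs) whose table throughput covers `gbps`."""
    for vcpus in N2_STANDARD_VCPUS:
        if vcpus >= MIN_VCPUS and table.get(vcpus, 0) >= gbps:
            return f"n2-standard-{vcpus}"
    raise ValueError(f"no single machine type in the table covers {gbps} Gbps")

def size_active_active(max_gbps, firewalls, zones=MIN_ZONES, table=TP_THROUGHPUT_GBPS):
    """Split peak bandwidth across `firewalls` in MIGs spread over `zones` zones."""
    if zones < MIN_ZONES or firewalls < zones:
        raise ValueError("need >= 2 zones and at least one firewall per zone")
    per_fw = max_gbps / firewalls
    return Sizing("active-active", smallest_machine_for(per_fw, table),
                  firewalls, firewalls, per_fw, zones)

def size_active_passive(max_gbps, table=TP_THROUGHPUT_GBPS):
    """One instance must carry the full peak load; the standby is deployed and licensed too."""
    return Sizing("active-passive", smallest_machine_for(max_gbps, table),
                  2, 2, max_gbps, 2)

if __name__ == "__main__":
    for s in (size_active_active(10, 3), size_active_passive(10)):
        print(s)
```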

 

Overall

Consider splitting the firewalls to physically segment the security posture for Inbound, Outbound, East-West and Remote Connections as required:

 

  • While this means more firewalls to manage, you gain much more granular control over the security applied to each use-case.
  • This design also provides the flexibility to scale out per use-case, rather than scaling the entire set.
  • If each use-case is managed by its own Device Group, the firewalls and the security applied to them are also easier to manage through Panorama.

 

Conclusion

As mentioned earlier, sizing is an important step on the path to a security deployment, and proper sizing is achievable when we ask the right questions and refer to the right content along the way. This document aims to answer some of the questions people may have about sizing. For more information, reach out to the Palo Alto Networks Software Firewalls PM-TME team.

 

Resources

 

Last Updated: 09-06-2023 11:24 AM