Palo Alto Networks VM-Series Next-Generation Firewall for Google Cloud is the industry-leading virtualized firewall to protect applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. The VM-Series capabilities to secure globally connected networks are further enhanced by its integration with Network Connectivity Center by Google Cloud.
There are several components used to integrate the VM-Series with Network Connectivity Center.
Network Connectivity Center – Hubs and Spokes
Network Connectivity Center uses a hub-and-spoke model that gives you a single place to manage connectivity across global networks. The hub is a global resource that connects its attached spokes under one connectivity model, and it provides full-mesh reachability between the VM-Series and every other spoke attached to the same hub. The VM-Series attaches to the hub as a router appliance spoke.
Google Cloud Router
The VM-Series integrates with Network Connectivity Center by establishing BGP peering relationships with a VPC’s Cloud Router. This relationship enables full route propagation between remote networks and the Google Cloud VPC fabric routes.
Once the BGP peering between the Cloud Router and the VM-Series is established, routes from remote networks, Google Cloud VPCs, and the VM-Series are exchanged. If multiple VM-Series firewalls are deployed within the same spoke, the hub advertises the same prefixes to all of them, which enables equal-cost multipath (ECMP) for hub-to-firewall traffic. If you would rather isolate traffic flows to dedicated firewalls, place the VM-Series in separate spokes with different ASNs.
Multiple VM-Series firewalls can be deployed to provide horizontal scale, cross-region redundancy, and high availability. The VM-Series plugin 2.0.5 (or later) brings session synchronization to VM-Series deployed on Google Cloud, so firewall HA pairs can be deployed Active/Active to provide load distribution. The dynamic routing behavior with Network Connectivity Center provides fast and reliable route failover among the firewall appliances.
There are a number of topologies that can be built with the VM-Series and Network Connectivity Center. Below are several examples.
The VM-Series can be used to secure traffic from remote networks to Google Cloud VPCs. The following outcomes are achieved through the integration with Network Connectivity Center:
In this topology, VM-Series firewalls are deployed across different zones within the same region. The firewalls are connected as a single spoke to the Network Connectivity Center hub and each has a BGP session established with the VPC's Cloud Router. From on-premises, IPsec tunnels are created and terminated on each firewall. Routes to and from the remote network and the VPC are exchanged between the VM-Series and the Cloud Router. The VM-Series firewalls advertise the same prefixes with the same MED values, so the Cloud Router installs equal-priority routes and Google Cloud's ECMP distributes traffic across them. ECMP provides both redundancy and load distribution among the zonally distributed firewalls.
The architecture shows two Active/Active VM-Series pairs (within the same VPC) distributed across two Google Cloud regions. Each firewall pair shares session state information and each pair is a separate spoke connected to the Network Connectivity Center hub. The Cloud Router BGP peers with its respective regional firewall pair. Routes from the remote sites are advertised to the VM-Series firewalls via the Cloud Router. The Cloud Routers themselves exchange routes to provide full mesh connectivity.
The integration with Network Connectivity Center can be used to direct VPC traffic to VM-Series firewalls deployed as an Active/Active high availability pair. In the topologies below, the VM-Series firewalls share session state, so if a zone or the instance itself fails, existing sessions are carried over to the healthy firewall. The VPC routes are automatically updated through the Cloud Router to steer traffic to the remaining active firewall. This can be the preferred topology for deployments that require session-state failover for egress traffic.
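The route-selection behavior described above (same prefix and MED from every firewall in a spoke gives ECMP; a higher MED demotes a firewall to standby; a lost BGP session removes its next hop; dedicated firewalls advertise disjoint prefixes) is easier to reason about with a small model. The following is an added example, not Palo Alto Networks or Google Cloud code: it is a deliberately simplified stand-in for the Cloud Router's selection among learned routes (only MED and session state are considered; AS path, route priority offsets and the real NCC data plane are ignored). The firewall names, addresses, ASNs and prefixes are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Peer:
    """One VM-Series BGP peer as the Cloud Router sees it (hypothetical values)."""
    name: str
    peer_ip: str            # firewall interface address the Cloud Router peers with
    asn: int                # firewall ASN; firewalls in separate spokes use different ASNs
    zone: str
    established: bool = True                      # BGP session state
    advertised: dict = field(default_factory=dict)  # prefix -> MED

    def advertise(self, prefix, med):
        ip_network(prefix)                        # reject malformed prefixes early
        self.advertised[prefix] = med


def select_next_hops(peers, prefix):
    """Next hops installed for one prefix: among peers with an Established
    session, the lowest MED wins; equal MED yields several hops (ECMP).
    A peer whose session dropped contributes nothing, which is the failover."""
    candidates = [p for p in peers if p.established and prefix in p.advertised]
    if not candidates:
        return []
    best_med = min(p.advertised[prefix] for p in candidates)
    return sorted(p.peer_ip for p in candidates if p.advertised[prefix] == best_med)


def build_route_table(peers):
    """Map every advertised prefix to the next hops selected for it."""
    prefixes = {pfx for p in peers for pfx in p.advertised}
    return {pfx: select_next_hops(peers, pfx) for pfx in sorted(prefixes, key=ip_network)}


def demo_peers():
    """Two firewalls in different zones of one region and one spoke, both
    terminating on-premises tunnels and advertising the same remote prefix."""
    fw_a = Peer("vmseries-a", "10.1.0.10", 65010, "us-central1-a")
    fw_b = Peer("vmseries-b", "10.1.0.11", 65010, "us-central1-b")
    fw_a.advertise("192.168.0.0/16", med=100)
    fw_b.advertise("192.168.0.0/16", med=100)
    return [fw_a, fw_b]


if __name__ == "__main__":
    peers = demo_peers()
    # 1. Same prefix, same MED: both hops are installed and flows are ECMP-hashed.
    print("ECMP:", select_next_hops(peers, "192.168.0.0/16"))
    # 2. Raise fw_b's MED: fw_a becomes the sole next hop and fw_b is standby.
    peers[1].advertise("192.168.0.0/16", med=200)
    print("active/standby:", select_next_hops(peers, "192.168.0.0/16"))
    # 3. fw_a's BGP session drops: the route moves to fw_b without any static change.
    peers[0].established = False
    print("failover:", select_next_hops(peers, "192.168.0.0/16"))
    # 4. Dedicated firewalls (separate spokes, separate ASNs) advertise disjoint
    #    prefixes, so no prefix ever gets two next hops and flows stay isolated.
    site_a = Peer("vmseries-site-a", "10.1.0.20", 65020, "us-central1-a")
    site_b = Peer("vmseries-site-b", "10.1.0.21", 65021, "us-central1-b")
    site_a.advertise("172.16.0.0/12", med=100)
    site_b.advertise("10.200.0.0/16", med=100)
    print("isolated:", build_route_table([site_a, site_b]))
```

When reading the ECMP case, keep in mind that the firewalls are stateful: a flow hashed to one firewall must return through the same firewall, or through a peer that holds its session state (the HA session synchronization noted earlier). Without one of those two, asymmetric return traffic is dropped at the firewall that never saw the session.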
In this example, VM-Series firewalls are serving as highly available internet gateways to protect workloads deployed within a Google VPC. The Cloud Router in the trust VPC has established BGP sessions to the firewall’s trust interfaces. The VM-Series advertises routes to the Cloud Router, and the Cloud Router propagates the routes to the trust VPC.
You can use VPC Network Peering to onboard additional spoke VPCs to a hub VPC. The topology is the same as the Single VPC architecture, but custom route import and export must be enabled on both the hub VPC and the spoke VPCs; otherwise the dynamic routes the Cloud Router learns from the VM-Series are not propagated across the peering.
To support Network Connectivity Center, VM-Series deployed in Google Cloud must meet the following system requirements: