Hybrid and Multi Cloud Connectivity with PAN-OS SD WAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker
100% helpful (1/1)

Title_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.jpg

 

Introduction 

 

Organizations today adopt hybrid cloud infrastructure to  provide a balanced approach, enabling them to combine the benefits of public and private clouds to meet their specific business needs, optimize costs, and ensure a secure and compliant IT environment.

 

At the same time, while adopting cloud, organizations also adopt a multi cloud strategy to solve different business use cases. 

This entire infrastructure is interconnected to provide communication between the environment. Hence it is important to perform careful planning, robust security measures, and the use of appropriate networking technologies to ensure efficient and secure communication between the resources.

 

This document describes different deployment options which can be used to connect an on-prem branch/datacenter to a cloud environment , and also connectivity between multi cloud infrastructure. This document captures the design options using PAN-OS SD WAN to provide the connectivity. SD WAN components and features are out of scope of this document.

 

Why PAN-OS SD WAN? 

 

Thick Branch: In a thick branch or datacenter environment, where applications are usually hosted in the on-prem environment, providing security at the perimeter is crucial. This is achieved by the PAN-OS SD WAN subscription on the NGFW 

 

Dynamic and best path selection: PAN OS SD-WAN solution is designed to be application-aware. They can identify and classify different types of traffic, allowing for granular control and prioritization based on the specific needs of each application. This includes mission-critical applications that require low latency and high reliability.

 

Dynamic path selection: allowing for real-time decision-making regarding the best path for traffic based on the current network conditions. It continuously monitors the performance of available network links and selects the most optimal path for specific applications or traffic types.

 

Need for control over the IPSec configuration: Often in a secure environment, like a Fintech organization, where strict compliance requirements exist, customers would want to mitigate the security risks with certain network connection encryption. The native SD WAN controls cannot provide much flexibility into the configuration

 

Zero touch provisioning with Panorama: With PAN-OS SD WAN, customers can take the benefit of ZTP (zero touch provisioning) that permits hands-off approach to SD WAN deployment,configuration and communication between hub and spokes. This capability enables the customer to deploy SD WAN effortlessly and establish connectivity. 

 

Cost Effective Approach- With the hub and spoke architecture of SD WAN, we can connect multiple branch data centers and remote users. When we compare it with native CSP solution with a private link, this only solves one part of connectivity. Customers end up investing more on other infrastructure elements, making it an expensive solution. 

 

Security Enforcement: Security policies can be configured in the edge firewall in branch/DC to inspect the traffic and provide enforcement. Any internet inbound/outbound  traffic can also be inspected and enforced in the edge firewall providing the internet access. 

 

Deployment Models:

 

In this document, we will take examples of connectivity with AWS. Every CSP has a different service and connectivity mechanism to deploy SD WAN architecture. 

 

Connectivity with Transit Gateway Attachment:

When talking about the connection of an SD-WAN network to AWS, AWS Transit Gateway provides a managed highly-available and scalable regional network transit hub to interconnect VPCs and your SD-WAN network. Transit Gateway connect attachments provide a native way to connect your SD-WAN infrastructure and appliances with AWS. This makes it easy to extend your SD-WAN into AWS without having to set up IPsec VPNs.

 

Here, VM series can be the (Hub or Spoke)  head-end deployed in a separate VPC. Traffic from branch/DC will terminate on the VM series. The Routes configured on VM series, will direct the traffic towards the transit gateway attachment. Once the traffic reaches the transit gateway, the traffic is forwarded based on the routes.

 

Similarly in the reverse direction, when the workloads in AWS want to communicate with workloads in DC, the TGW routes forward the traffic towards the VPC providing the SD WAN connectivity. VM series can be deployed in Active-Standby mode.

Fig 1_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.png

 

Traffic Flow:

 

  1. Traffic initiated from branch/DC  is  destined to the instances in App VPC1  within AWS
  2. Based on the route the traffic reaches the VM series in branch, which is the SD WAN device providing the edge connectivity 
  3. The traffic is forwarded to the SD WAN VPC via the SD WAN overlay
  4. The VM series route forwards the traffic towards the trust interface. 
  5. The traffic is forwarded to the TGW attachment based on the subnet route table in AWS
  6. Based on the TGW route table, the traffic is forwarded towards the destination VPC.
  7. Any internet traffic from the DC/Branch, takes the direct internet access from the edge firewall 

 

Connectivity with Transit Gateway Connect Attachments:

Many AWS customers are using AWS Transit Gateway at the network edge to connect their global network to the AWS backbone. Transit Gateway connect attachments provide native way to connect SD WAN infrastructure to the cloud. 

Transit Gateway connect attachments support Generic Routing Encapsulation (GRE) for higher bandwidth performance compared to a VPN connection. It supports Border Gateway Protocol (BGP) for dynamic routing, and removes the need to configure static routes. This simplifies network design and reduces the associated operational costs.

 

When integrating SD-WAN network to Transit Gateway using connect attachments, you have two common patterns. The first one is placing VM Series  in a VPC within AWS. Then, you use a VPC attachment as underlying transport for the Transit Gateway connect attachment between the virtual appliances and the Transit Gateway, as can be seen in the figure below.

VM series can be deployed in Active-Standby mode.

 

Fig 2_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.png

 

Traffic Flow:

 

  1. Traffic initiated from branch and destined to the instances in App VPC1  within AWS
  2. Based on the route, the traffic reaches the VM series in the branch. 
  3. The traffic is forwarded to the VM Series in the  SD WAN VPC via the SD WAN overlay
  4. The VM series route forwards the traffic towards the trust interface. 
  5. The Transit Gateway connect attachment uses the VPC attachment as transport, and connects Transit Gateway to the VM Series  in the SD WAN VPC using GRE tunneling and BGP.
  6. Based on the TGW route table, the traffic is forwarded towards the destination VPC.
  7. Any internet traffic from the DC/Branch, takes the direct internet access from the edge firewall 

 

Connectivity with Site to Site VPN:

Another way to integrate your SD-WAN network to AWS Transit Gateway is by creating an AWS Site-to-Site VPN connection, peering the SD-WAN headend on VM Series, with the Transit Gateway using IPSec tunnels. The VM Series in the SD WAN VPC can use BGP to peer with the Transit Gateway to exchange route prefixes. If you want to increase the bandwidth, additional IPSec VPN connections can be used with Transit Gateway’s support for Equal-Cost Multi-Path (ECMP). VM series can be deployed in Active-Standby mode.

 

Fig 3_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.png

 

Traffic Flow:

 

  1. Traffic initiated from branch and destined to the instances in App VPC1  within AWS
  2. Based on the route the traffic reaches the VM series in branch. 
  3. The traffic is forwarded to the SD WAN VPC via the SD WAN overlay
  4. The VM Series  in the SD WAN VPC forwards the traffic to the Transit Gateway via the Site-to-Site VPN connection.
  5. Based on the TGW route table, the traffic is forwarded towards the destination VPC.
  6. Any internet traffic from the DC/Branch, takes the direct internet access from the edge firewall 

 

Multi Cloud Connectivity with SD WAN Hub and Spoke:

You can connect your multi cloud deployment using PAN-OS SD WAN using hub and spoke or full mesh architecture. The VM series acting as hub can be in AWS DC or in the on-prem DC. Other environments, in cloud or other branch locations can host a VM series for providing spokes connectivity to the hub firewall. In the example below, we have the VM series on AWS and Azure acting as hub and VM series in the branch provides spokes connectivity. 

VM series can be deployed in Active-Standby mode.

Fig 4_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.png

 

Traffic Flow:

 

  1. Traffic is destined towards applications hosted in cloud.
  2. Traffic reaches the hub firewall in AWS or Azure over SD WAN Overlay
  3. Based on the routing in VM series , the traffic gets forwarded towards the destination.
  4. The reverse traffic follows the same path. 

 

Connectivity with SD WAN Hub in Prisma Access

Prisma Access can also provide connectivity for your SD WAN overlay. Here Prisma Access acts as a hub for the SD WAN overlay. SD-WAN Plugin 2.2 provides Prisma Access hub support, in which PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls(VM Series/Hardware). A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. VM series can be deployed in Active-Standby mode.



Fig 5_Hybrid-Multi-Cloud-Connectivity_palo-alto-networks.png

References:

 

  • PAN-OS SD-WAN Routing Considerations for Multiple VPN Clusters: Link
  • PAN-OS SD-WAN Brownfield Deployment Considerations: Link
  • PAN-OS SD-WAN Policy Best Practice: Link
  • PAN-OS SD-WAN Implementing QOS: Link
  • Document for Step Wise Deployment: Link
  • Full Mesh Configuration - Link
Rate this article:
  • 3661 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎02-07-2024 11:01 AM
Updated by: