This tutorial shows how to use the Network Connectivity Center (NCC) star topology with Palo Alto Networks VM-Series firewalls. This solution supports the following use cases:
- Secure internet inbound and outbound traffic to edge VPC networks.
- Secure east-west traffic between edge VPC networks.
- Secure Cloud VPN traffic to edge VPC networks.
> [!NOTE]
> For a comparison with VPC Network Peering, see Comparison to VPC Network Peering.
> [!IMPORTANT]
> To connect the VM-Series as a Router Appliance using BGP, see VM-Series as a Router Appliance (BGP).
This tutorial is intended for network administrators, solution architects, and security professionals who are familiar with Compute Engine and Virtual Private Cloud (VPC) networking.
The star topology uses two spoke groups with separate route tables to enforce segmentation. All networks belonging to a spoke group are connected to an NCC hub.
- Center group: Allows traffic between center spokes and between center and edge spokes.
- Edge group: Allows traffic only to center spokes; direct edge-to-edge communication is blocked.
The VM-Series `trust-vpc` belongs to the center group, while the protected networks, `spoke1-vpc` and `spoke2-vpc`, belong to the edge group. All ingress and egress traffic from the edge networks is routed through the center group, where it is inspected by the VM-Series firewall.

For more information, see Network Connectivity Center Star Topology.
The following is required for this tutorial:

- A Google Cloud project.
- A machine with Terraform version `>= 1.6.0`.

> [!NOTE]
> This tutorial assumes you are using Google Cloud Shell.
1. Enable the required APIs and clone the repository.

   ```shell
   gcloud services enable compute.googleapis.com
   git clone https://github.com/PaloAltoNetworks/google-cloud-ncc-tutorial
   cd google-cloud-ncc-tutorial
   ```

2. Generate an SSH key.

   ```shell
   ssh-keygen -f ~/.ssh/vmseries-tutorial -t rsa
   ```

3. Create a `terraform.tfvars` file.

   ```shell
   cp terraform.tfvars.example terraform.tfvars
   ```

4. Edit the `terraform.tfvars` file and set values for the following variables:

   | Key | Value |
   | --- | --- |
   | `project_id` | The Project ID within Google Cloud. |
   | `public_key_path` | The local path of the public key you previously created. |
   | `vmseries_mgmt_ips` | A list of IPv4 addresses which require access to the VM-Series MGT NIC. |
   | `vmseries_image` | The VM-Series image to deploy. |
   | `configure_ncc` | If `true`, create the NCC hub, center, and edge groups. |
> [!TIP]
> For `vmseries_image_name`, a full list of public images can be found using `gcloud`:
>
> ```shell
> gcloud compute images list --project paloaltonetworksgcp-public --filter='name ~ .*vmseries-flex.*'
> ```

> [!NOTE]
> If you are using a BYOL image (i.e. `vmseries-flex-byol-*`), the license can be applied during or after deployment. To license during deployment, add your VM-Series Authcodes to `bootstrap_files/authcodes`. See VM-Series Bootstrap Methods for more information.
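
The `vmseries_mgmt_ips` entries decide who can reach the firewall's management NIC, so they deserve a look before `terraform apply`. The script below is an added example and not part of the tutorial repository; it assumes the entries are consumed as source ranges for the rule that guards the MGT NIC, treats bare addresses as `/32`, and uses a `/24` threshold of its own choosing to flag ranges broader than an administrator's site. The sample `terraform.tfvars` content is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: sanity-check the vmseries_mgmt_ips
# entries in terraform.tfvars before running terraform apply. The tutorial
# describes the variable as the IPv4 addresses allowed to reach the VM-Series
# MGT NIC; this script assumes those entries end up as source ranges of the
# firewall rule guarding that NIC and flags entries that would admit far more
# than an administrator's own addresses.

# Constructed sample tfvars content (not the repository's example file).
SAMPLE_TFVARS='project_id        = "my-project"
vmseries_mgmt_ips = ["203.0.113.10/32", "198.51.100.0/24", "0.0.0.0/0"]
configure_ncc     = true'

# check_mgmt_ips FILE: prints one line per overly broad entry and returns 1
# if any were found, 0 if every entry is a single host or a /24 or smaller.
# Bare addresses without a prefix length are treated as /32. The /24 threshold
# is this example's own choice, not a value from the tutorial.
check_mgmt_ips() {
  local file="$1" bad=0 entry prefix
  # Pull the quoted entries out of the vmseries_mgmt_ips list.
  for entry in $(sed -n 's/^[[:space:]]*vmseries_mgmt_ips[[:space:]]*=.*\[\(.*\)].*/\1/p' "$file" \
                 | tr -d '"' | tr ',' ' '); do
    case "$entry" in
      */*) prefix="${entry##*/}" ;;
      *)   prefix=32 ;;
    esac
    if [ "$entry" = "0.0.0.0/0" ]; then
      echo "$entry: allows the whole internet to reach the MGT interface"
      bad=1
    elif [ "$prefix" -lt 24 ]; then
      echo "$entry: /$prefix is broader than a single site (/24 threshold)"
      bad=1
    fi
  done
  return "$bad"
}

# Run the check against the constructed sample; point it at your real
# terraform.tfvars instead when preparing a deployment.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TFVARS" > "$tmp"
if check_mgmt_ips "$tmp"; then
  echo "vmseries_mgmt_ips looks tight enough"
else
  echo "tighten vmseries_mgmt_ips before running terraform apply"
fi
rm -f "$tmp"
```

Run it as `check_mgmt_ips terraform.tfvars` after the function is sourced; a non-zero exit means at least one entry was flagged. The check only reads the file, so it is safe to run repeatedly while editing.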
When no further changes are necessary in the configuration, deploy the resources.
1. Initialize and apply the Terraform plan.

   ```shell
   terraform init
   terraform apply
   ```

   Enter `yes` to create the resources.

2. After all the resources are created, Terraform displays the following message:

   ```
   Apply complete!

   Outputs:

   EXTERNAL_LB_IP = "35.192.118.173"
   ```
1. In Cloud Shell, create an environment variable to represent your Project ID.

   ```shell
   export PROJECT_ID=YOUR_PROJECT_ID
   ```

2. Retrieve the name of your NCC hub.

   ```shell
   export HUB_NAME=$(gcloud network-connectivity hubs list \
       --project=$PROJECT_ID \
       --format="value(name)")
   ```

3. List the spokes and verify that `spoke1-vpc`, `spoke2-vpc`, and the `trust-vpc` are onboarded to the NCC hub.

   ```shell
   gcloud network-connectivity hubs list-spokes $HUB_NAME \
       --project=$PROJECT_ID \
       --format='table(name,group,spokeType,state)'
   ```

   (output)

   ```
   NAME    GROUP   TYPE         STATE
   spoke1  edge    VPC_NETWORK  ACTIVE
   spoke2  edge    VPC_NETWORK  ACTIVE
   trust   center  VPC_NETWORK  ACTIVE
   ```

> [!IMPORTANT]
> Ensure that both `spoke1-vpc` and `spoke2-vpc` are assigned to the EDGE group, and the `trust-vpc` is assigned to the CENTER group. All spokes must show `state=ACTIVE`.
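
The group placement above is what enforces the segmentation: an edge spoke that lands in the center group could talk to the other edge spoke without passing the firewall. The following script is an added example, not code from the tutorial repository, that turns the manual check into a pass/fail test. It reads the table produced by the `gcloud network-connectivity hubs list-spokes` command above on stdin and assumes the `GROUP` column shows the bare group name (`edge`, `center`) exactly as the tutorial's sample output does; the sample table embedded below is constructed in that shape.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial repository: check that the NCC
# spokes landed in the right groups. It reads the table produced by
#   gcloud network-connectivity hubs list-spokes "$HUB_NAME" \
#       --project="$PROJECT_ID" --format='table(name,group,spokeType,state)'
# on stdin and assumes the GROUP column shows the bare group name (edge,
# center) exactly as the tutorial's sample output does.

# Constructed sample output in the shape the tutorial shows.
SAMPLE_SPOKES='NAME    GROUP   TYPE         STATE
spoke1  edge    VPC_NETWORK  ACTIVE
spoke2  edge    VPC_NETWORK  ACTIVE
trust   center  VPC_NETWORK  ACTIVE'

# verify_spokes: reads the spoke table on stdin; prints one line per problem
# and returns 1 if any spoke is missing, in the wrong group, or not ACTIVE.
verify_spokes() {
  awk '
    BEGIN {
      # Placement the tutorial requires: workloads in edge, firewall in center.
      expected["spoke1"] = "edge"
      expected["spoke2"] = "edge"
      expected["trust"]  = "center"
    }
    NR == 1 { next }                          # skip the header row
    NF >= 4 {
      name = $1; group = $2; state = $4
      seen[name] = 1
      if (!(name in expected)) {
        printf "%s: unexpected spoke on the hub\n", name; bad = 1
      } else if (group != expected[name]) {
        printf "%s: in group %s, expected %s\n", name, group, expected[name]; bad = 1
      }
      if (state != "ACTIVE") {
        printf "%s: state %s, expected ACTIVE\n", name, state; bad = 1
      }
    }
    END {
      for (name in expected)
        if (!(name in seen)) { printf "%s: not onboarded to the hub\n", name; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Run against the constructed sample; replace the printf with the gcloud
# command above to check a live hub.
printf '%s\n' "$SAMPLE_SPOKES" | verify_spokes && echo "spoke placement OK"
```

Against a live deployment, pipe the `gcloud ... list-spokes` output into `verify_spokes`; a spoke still in a transitional state shows up as a non-ACTIVE line, so the check can simply be re-run until it passes.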
To access the VM-Series user interface, a password must be set for the `admin` user.
> [!CAUTION]
> It may take an additional 10 minutes for the firewalls to become fully available.
1. Retrieve the `EXTERNAL_IP` attached to the VM-Series MGT interface (`NIC1`).

   ```shell
   gcloud compute instances list \
       --filter='tags.items=(vmseries-tutorial)' \
       --format='value(EXTERNAL_IP)'
   ```

2. SSH to the VM-Series using the `EXTERNAL_IP` with your private SSH key.

   ```shell
   ssh admin@EXTERNAL_IP -i ~/.ssh/vmseries-tutorial
   ```

3. On the VM-Series, set a password for the `admin` username.

   ```
   configure
   set mgt-config users admin password
   ```

4. Commit the changes.

   ```
   commit
   ```

5. Enter `exit` twice to terminate the session.

6. Access the VM-Series web interface using a web browser. Log in with the `admin` user and password.

   ```
   https://EXTERNAL_IP
   ```
Test inbound internet traffic by accessing the forwarding rule on the external load balancer. Traffic received by the load balancer is forwarded to the VM-Series for inspection. If the VM-Series permits the traffic, it performs source NAT to its trust interface (so that the return traffic comes back through the firewall) and destination NAT to the target application in the spoke VPC network.
> [!IMPORTANT]
> The spoke VMs in this tutorial are configured with Jenkins and a generic web service.
1. Open an HTTP connection to the web service on `spoke1-vm1` by copying the `EXTERNAL_LB_IP` output value into a web browser. You can retrieve the `EXTERNAL_LB_IP` by entering `terraform output` in Cloud Shell.

   ```
   http://EXTERNAL_LB_IP
   ```

2. Open an SSH session with `spoke2-vm1` using the `EXTERNAL_LB_IP` output value.

   ```shell
   ssh paloalto@EXTERNAL_LB_IP -i ~/.ssh/vmseries-tutorial
   ```

3. On the VM-Series, go to Monitor → Traffic.

4. Enter the following into the log filter to view your internet inbound traffic.

   ```
   (( port.dst eq '80' ) or ( port.dst eq '22' )) and (( app eq 'ssh' ) or ( app eq 'web-browsing' ))
   ```

> [!NOTE]
> The external load balancer distributes the HTTP and SSH requests to the VM-Series. The VM-Series inspects and translates HTTP traffic to `spoke1-vm1` and SSH traffic to `spoke2-vm1`.
In an NCC star topology, protected workloads reside in edge VPCs, and the VM-Series is deployed in the center VPC, which serves as its `trust-vpc`. The NCC hub shares routes with the edge spokes so they forward all traffic to the center for inspection, using the VM-Series internal load balancer as the next hop.
1. From `spoke2-vm1`, test outbound internet inspection by generating pseudo-malicious traffic to the internet.

   ```shell
   curl -s -o /dev/null -w "%{http_code}\n" http://www.eicar.org/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh --data "echo Content-Type: text/plain; echo; uname -a" --max-time 2
   curl -s -o /dev/null -w "%{http_code}\n" http://www.eicar.org/cgi-bin/user.sh -H "FakeHeader:() { :; }; echo Content-Type: text/html; echo ; /bin/uname -a" --max-time 2
   ```

2. Test east-west inspection by generating pseudo-malicious traffic between `spoke2-vm1` and `spoke1-vm1`.

   ```shell
   curl http://10.1.0.10/cgi-bin/../../../..//bin/cat%20/etc/passwd
   ```

3. On the VM-Series, go to Monitor → Threat to view the threat logs.
> [!TIP]
> The security policies enable you to allow or block traffic based on the user, application, and device. When traffic matches an allow rule, the security profiles that are attached to the rule provide further content inspection. See Cloud-Delivered Security Services for more information.
Delete all the resources when you no longer need them.
1. Run the following command:

   ```shell
   terraform destroy
   ```

2. At the prompt to perform the actions, enter `yes`. After all the resources are deleted, Terraform displays the following message:

   ```
   Destroy complete!
   ```
- Learn about the VM-Series on Google Cloud.
- Getting started with Palo Alto Networks PAN-OS.
- Read about securing Google Cloud Networks with the VM-Series.
- Learn about VM-Series licensing on all platforms.
- Use the VM-Series Terraform modules for Google Cloud.