Network appliances are becoming very popular in cloud deployments. Customers already use virtual and physical network appliances on-premises and, over time, have become familiar with the look and feel of their GUI; they want the same familiar interface in the cloud.
Besides this, native cloud network security does not provide the level of control that might be required if, for example, the customer is in the financial business. Security audits require them to keep connectivity logs, and this is not easily achievable with native cloud controls.
There are two main architectures for deploying an appliance into the cloud:
Protect North-South traffic - the appliance needs two data vNICs in two subnets: one public and one private. In this scenario, traffic from the internal networks to a CIDR range other than the VCN CIDR can be protected. This topology cannot protect East-West traffic, because that traffic is routed within the VCN and is not forced through the appliance;
Protect East-West traffic - the appliance needs two "Inside" data vNICs in two VCNs with non-overlapping IP address ranges and one "Outside" vNIC attached to a third VCN. The "Inside" networks are forced through the appliance in order to communicate with each other.
In the previous article I uploaded the Palo Alto VM image into OCI and created a Custom Image from it. This article focuses on the creation of a Palo Alto VM that uses a mix of the two architectures discussed above. We will have 3 vNICs: two data vNICs and one Management vNIC, called Management, Outside and Inside. Each vNIC is in a separate VCN, one per function: management, inside and outside. In each VCN there is a subnet to which the VM's vNIC is attached: management - public subnet, outside - public subnet and inside - private subnet.
The Palo Alto can be managed via CLI or via GUI. In this article I will use the GUI and connect to it via the public Management IP address. As a good security practice, I allowed connectivity only from the public IP address that my Internet provider assigned to me.
The scenario is depicted in the diagram below:
The article has the following prerequisites:
A valid OCI account with enough resources to spin up the VM and an Object Storage bucket for the PA image;
A valid support contract with Palo Alto in order to download the qcow2 image;
Creation of the Custom Image in OCI as the previous article describes.
Below I will enumerate the steps needed to create a Palo Alto VM on OCI:
At this step we need to create objects for the following IP addresses and, after creation, commit the changes:
After committing the changes you will notice that the interfaces are in the Down state:
Login to OCI and navigate to Compute > Instances > Create Instance and choose Change Image Source:
Navigate to Custom Images:
Select the PA Image:
Name your VM:
Change the shape of the VM in order to get a minimum of 3 vNICs:
Configure the networking so that the VM has vNIC in the management subnet:
Wait until the VM is in running state:
Under the instance details go to Attached VNICs and add two more vNICs: the first for Outside and the second for Inside:
Open a browser and connect to the Management IP address:
Navigate to Network > Interfaces and observe the Interfaces:
Navigate to Objects > Addresses and add the new objects:
Most modern firewalls use objects in their configuration. This means that when we want, for example, to configure an IP address on an interface, we need an object that holds that IP address, and that object is then assigned to the interface. The Management interface is a special case: it takes a dynamic IP address by default and does not need a route entry. Management is used only to connect to the firewall and does not forward traffic; basically it is the management plane and carries no data-plane traffic.
Internal subnet: PA-VM-Inside_Net 172.31.0.0/24 - this object reflects the internal reachable subnets.
Next-hop for the internal subnet from the PA point of view (VCN Networking Service): nexthop_inside 172.31.0.1 - this object tells the firewall which next-hop to use in order to reach the internal network.
Next-hop for the external subnet from the PA point of view (VCN Networking Service): nexthop_outside 172.30.0.1 - this object tells the firewall which next-hop to use in order to reach the external network.
External vNIC IP address: PA-VM-eth1-1-outside 172.30.0.3/29
Internal vNIC IP address: PA-VM-eth1-2-Inside 172.31.0.2/29
Default route destination: Default 0.0.0.0/0
Navigate to Network > Zones and add two Zones: Inside and Outside (Type: Layer3):
Navigate to Network > Virtual Routers and create a new VR:
After committing the changes, navigate to Network > Interfaces and click on the ethernet1/1 interface. Edit it with the following configuration:
Configure the interface ethernet1/2 as follows:
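As an added example (my own, not from the article or from Palo Alto Networks), the addressing plan above as a small Python script that sanity-checks it (each next-hop must be on-link for its interface, and the Inside and Outside subnets must not overlap) and emits the PAN-OS configure-mode `set` commands equivalent to the Objects, Zones, Virtual Router and Interfaces steps. The virtual-router name VR-OCI and the static-route names are assumptions, since the article does not name them.

```python
import ipaddress

# Interface plan from the article: PAN-OS interface -> (zone, address object,
# interface IP/prefix, next-hop object, next-hop IP). Names and prefixes are the page's.
INTERFACES = {
    "ethernet1/1": ("Outside", "PA-VM-eth1-1-outside", "172.30.0.3/29",
                    "nexthop_outside", "172.30.0.1"),
    "ethernet1/2": ("Inside", "PA-VM-eth1-2-Inside", "172.31.0.2/29",
                    "nexthop_inside", "172.31.0.1"),
}
# Static routes: (route name [assumed], destination object, destination prefix, egress interface)
ROUTES = [
    ("default-via-outside", "Default", "0.0.0.0/0", "ethernet1/1"),
    ("inside-net", "PA-VM-Inside_Net", "172.31.0.0/24", "ethernet1/2"),
]
VR_NAME = "VR-OCI"  # assumed: the article creates a VR but does not name it

def nexthop_is_onlink(iface_cidr: str, nexthop: str) -> bool:
    """A static route's next-hop must be inside the egress interface's own subnet;
    otherwise the firewall cannot resolve it and the route never becomes usable."""
    return ipaddress.ip_address(nexthop) in ipaddress.ip_interface(iface_cidr).network

def check_topology() -> list:
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    for iface, (_zone, _obj, cidr, nh_obj, nh_ip) in INTERFACES.items():
        if not nexthop_is_onlink(cidr, nh_ip):
            problems.append(f"{nh_obj} {nh_ip} is not on-link for {iface} ({cidr})")
    nets = [ipaddress.ip_interface(v[2]).network for v in INTERFACES.values()]
    if nets[0].overlaps(nets[1]):  # the design relies on non-overlapping VCN ranges
        problems.append("Inside and Outside subnets overlap")
    return problems

def panos_set_commands() -> list:
    """Configure-mode 'set' lines equivalent to the GUI steps (address objects, zones, VR, routes)."""
    cmds = []
    for _iface, (_zone, obj, cidr, nh_obj, nh_ip) in INTERFACES.items():
        cmds.append(f"set address {obj} ip-netmask {cidr}")
        cmds.append(f"set address {nh_obj} ip-netmask {nh_ip}")
    for _name, dst_obj, dst, _iface in ROUTES:
        cmds.append(f"set address {dst_obj} ip-netmask {dst}")
    for iface, (zone, obj, _cidr, _nh_obj, _nh_ip) in INTERFACES.items():
        cmds.append(f"set network interface ethernet {iface} layer3 ip {obj}")
        cmds.append(f"set zone {zone} network layer3 {iface}")
        cmds.append(f"set network virtual-router {VR_NAME} interface {iface}")
    for name, _obj, dst, iface in ROUTES:
        cmds.append(f"set network virtual-router {VR_NAME} routing-table ip static-route {name} "
                    f"destination {dst} nexthop ip-address {INTERFACES[iface][4]} interface {iface}")
    return cmds
```

Run `check_topology()` before pasting the output of `panos_set_commands()` into configure mode and committing; a non-empty list means a next-hop or subnet in the plan does not match the OCI VCN layout.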
Navigate to Device > Setup > Operations and reboot device:
After the device reboots, the interfaces will appear as UP:
With this final step, the PA VM is up and operational.
This article covered the creation of a PA VM in OCI based on the custom image that was uploaded in my previous article.