{"id":19925693,"url":"https://github.com/paloaltonetworks/google-cloud-vmseries-ncc-tutorial","last_synced_at":"2025-03-01T10:30:08.968Z","repository":{"id":246911809,"uuid":"824252668","full_name":"PaloAltoNetworks/google-cloud-vmseries-ncc-tutorial","owner":"PaloAltoNetworks","description":"A brief tutorial showing how to use Google Cloud Network Connectivity Center with VM-Series.","archived":false,"fork":false,"pushed_at":"2024-11-27T17:44:17.000Z","size":3860,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-12T00:29:14.032Z","etag":null,"topics":["gcp","google-cloud","google-cloud-platform","highavailability","ncc","network-connectivity-center","pan-os","terraform","vm-series","vmseries"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PaloAltoNetworks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-04T17:30:30.000Z","updated_at":"2024-11-27T17:44:21.000Z","dependencies_parsed_at":"2024-07-05T21:30:20.610Z","dependency_job_id":"ce1b6037-c2c9-4ab9-8d9c-6e8a94d4cdde","html_url":"https://github.com/PaloAltoNetworks/google-cloud-vmseries-ncc-tutorial","commit_stats":null,"previous_names":["paloaltonetworks/google-cloud-vmseries-ncc-tutorial"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaloAltoNetworks%2Fgoogle-cloud-vmseries-ncc-tutorial","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/PaloAltoNetworks%2Fgoogle-cloud-vmseries-ncc-tutorial/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaloAltoNetworks%2Fgoogle-cloud-vmseries-ncc-tutorial/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaloAltoNetworks%2Fgoogle-cloud-vmseries-ncc-tutorial/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PaloAltoNetworks","download_url":"https://codeload.github.com/PaloAltoNetworks/google-cloud-vmseries-ncc-tutorial/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241352920,"owners_count":19948942,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","google-cloud","google-cloud-platform","highavailability","ncc","network-connectivity-center","pan-os","terraform","vm-series","vmseries"],"created_at":"2024-11-12T22:23:46.340Z","updated_at":"2025-03-01T10:30:08.929Z","avatar_url":"https://github.com/PaloAltoNetworks.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Google Cloud NCC \u0026 VM-Series Tutorial\n\nThis tutorial shows how to perform cross-region failover by connecting VM-Series as a [router appliance](https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/ra-overview) to a [Network Connectivity Center](https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview) (NCC) hub. 
\n\nBeyond cross-region failover, using the VM-Series as a router appliance with NCC supports other use cases, including:\n\n* Connecting remote networks to Google Cloud while providing full BGP route exchange.\n* Creating a global WAN network secured with VM-Series deployed in Google Cloud.\n* Facilitating disaster recovery network operations with regionally distributed VM-Series.\n\nThis tutorial is intended for network administrators, solution architects, and security professionals who are familiar with [Compute Engine](https://cloud.google.com/compute) and [Virtual Private Cloud (VPC) networking](https://cloud.google.com/vpc).\n\n\n\n## Architecture\n\nBelow is a diagram of the tutorial.  \n\n\u003cimg src=\"images/diagram.png\"\u003e\n\n* 3 x VPCs are created (`mgmt`, `untrust`, \u0026 `vpc1`), each containing subnets in `us-east1` \u0026 `us-west1`. \n* 1 x VM-Series is created in each region (`us-east1-vmseries` \u0026 `us-west1-vmseries`) with a NIC in each VPC. \n* The firewall's NIC in `vpc1` is connected as a router appliance to an NCC hub.\n* In each region, the firewalls are BGP neighbors with Cloud Routers, enabling end-to-end route propagation.\n* In the event of a regional failure, egress traffic from the affected region in `vpc1` is automatically rerouted to the firewall in the healthy region through dynamic route propagation.\n\n## Requirements\n\nThe following is required for this tutorial:\n\n1. A Google Cloud project. \n2. A machine with Terraform version `\u003e= 0.15.3, \u003c 2.0`.\n\n\u003e [!NOTE]\n\u003e This tutorial assumes you are using Google Cloud Shell. \n\n\n## Prepare for Deployment\n\n1. Enable the required APIs and clone the repository. \n\n    ```\n    gcloud services enable compute.googleapis.com\n    git clone https://github.com/PaloAltoNetworks/google-cloud-vmseries-ncc-tutorial\n    cd google-cloud-vmseries-ncc-tutorial\n    ```\n\n2. 
Generate an SSH key.\n\n    ```\n    ssh-keygen -f ~/.ssh/vmseries-tutorial -t rsa\n    ```\n\n3. Create a `terraform.tfvars` file.\n\n    ```\n    cp terraform.tfvars.example terraform.tfvars\n    ```\n\n4. Edit the `terraform.tfvars` file and set values for the following variables:\n\n    | Key                         | Value                                                                                | \n    | --------------------------- | ------------------------------------------------------------------------------------ |\n    | `project_id`                | The Project ID within Google Cloud.                                                  |\n    | `public_key_path`           | The local path of the public key you previously created.                             |\n    | `mgmt_allow_ips`            | A list of IPv4 addresses which require access to the VM-Series MGT NIC.              |\n    | `vmseries_image_name`       | The VM-Series image to deploy.                                                       |\n\n\u003e [!TIP]\n\u003e For `vmseries_image_name`, a full list of public images can be found using `gcloud`:\n\u003e ```\n\u003e gcloud compute images list --project paloaltonetworksgcp-public --filter='name ~ .*vmseries-flex.*'\n\u003e ```\n\n\u003e [!NOTE]\n\u003e If you are using a BYOL image (i.e. `vmseries-flex-byol-*`), the license can be applied during or after deployment.  To license during deployment, add your VM-Series Authcodes to `bootstrap_files/authcodes`. \u003cbr\u003e\u003cbr\u003eSee [VM-Series Bootstrap Methods](https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/bootstrap-the-vm-series-firewall) for more information.\n\n\n### Deploy\n\nWhen no further changes are necessary in the configuration, deploy the resources.\n\n1. Initialize and apply the Terraform plan.  \n\n    ```\n    terraform init\n    terraform apply\n    ```\n\n    Enter `yes` to create the resources.\n\n2. 
After all the resources are created, Terraform displays the following message:\n\n    ```\n    Apply complete!\n\n    Outputs:\n\n    SSH_VMSERIES_REGION1 = \"ssh admin@\u003cEXTERNAL_IP\u003e -i ~/.ssh/vmseries-tutorial\"\n    SSH_VMSERIES_REGION2 = \"ssh admin@\u003cEXTERNAL_IP\u003e -i ~/.ssh/vmseries-tutorial\"\n    SSH_VM_REGION1       = \"gcloud compute ssh paloalto@us-central1-vm --zone=us-central1-a\"\n    SSH_VM_REGION2       = \"gcloud compute ssh paloalto@us-east4-vm --zone=us-east4-a\"\n    ```\n\n\u003e [!CAUTION]\n\u003e It may take an additional 10 minutes for the firewalls to become fully available. \n\n## Access the VM-Series firewall\n\nTo access the VM-Series user interface, a password must be set for the `admin` user on each firewall.\n\n1. Use the `SSH_VMSERIES_REGION1` output to SSH to the mgmt NIC on `us-east1-vmseries`.\n\n2. On the VM-Series, set a password for the `admin` username. \n\n    ```\n    configure\n    set mgt-config users admin password\n    ```\n\n3. Commit the changes.\n\n    ```\n    commit\n    ```\n\n4. Enter `exit` twice to terminate the session.\n\n5. Log in to the VM-Series web interface using the username `admin` and your password.\n\n    ```\n    https://\u003cEXTERNAL_IP\u003e\n    ```\n\n6. Repeat the process for `us-west1-vmseries` by using the `SSH_VMSERIES_REGION2` output. \n\n\n## Review Configuration\n\nConfirm BGP has been established between the VM-Series \u0026 Cloud Routers in each region.  Then, verify routes are exchanged between the peers.\n\n\u003e [!NOTE]\n\u003e The Terraform plan creates the Cloud Routers for each region within `vpc1`.  It also bootstraps the VM-Series with a configuration to automatically establish BGP with the Cloud Routers. \n\n### VM-Series BGP Configuration\n\n1. On each VM-Series, go to **Network → Virtual Routers**. \n\n2. 
Next to `gcp-vr`, select **More Runtime Stats**.\n\n    \u003cimg src=\"images/image01.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e The virtual router contains all of the routing configuration on the VM-Series. To view the BGP configuration, open `gcp-vr` and select the **BGP** tab.\n    \u003cbr\u003e\n\n3. Click **BGP → Peer** to view the status of the BGP peering sessions with each region's Cloud Router.\n\n    **us-east1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image02.png\" width=75%\u003e\n\n    **us-west1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image03.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e Both connections should be listed as `Established`.\n    \u003cbr\u003e\n\n4. Click **Local RIB** to view the routing information the firewall has learned and selected for use.\n    \n    **us-east1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image04.png\" width=75%\u003e\n\n    **us-west1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image05.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e Routes with the `*` flag are preferred routes. \n    \u003cbr\u003e\n\n5. Click **RIB Out** to view the routes exported by the VM-Series to the Cloud Routers.\n\n    **us-east1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image06.png\" width=75%\u003e\n\n    **us-west1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image07.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e A default route is exported for each Cloud Router's peering interface.\n\n### Network Connectivity Center Configuration\n\n1. In Google Cloud, go to **Network Connectivity → Network Connectivity Center**. \n\n2. Click **Spokes** and select the `vmseries-us-east1-spoke` router appliance.\n\n    \u003cimg src=\"images/image08.png\" width=90%\u003e\n\n3. 
Within each spoke, open `peer0` \u0026 `peer1` to view the peering status along with any advertised routes. \n\n    \u003cimg src=\"images/image09.png\"\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e The Cloud Router in each region automatically propagates subnet routes to the VM-Series firewalls.\n\n4. Repeat the process for the `vmseries-us-west1-spoke` router appliance.\n\n\n\n### Review VPC Route Table\n\n1. In Google Cloud, go to **VPC Network → Routes → Effective Routes**.\n    \u003e :bulb: **Information** \u003cbr\u003e\n    \u003e This window shows the effective routes for a given VPC, including the dynamic routes propagated by the VM-Series and Cloud Routers.\n    \u003cbr\u003e\n\n2. Set **VPC** to `vpc1` \u0026 **Region** to `us-east1` to view the effective routes for `us-east1` traffic.\n    \n    \u003cimg src=\"images/image10.png\" width=80%\u003e\n    \n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e The preferred default route (priority `0`) for `us-east1` uses `us-east1-vmseries` as the next hop.\n    \u003cbr\u003e\n\n3. Set **Region** to `us-west1` to view the effective routes for `us-west1` traffic.\n\n    \u003cimg src=\"images/image11.png\" width=80%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e The preferred default route (priority `0`) for `us-west1` uses `us-west1-vmseries` as the next hop.\n    \u003cbr\u003e\n\n## Generate Outbound Traffic\nAccess the workload VMs in each region to initiate egress internet traffic.  Then, verify that traffic sourced from `us-east1` traverses `us-east1-vmseries` and traffic sourced from `us-west1` traverses `us-west1-vmseries`. \n\n\u003cimg src=\"images/diagram_egress.png\"\u003e\n\n\u003e [!NOTE]\n\u003e You can redisplay the Terraform output values at any time by running `terraform output` from the `google-cloud-vmseries-ncc-tutorial` directory. \n\n1. In Cloud Shell, open two additional tabs :heavy_plus_sign:. \n\n2. 
In the 1st tab, paste the `SSH_VM_REGION1` output to SSH to `us-east1-vm` (`10.1.0.5`).\n\n3. In the 2nd tab, paste the `SSH_VM_REGION2` output to SSH to `us-west1-vm` (`10.1.0.21`).\n\n4. On each VM, run a continuous ping to an internet address.\n\n    ```\n    ping 4.2.2.2\n    ```\n    \u003e **Keep the pings running.**\n    \u003cbr\u003e\n\n5. On each VM-Series, go to **Monitor → Traffic** and enter the following traffic filter.\n\n    ```\n    ( zone.src eq 'vpc1' ) and ( addr.dst in '4.2.2.2' )\n    ```\n\n    **us-east1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image12.png\" width=75%\u003e\n\n    **us-west1**\n    \u003cbr\u003e\n    \u003cimg src=\"images/image13.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e \n    \u003e You should see that traffic from `us-east1-vm` (`10.1.0.5`) uses the preferred route to `us-east1-vmseries` \u0026 traffic from `us-west1-vm` (`10.1.0.21`) uses the preferred route to `us-west1-vmseries`. \n    \u003cbr\u003e\n\n\n## Simulate Cross-Region Failover\nSimulate a regional failure event for `us-east1` by terminating the BGP connectivity on `us-east1-vmseries`.  After failover, the dynamic routes using `us-east1-vmseries` will converge to use `us-west1-vmseries`.\n\n\u003cimg src=\"images/diagram_failover.png\"\u003e\n\n\n### Disable BGP on us-east1-vmseries\n\n1. On `us-east1-vmseries`, go to **Network → Virtual Routers** and select `gcp-vr`.\n\n2. Click **BGP** → uncheck **Enable** → click **OK**.\n\n    \u003cimg src=\"images/image14.png\" width=70%\u003e\n\n3. In the top-right corner, click **Commit → Commit** to apply the changes. \n\n4. Wait for the commit to complete.\n\n\n### Review VPC Route Table \u0026 VM-Series Traffic Logs\n\n1. In Google Cloud, go to **VPC Network → Routes → Effective Routes**.\n\n2. 
Set **Network** to `vpc1` and **Region** to `us-east1`.\n    \n    \u003cimg src=\"images/image15.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e\n    \u003e The default route for `us-east1` traffic should now use `us-west1-vmseries` as the next hop. \n    \u003cbr\u003e\n\n3. On `us-west1-vmseries`, go to **Monitor → Traffic**. \n\n    \u003cimg src=\"images/image16.png\" width=75%\u003e\n\n    \u003e :bulb: **Information** \u003cbr\u003e\n    \u003e Pings from `us-east1-vm` (`10.1.0.5`) should now appear in the `us-west1-vmseries` traffic logs, indicating a successful failover. \n    \u003cbr\u003e\n\n\u003e [!IMPORTANT]\n\u003e In production environments, it is recommended to have multiple firewalls deployed across different zones in each region.  This approach offers higher redundancy for intra-region failure events.\n\n\n\n## Clean up\nDelete all the resources when you no longer need them.\n\n1. In Cloud Shell, change directories to the Terraform build.\n\n    ```\n    cd google-cloud-vmseries-ncc-tutorial\n    ```\n\n2. Run the following to delete all the created resources.\n\n    ```\n    terraform destroy\n    ```\n    \n    Enter `yes` to delete all resources created by the Terraform plan. \n    \n    \n3. After all the resources are deleted, Terraform displays the following message:\n\n    ```\n    Destroy complete!\n    ```\n\n## Additional information\n* Learn about the [VM-Series on Google Cloud](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/about-the-vm-series-firewall-on-google-cloud-platform).\n* Getting started with [Palo Alto Networks PAN-OS](https://docs.paloaltonetworks.com/pan-os). 
\n* Read about [securing Google Cloud Networks with the VM-Series](https://cloud.google.com/architecture/partners/palo-alto-networks-ngfw).\n* Learn about [VM-Series licensing on all platforms](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-series-firewall/vm-series-firewall-licensing.html#id8fea514c-0d85-457f-b53c-d6d6193df07c).\n* Use the [VM-Series Terraform modules for Google Cloud](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/google/latest). ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaloaltonetworks%2Fgoogle-cloud-vmseries-ncc-tutorial","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaloaltonetworks%2Fgoogle-cloud-vmseries-ncc-tutorial","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaloaltonetworks%2Fgoogle-cloud-vmseries-ncc-tutorial/lists"}