Palo Alto VM-Series Design and Deployment in Google Cloud

Cloud Security – Service Insertion and Chaining

Automated, policy-based service insertion and chaining has always been a real pain point for enterprise GCP customers. Native solutions are not adequate, and 3rd-party vendors' solutions leave it up to the enterprise architect to figure out the end-to-end solution architecture.

Aviatrix FireNet for GCP solves those challenges and limitations and provides a best-practice way to service chain NGFWs and other services into a cohesive architecture.

Aviatrix Solution Advantages

  • Policy-Based Inspection – decide what traffic is being inspected
  • Traffic Engineering – customize traffic flow
  • NGFW Life Cycle management – deployment of VMs
  • Automated Route Propagation – the controller manages the firewall’s route table
  • HA with Automated Failover
  • Flexible Design Options
    • Single Centralized Security VPC
    • Dual Centralized Security VPCs with Dedicated E/W + N/S VPC and Dedicated Egress VPC
  • Full visibility on E-W/on-prem to cloud traffic flows
    • No BGP/ECMP
    • No SNAT required when Symmetric Hashing is enabled

We want to highlight two large enterprises utilizing Aviatrix FireNet to solve NGFW service insertion pain points.

1- Hospitality Chain: Ingress Traffic Inspection for GKE Workload

For this customer, inspecting ingress traffic destined for the GKE ingress controller was a challenge for the GKE workload because of their compliance policies. The following explains their ingress web traffic requirement:

  • Route ingress traffic to a dedicated Ingress Spoke VPC first
  • Ingress VPC has an Nginx LB that would receive the traffic.
  • Application LB policies were then evaluated and, based on the ingress service, the traffic had to be routed to a centralized VPC where the NGFWs were deployed

Without Aviatrix, they were forced to terminate the ingress traffic directly on the NGFW, which did not satisfy their ingress traffic requirement. Also without Aviatrix, they were forced to figure out the routing themselves and manually adjust routes whenever they spun up a new service.

Aviatrix FireNet's policy-based, flexible model allows them to meet this requirement with the traffic engineering demanded by the GKE workload.

2- Healthcare Provider: Highly Available and Policy-Based Egress Traffic Inspection

This provider processes a large number of image and video scans for their clients. The egress traffic sent to the clients after image/video processing must be secured and inspected by an NGFW to meet HIPAA compliance needs. They were forced to use Active/Standby NGFWs because of various limitations.

The Aviatrix FireNet solution allowed them to deploy the NGFWs in an Active/Active fashion without any manual route updates or GCP network tag management. In case of a failure, Aviatrix FireNet automatically redirected traffic to the available NGFW. This reduced deployment complexity and manual intervention.
