There are two ways to onboard a branch office in mainland China to
Prisma Access. The general topology of both onboarding methods is the
same; one method uses two Linux router instances and the other uses a
Palo Alto Networks VM-series firewall together with one Linux router
instance. This section provides an overview and summary steps for both
onboarding methods; the workflow that follows this section provides
detailed configuration steps for the first deployment, which uses two
router instances.
Onboard Your Branch in Mainland China Using Two Linux Router Instances
To onboard a branch office using Prisma Access, you deploy two VPCs in
Alibaba Cloud and create an Alibaba Cloud Enterprise Network (CEN)
instance to carry network communication between the two VPCs. The
router instance in the VPC in mainland China connects to the branch
office in mainland China using an IPSec tunnel, and the router instance
in the VPC outside mainland China terminates the IPSec tunnel to the
Prisma Access remote network.
IPSec tunnel packets enter the Alibaba Cloud region in mainland
China (VPC 1 in the following diagram) and then exit from a region
located outside mainland China (VPC 2 in the diagram). This solution
leverages Alibaba Cloud’s CEN feature that provides a dedicated
link with guaranteed bandwidth between VPCs in different regions.
When configuration is complete, an IPSec tunnel is formed between the
branch office (China) and the Prisma Access remote network. The
following figure provides an overview of the topology.
To connect a branch office in mainland China to a remote network
in Prisma Access, complete the following tasks:
1. Open or use an existing account (personal or enterprise) on Alibaba
Cloud.
2. Deploy two VPCs in separate regions. Deploy one VPC in mainland
China, in an Alibaba Cloud region that is close to the branch office.
Deploy the other VPC in a region that is close to a Prisma Access
location and near the headquarters or data center outside mainland
China to which you want to provide access.
3. Purchase an Alibaba Cloud CEN to connect both VPCs, and attach both
VPCs to the CEN.
4. Onboard a Prisma Access remote network in a location that is close
to VPC 2. You must use IKEv2 with NAT-T and dynamic IP addresses for
the IPSec tunnel.
5. Acquire one elastic IP address (EIP) in the mainland China VPC
(VPC 1).
6. Deploy a Linux instance in each VPC in Alibaba Cloud and configure
the instances to act as routers (router 1 and router 2) with NAT
capabilities.
7. Configure a customer premises equipment (CPE) router at the branch
office to establish an IPSec tunnel to router 1.
8. Create routes at the branch office that send traffic destined for
business applications to Prisma Access.
To connect a branch office in mainland China to Prisma Access,
you need the following software and licensing requirements:
A Prisma Access subscription.
An account on Alibaba Cloud with Admin privileges and the
ability to create a CEN and perform real-name registration.
A basic understanding of public cloud networking.
Onboard Your Branch in Mainland China Using a VM-Series Firewall With a Router Instance
If you do not have a security stack at the branch office, or if you
use SD-WAN and prefer to use a Palo Alto Networks next-generation
firewall to secure internet-bound traffic, you can deploy a VM-series
firewall in mainland China and onboard it to Prisma Access. In this
topology, the router in VPC 1 (router 1) is a VM-series firewall
configured as an internet gateway. Traffic destined for internal and
business applications is forwarded over a site-to-site IPSec tunnel
established between the VM-series firewall and Prisma Access.
With this deployment, you can use the VM-series firewall to create
and enforce security policies on the internet-bound traffic that
egresses from China. The IPSec tunnel from the branch office terminates
at the VM-series firewall. After policy enforcement, internet-bound
traffic exits from VPC 1. Traffic destined for business applications
in the headquarters or data center location is forwarded over another
site-to-site IPSec tunnel between the VM-series firewall and Prisma
Access, by way of router 2. In this deployment, the VM-series firewall
functions as if it were directly onboarded to Prisma Access as a
remote network, as shown in the following figure.
Use the following summary steps to understand this deployment and
how it differs from the deployment using two Linux router instances:
1. Open or use an existing account (personal or enterprise) on Alibaba
Cloud.
2. Deploy two VPCs in separate regions: one VPC in mainland China and
another VPC in a region that is close to the headquarters or data
center outside mainland China to which you want to provide access.
3. Purchase an Alibaba Cloud CEN to connect both VPCs. Purchase
additional bandwidth for the CEN; the bandwidth that an Alibaba Cloud
CEN provides at no cost is insufficient for a successful deployment.
4. Deploy one standard VM-series firewall instance in the VPC in
mainland China (VPC 1).
5. Deploy one standard Ubuntu Linux instance in the VPC outside
mainland China (VPC 2) and configure it to act as a router with NAT
capabilities.
6. Onboard the VM-series firewall (router 1) as a remote network. The
remote network IPSec tunnel runs between the VM-series next-generation
firewall (router 1) and Prisma Access; router 2 does not terminate the
tunnel but facilitates it by acting as a NAT device that forwards the
IKE and IPSec underlay packets to Prisma Access.
7. Configure the VM-series firewall to establish a site-to-site IPSec
tunnel to the private IP address of router 2.
8. Configure router 2 to forward IPSec packets to the Prisma Access
remote network IP address.
9. Create routes at the branch office that send traffic destined for
business applications to Prisma Access.
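Steps 6 through 8 above hinge on router 2 relaying the IKE/NAT-T underlay to Prisma Access without terminating it. The following shell script is an added example, not configuration from the Prisma Access documentation or from Palo Alto Networks, of how that relay can be expressed as iptables rules on the Ubuntu router 2. It assumes a single NIC (eth0) that carries both the CEN-facing traffic and the traffic that Alibaba Cloud maps to the instance's EIP, and it uses placeholder addresses: 10.1.0.10 for the VM-series firewall (router 1), 10.2.0.10 for router 2's private IP, and 203.0.113.10 (an RFC 5737 documentation address) for the Prisma Access remote network service IP. Because the deployment requires NAT-T, only UDP 500 and UDP 4500 are relayed: once NAT-T is negotiated, ESP travels inside UDP 4500, so no raw ESP (IP protocol 50) rule is needed and port-based NAT works.

```shell
#!/bin/sh
# Added example (not from the Prisma Access documentation): iptables rule
# generator for router 2, the Linux instance in VPC 2 that relays the IKE/
# NAT-T underlay between the VM-series firewall (router 1, reached over the
# CEN) and the Prisma Access remote network service IP.
#
# Hypothetical placeholder values; replace them with your own:
#   IFACE       NIC of router 2 facing both the CEN and the EIP-mapped path
#   ROUTER1_IP  private IP of the VM-series firewall in VPC 1
#   ROUTER2_IP  private IP of router 2 (Alibaba Cloud maps its EIP to it)
#   PRISMA_IP   service IP of the Prisma Access remote network
IFACE=eth0
ROUTER1_IP=10.1.0.10
ROUTER2_IP=10.2.0.10
PRISMA_IP=203.0.113.10   # RFC 5737 documentation address, placeholder only

# Print the rule set. Only UDP 500 (IKE) and UDP 4500 (NAT-T) are relayed:
# with NAT-T negotiated, ESP is carried inside UDP 4500, so no rule for raw
# ESP (IP protocol 50) is needed.
gen_nat_rules() {
  iface=$1; r1=$2; r2=$3; pa=$4
  echo "sysctl -w net.ipv4.ip_forward=1"
  for port in 500 4500; do
    # VM-series -> Prisma Access: rewrite the destination from router 2's
    # private IP (the firewall's configured peer) to the Prisma Access IP.
    echo "iptables -t nat -A PREROUTING -i $iface -p udp -s $r1 --dport $port -j DNAT --to-destination $pa"
  done
  # Source-NAT the relayed packets so replies return to router 2, where
  # conntrack reverses both translations back toward the VM-series firewall.
  echo "iptables -t nat -A POSTROUTING -o $iface -p udp -d $pa -m multiport --dports 500,4500 -j SNAT --to-source $r2"
  # Forwarding policy: allow the relayed IKE/NAT-T flows and their replies,
  # drop everything else that would transit router 2.
  echo "iptables -A FORWARD -i $iface -o $iface -p udp -s $r1 -d $pa -m multiport --dports 500,4500 -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"
}

# Sanity check on a generated rule set: both NAT-T ports must be DNATed to
# the Prisma Access IP, and no DNAT rule may point anywhere else.
check_rules() {
  rules=$1; pa=$2
  echo "$rules" | grep -q -- "--dport 500 -j DNAT --to-destination $pa" || return 1
  echo "$rules" | grep -q -- "--dport 4500 -j DNAT --to-destination $pa" || return 1
  if echo "$rules" | grep -- "-j DNAT" | grep -qv -- "--to-destination $pa"; then
    return 1
  fi
  return 0
}

RULES=$(gen_nat_rules "$IFACE" "$ROUTER1_IP" "$ROUTER2_IP" "$PRISMA_IP")
check_rules "$RULES" "$PRISMA_IP" || { echo "rule set failed sanity check" >&2; exit 1; }

# Dry run by default; set APPLY=1 and run as root to install the rules.
if [ "${APPLY:-0}" = 1 ]; then
  echo "$RULES" | sh -e
else
  echo "$RULES"
fi
```

Run the script as-is to print the rule set (a dry run); set APPLY=1 and run it as root on router 2 to install the rules. Prisma Access sees the tunnel source as router 2's EIP rather than the firewall's own address, which is why the remote network must be onboarded with IKEv2, NAT-T and a dynamic IP address, as the summary steps state.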
To provide secure access for mobile users in mainland China using this deployment, you need the
same software and licensing requirements as when you onboard your branch office
using two Linux router instances, with the addition of a licensed VM-series firewall
with a GlobalProtect subscription.