Connect Your Remote Network in Mainland China to Prisma Access

Where Can I Use This?
  • Prisma Access (Managed by Panorama)
There are two ways to onboard a branch office in mainland China to Prisma Access. The general topology of both methods is the same; one uses two Linux router instances, the other uses a Palo Alto Networks VM-Series firewall plus one Linux router instance. This section gives an overview and summary steps for both methods; the workflow that follows this section gives detailed configuration steps for the first deployment, the one that uses two router instances.

Onboard Your Branch in Mainland China Using Two Linux Router Instances

To onboard a branch office using two Linux router instances, you deploy two VPCs in Alibaba Cloud and create an Alibaba Cloud Enterprise Network (CEN) to carry traffic between them. The router instance in the VPC in mainland China accepts the IPSec tunnel from the branch office in mainland China, and the router instance in the VPC outside mainland China passes that tunnel on to the Prisma Access remote network.
IPSec tunnel packets enter the Alibaba Cloud region in mainland China (VPC 1 in the following diagram) and exit from a region located outside mainland China (VPC 2 in the diagram). This solution relies on the CEN, which provides a dedicated link with guaranteed bandwidth between VPCs in different regions. When configuration is complete, a single IPSec tunnel is established between the branch office (China) and the Prisma Access remote network; the two router instances only relay its packets. The following figure provides an overview of the topology.
To connect a branch office in mainland China to a remote network in Prisma Access, complete the following tasks.
  • Open or use an existing account (either personal or enterprise) on Alibaba Cloud.
  • Deploy two VPCs in separate regions.
    Deploy one VPC in mainland China. Select an Alibaba Cloud region that is close to the office. Deploy another VPC in a region that is close to a Prisma Access location and near the headquarters or data center location outside of mainland China to which you want to provide access.
  • Purchase an Alibaba Cloud CEN to connect both VPCs and attach both VPCs to a CEN.
  • Onboard a Prisma Access remote network in a location that is close to VPC 2.
    You must use IKEv2 with NAT-T and a dynamic peer IP address for the IPSec tunnel, because the IKE peer that Prisma Access sees is router 2, which forwards the branch tunnel from behind NAT rather than the branch CPE itself.
  • Acquire one elastic IP address in the mainland China VPC (VPC 1).
  • Deploy a Linux instance in each VPC in Alibaba Cloud and configure the instances to act as routers (router 1 and router 2) with NAT capabilities.
  • Configure a customer premises equipment (CPE) router at the branch office to establish an IPSec tunnel to router 1.
  • Create routes at the branch office to send traffic destined for business applications to Prisma Access.
To connect a branch office in mainland China to Prisma Access, you need the following software, licensing, and skills:
  • A Prisma Access subscription.
  • An account on Alibaba Cloud with Admin privileges and the ability to create a CEN and perform real-name registration.
  • A basic understanding of public cloud networking.

Onboard Your Branch in Mainland China Using a VM-Series Firewall With a Router Instance

If you do not have a security stack at the branch office, or if you use SD-WAN and would prefer a Palo Alto Networks next-generation firewall to secure internet-bound traffic, you can deploy a VM-Series firewall in mainland China and onboard it to Prisma Access. In this topology, the router in VPC 1 (router 1) is a VM-Series firewall configured as an internet gateway. Traffic destined for internal and business applications is forwarded over a site-to-site IPSec tunnel established between the VM-Series firewall and Prisma Access.
With this deployment, you use the VM-Series firewall to create and enforce security policy on the internet-bound traffic that egresses from China. The IPSec tunnel from the branch office terminates at the VM-Series firewall. After policy enforcement, internet-bound traffic exits directly from VPC 1. Traffic destined for business applications at the headquarters or data center is forwarded over a second site-to-site IPSec tunnel between the VM-Series firewall and Prisma Access, relayed by router 2. As a result, the VM-Series firewall functions as if it were directly onboarded to Prisma Access as a remote network, as shown in the following figure.
Use the following summary steps to understand this deployment and see how it differs from the deployment using two Linux router instances:
  • Open or use an existing account (either personal or enterprise) on Alibaba Cloud.
  • Deploy two VPCs in separate regions.
    Deploy one VPC in mainland China and another VPC in a region that is close to the headquarters or data center location outside of mainland China to which you want to provide access.
  • Purchase an Alibaba Cloud CEN to connect both VPCs.
    Purchase additional bandwidth for the CEN; the bandwidth that an Alibaba Cloud CEN provides you at no cost is insufficient to ensure a successful deployment.
  • Deploy one standard VM-series firewall instance in the VPC in mainland China (VPC 1).
  • Deploy one standard Ubuntu Linux instance in the VPC outside of mainland China (VPC 2) and configure the instance to act as a router with NAT capabilities.
  • Onboard the VM-series firewall (router 1) as a remote network.
    The IPSec tunnel for the remote network runs between the VM-Series firewall (router 1) and Prisma Access. Router 2 does not terminate the tunnel; it acts as a NAT device that forwards the IKE and IPSec underlay packets (UDP 500 and 4500 with NAT-T) between router 1 and Prisma Access.
  • Configure the VM-series firewall to establish a site-to-site IPSec tunnel to the private IP address of router 2.
  • Configure router 2 to forward IPSec packets to the Prisma Access remote network IP address.
  • Create routes at the branch office to send traffic destined for business applications to Prisma Access.
To provide secure access for mobile users in mainland China using this deployment, you need the same software and licensing requirements as when you onboard your branch office using two Linux router instances, plus a licensed VM-Series firewall with a GlobalProtect subscription.
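Both summaries above depend on a Linux instance that "acts as a router with NAT capabilities" and relays the IKE and IPSec underlay packets one hop closer to Prisma Access. The following script is an added example written for this page; it is not part of the Prisma Access or Alibaba Cloud documentation and not a Palo Alto Networks tool. It generates, and optionally applies, the iptables rules for such a hop: in the two-router deployment it runs on router 1 (source = the branch CPE public IP, next hop = router 2's private IP over the CEN) and on router 2 (source = router 1's private IP, next hop = the Prisma Access remote network service IP); in the VM-Series deployment it runs on router 2 only. All addresses and the interface name are constructed placeholders, and the Alibaba VPC route table must still point the relevant prefixes at the instance, which the script does not do.

```shell
#!/bin/sh
# Added example (not from the Prisma Access documentation): configure a Linux
# instance as the NAT hop that relays IKEv2/NAT-T underlay packets (UDP 500 and
# 4500) one hop closer to Prisma Access. Run it on router 1 with the branch CPE
# public IP and router 2's private IP, and on router 2 with router 1's private
# IP and the Prisma Access remote network service IP. All addresses below are
# placeholders you replace with values from your own consoles.
set -eu

# is_ipv4 <addr>: succeed only for a dotted-quad IPv4 address (0-255 per octet).
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# gen_ipsec_nat_rules <allowed-src> <next-hop> <egress-iface>
# Print the iptables commands that forward IKE/NAT-T packets arriving from
# <allowed-src> to <next-hop>, rewriting their source to this host's address on
# <egress-iface> so the reply path is symmetric. Nothing is applied here.
gen_ipsec_nat_rules() {
  src="$1"; next_hop="$2"; iface="$3"
  if ! is_ipv4 "$src" || ! is_ipv4 "$next_hop"; then
    echo "gen_ipsec_nat_rules: bad IPv4 address" >&2
    return 1
  fi
  # Only the expected upstream peer may open a flow through this hop.
  echo "iptables -P FORWARD DROP"
  for port in 500 4500; do
    # DNAT: IKE (500) and NAT-T encapsulated ESP (4500) go on to the next hop.
    echo "iptables -t nat -A PREROUTING -s ${src} -p udp --dport ${port} -j DNAT --to-destination ${next_hop}:${port}"
    echo "iptables -A FORWARD -s ${src} -d ${next_hop} -p udp --dport ${port} -j ACCEPT"
  done
  # Replies are matched by conntrack and un-NATed automatically.
  echo "iptables -A FORWARD -d ${src} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # SNAT: the next hop only ever sees this host as the IKE peer, which is why the
  # Prisma Access remote network must be onboarded with a dynamic peer address.
  echo "iptables -t nat -A POSTROUTING -o ${iface} -d ${next_hop} -p udp -j MASQUERADE"
}

# apply_ipsec_nat_rules <allowed-src> <next-hop> <egress-iface>
# Enable forwarding and execute the generated rules (requires root).
apply_ipsec_nat_rules() {
  sysctl -w net.ipv4.ip_forward=1
  gen_ipsec_nat_rules "$@" | sh -e
}

# Example for router 2: 10.1.0.10 is router 1's private IP reached over the CEN,
# 203.0.113.5 stands in for the Prisma Access service IP (both constructed).
# apply_ipsec_nat_rules 10.1.0.10 203.0.113.5 eth0
```

Review the output of `gen_ipsec_nat_rules` before calling `apply_ipsec_nat_rules`: the FORWARD policy is set to DROP, so a wrong source address silently blocks the tunnel rather than opening the hop to the internet. Because only UDP 500 and 4500 are forwarded, the branch CPE and Prisma Access must negotiate NAT-T; raw ESP (IP protocol 50) is intentionally not relayed.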