
Configure GCP

Let's see how to finalize the GCP deployment configuration in Prisma SD-WAN.
  1. Log in to the GCP portal and navigate to VPC Network. First, peer the Prisma SD-WAN peering VPC to an App VPC.
  2. Enter the VPC Network Peerings configuration section to set up VPC peering between the Prisma SD-WAN VPC and each of your application VPCs.
  3. Create a VPC Connection from the Prisma SD-WAN VPC to the Application VPC.
    Specify the SD-WAN peering VPC and the remote VPC you wish to peer with from the provided list. Ensure that Export Custom Routes is selected on this peering.
  4. A second peering must be done in the opposite direction for the two VPCs to be fully peered.
    Ensure that Import Custom Routes is selected on this peering.
    When both the peerings are complete, the status will show as Active.
  5. For return traffic from the application to the on-premises networks to be sent through the Prisma SD-WAN virtual appliance, add a static route in the peering VPC subnet route table that points back to the ION device as the next hop for corporate subnets.
    In the example shown, 10.0.3.2 is the IP address of the peering port of the Virtual ION device and 192.168.0.0/18 is the summary prefix of all remote sites that have Prisma SD-WAN ION devices deployed.
    The route is imported in your App VPC.
    By default, VPCs have the GCP firewall enabled, and incoming traffic from outside your network is blocked. You must enable inbound firewall rules in the SD-WAN and App VPCs to permit branch-to-application traffic.
  6. From the Prisma SD-WAN web interface, go to Map GCP Site to bring up the menu and Add IP Prefixes.
    Advertise the GCP application VPC prefixes into the Prisma SD-WAN fabric by defining them on the GCP data center site.
    Traffic destined to the prefix (10.0.1000.0/24) is sent directly to GCP over one or more Prisma SD-WAN Internet VPN paths. This assumes that the traffic destined to these applications and prefixes matches a path policy rule that allows VPN over a public path.
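
The GCP side of steps 1 through 5 can also be scripted with the gcloud CLI. The following is an added example, not part of the original procedure: the VPC, peering, route and rule names and the `tcp:443` port list are assumptions, both VPCs are assumed to be in the same project, and the firewall rules are sourced only from the branch summary prefix rather than from any address.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of console steps 1-5. Prints the commands
# by default; set APPLY=1 to run them against the active gcloud project.
# Assumed names (not from the page): sdwan-peering-vpc, app-vpc, tcp:443.
SDWAN_VPC="${SDWAN_VPC:-sdwan-peering-vpc}"
APP_VPC="${APP_VPC:-app-vpc}"
ION_PEERING_IP="${ION_PEERING_IP:-10.0.3.2}"        # page's example value
BRANCH_SUMMARY="${BRANCH_SUMMARY:-192.168.0.0/18}"  # page's example value
ALLOWED="${ALLOWED:-tcp:443}"                       # assumption: app ports

run() {  # echo in dry-run mode, execute when APPLY=1
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

peer_vpcs() {
  # SD-WAN side exports its custom routes; the App side imports them.
  run gcloud compute networks peerings create sdwan-to-app \
    --network="$SDWAN_VPC" --peer-network="$APP_VPC" --export-custom-routes
  run gcloud compute networks peerings create app-to-sdwan \
    --network="$APP_VPC" --peer-network="$SDWAN_VPC" --import-custom-routes
}

return_route() {
  # Static route in the SD-WAN peering VPC: corporate prefixes via the ION.
  run gcloud compute routes create corp-via-ion \
    --network="$SDWAN_VPC" --destination-range="$BRANCH_SUMMARY" \
    --next-hop-address="$ION_PEERING_IP"
}

branch_ingress() {
  # One ingress rule per VPC, sourced only from the branch summary prefix.
  # Refuse a wide-open source range instead of silently creating it.
  case "$BRANCH_SUMMARY" in
    0.0.0.0/0|::/0) echo "refusing source range $BRANCH_SUMMARY" >&2; return 1 ;;
  esac
  for vpc in "$SDWAN_VPC" "$APP_VPC"; do
    run gcloud compute firewall-rules create "allow-branch-$vpc" \
      --network="$vpc" --direction=INGRESS --action=ALLOW \
      --rules="$ALLOWED" --source-ranges="$BRANCH_SUMMARY"
  done
}

peer_vpcs && return_route && branch_ingress
```

Review the printed commands first, then rerun with `APPLY=1`; the peerings report Active only after both directions exist.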