: Auto Scaling Components for Google Cloud Platform
Focus
Focus

Auto Scaling Components for Google Cloud Platform

Table of Contents

Auto Scaling Components for Google Cloud Platform

Prepare to deploy a VM-Series firewall on a Google® Compute Engine instance.
Typical GCP auto scaling deployments use a host project and a service project and form a common VPC network between the two. The Panorama plugin for GCP can secure an auto scaling deployment in a single project with host and service VPCs, or host and service projects in a shared VPC or peered VPC network configuration, where the host project contains the VM-Series firewalls and the shared VPC networks, and the service project contains your application deployment. If your application is deployed in a Kubernetes cluster, a peered VPC is required.

Auto Scaling Requirements

Ensure that you meet the software version requirements for auto scaling on Google Cloud Platform (GCP).
  • General Requirements—Ensure your environment meets the basic requirements.
  • Panorama Plugin for GCP—If you have not done so, Install the Panorama Plugin for GCP.
    If you previously installed the Panorama plugin for GCP version 1.0.0, remove it before you install 2.0.X. You cannot upgrade.
  • Palo Alto Networks Auto Scale templates version 1.0—Palo Alto Networks provides the templates to deploy VM-Series firewall instances in the host project and configure and deploy a sample application in a service project. See About the Auto Scaling Templates for more about the templates.
    Download the templates from GitHub. The zip file contains separate zip files for the firewall and application templates.

Prepare to Deploy the Auto Scaling Templates

Complete the following tasks before you deploy the auto scaling templates.

Prepare a Host Project and Required Service Accounts

You need a host project and a service project to form the shared VPC topology that supports the firewall and application templates. You can create a new host project or prepare an existing project to act as your host.
To set up the Shared VPC an organization administrator must grant the host project administrator the Shared VPC Admin role. The Shared VPC Admin can enable a project to act as a host, and grant the Service Project Admin role to the service project administrator. Review the GCP documentation on Administrators and IAM roles.
  1. In the GCP console, create a GCP project to act as the host. If you want to use an existing project, skip to the next step.
    To create a new project, select your organization or No organization, click New Project and fill in your project information. Note, this is your only chance to EDIT the project ID.
    The Google Cloud SDK must be installed and configured so that you can authenticate with your host project from the CLI. You will use the command line interface to deploy the firewall template and the application template, and to attach the service project to the host project.
  2. Enable APIs and services required for auto scaling. The required APIs are:
    • Cloud Pub/Sub API
    • Cloud Deployment Manager API
    • Cloud Storage API
    • Compute Engine API
    • Google Compute Engine Instance Group Manager API
    • Google Compute Engine Instance Group Updater API
    • Google Compute Engine Instance Groups API
    • Kubernetes Engine API
    • Stackdriver API
    • Stackdriver Logging API
    • Stackdriver Monitoring API
    You can enable APIs from the GCP console or the GCP CLI, as shown below.
    Enable APIs from the GCP console
    1. Select the host project, and from the Navigation menu, select APIs & Services.
    2. Search for and view each required API.
    3. ENABLE any APIs that do not display the “API enabled” status.
    Enable APIs from the CLI
    1. In the CLI, view your configuration to ensure that you are in the correct project.
      gcloud config list
      If not, set the project as follows:
      gcloud config set project <project-name>
    2. Issue the following commands to enable the required APIs.
      gcloud services enable pubsub.googleapis.com
      gcloud services enable deploymentmanager.googleapis.com
      gcloud services enable storage-component.googleapis.com
      gcloud services enable compute.googleapis.com
      gcloud services enable replicapool.googleapis.com
      gcloud services enable replicapoolupdater.googleapis.com
      gcloud services enable resourceviews.googleapis.com
      gcloud services enable container.googleapis.com
      gcloud services enable stackdriver.googleapis.com
      gcloud services enable logging.googleapis.com
      gcloud services enable monitoring.googleapis.com
    3. Confirm that the required APIs are enabled.
      gcloud services list --enabled
  3. Create a service account for deploying the VM-Series firewall, and assign the IAM roles required for auto scaling a service or a Kubernetes cluster.
    When you configure the firewall templates you add the email address for this service account to the VM-Series firewall .yaml file. Within the host project, the template uses credentials from this service account to create a host VPC with subnets, deploy VM-Series firewalls in the VPC, configure Stackdriver custom metrics, create a Pub/Sub topic, and more.
    1. In the GCP console select IAM & AdminService accounts and select +CREATE SERVICE ACCOUNT.
      Fill in the service account details and click CREATE.
    2. Give the service account permission to auto-scale resources in this project.
      Select a role type from the drop menu, and on the right, select an appropriate access level. For example, select Project > Editor. You can select multiple roles for a service account.
      • Compute Engine > Compute Admin
      • Compute Engine > Compute Network User
      • Pub/Sub > Admin
      • Monitoring > Monitoring Metric Writer
      • Stackdriver > Stackdriver Accounts Editor
      • Storage > Storage Admin
      • (GKE only) Kubernetes > Kubernetes Engine Cluster Admin
      • (GKE only) Kubernetes > Kubernetes Engine Viewer
      Continue when you are finished adding roles.
    3. Click +CREATE KEY to create a key for the host service account.
      • (Optional) Add email addresses to grant other users or administrators access to this service account.
      • Click JSON to download the private key in JSON form.
      • Store the key in a safe location. You will need this key when you Deploy GCP Auto Scaling Templates.
    4. Click DONE.
  4. Create a service account that a Panorama administrator can use to interact with this host project.
    1. In the GCP console select IAM & AdminService accounts and select +CREATE SERVICE ACCOUNT.
    2. Fill in the service account details and click CREATE.
    3. Grant service account access.
      Select a role type from the drop menu, and on the right, select an appropriate access level. For example, select Project > Editor. You can select multiple roles for a service account.
      • Compute Engine > Compute Viewer
      • Deployment Manager > Viewer
      • Pub/Sub > Admin
      Click CONTINUE.
    4. Click +CREATE KEY to create a key for the host service account.
  5. (optional) In the CLI, ensure you can communicate with your new host project.
    1. Set your project to the host project you just created.
      gcloud set project <your-autoscale-host-project-name>
    2. Create a configuration for auto scaling. Your new configuration is automatically activated unless you disable activation.
      gcloud config configurations create <CONFIGURATION_NAME> gcloud config list

Obtain a Licensing API Key

You need a Licensing API key so Panorama can license and de-license managed assets in GCP.
  1. Log in to the Support portal and selectAssetsLicensing API and click Enable. The key is displayed.
    Only a Super User can view the Enable link to generate this key. See How to Enable, Regenerate, Extend the Licensing API Key.
  2. Select the key and copy it.
  3. From the CLI, SSH in to Panorama and issue the following command, replacing <key> with the API key you copied from the support portal:
    request license api-key set key <key>
    API Key is successfully set

Configure the Panorama Plugin for GCP to Secure an Auto Scaling Deployment

In Panorama, create assets to support the auto scaling firewall deployment.
  1. Create a template, and a template stack that includes the template, and Commit the changes.
  2. In the Network context, select either the template or the template stack. Select Virtual Routers and Add a virtual router.
    When the firewall template creates static routes, they are added to this virtual router.
    Define only one router for the auto scale deployment.
  3. In the Network context, select the template you created, select Interfaces and Add Interface.
    • On the Config tab, select a slot, select the Interface name and select the Layer3 Interface Type. From the Security Zone menu, select New Zone, name the zone Untrust and click OK.
    • On the IPv4 tab enable DHCP Client and Automatically create default route pointing to default gateway provided by server (enabled by default) and click OK.
  4. Add the ethernet1/2 (Trust) Layer 3 interface.
    • On the Config tab, chose the same slot as the previous step, select the Interface name (ethernet1/2), and select the Layer3 Interface Type. From the Security Zone menu, select New Zone name the zone Trust and click OK.
    • On the IPv4 tab enable DHCP Client, disable Automatically create default route pointing to default gateway provided by server and click OK.
  5. Return to your template stack and the virtual router you created earlier. Place the untrust and trust interfaces (ethernet1/1 and ethernet1/2) in the virtual router, and click OK.
  6. Configure Stackdriver for your auto scaling deployment.
    You must have the VM-Series plugin on Panorama to configure Stackdriver.
    1. In the Device context, select the template stack you created earlier from the Template drop menu.
    2. Select DeviceVM-SeriesGoogle and click the Edit cog (
      ). Enable Publish PAN-OS metrics to Stackdriver.
    3. Commit your changes.
  7. Create a Device Group that references the template or template stack you created in step 1.
    This Device Group will contain the VM-Series firewalls you create with the firewall template.
    1. Add a security policy that allows web-browsing traffic from Untrust to Trust.
      In the Policies context, select the Device Group you just created. Select SecurityPre Rules and Add the following security policy.
  8. Set up the GCP service account for the host project.
    1. In the Panorama context, expand Google Cloud Platform, select Setup, and click Add.
    2. Supply a name and description for the host service account you created in Step 4.
    3. Upload the JSON credentials file you created in Step 4.4.
      After you add a service account credential, you can validate the credential from your Panorama command line (you cannot validate from the web interface):
      request plugins gcp validate-service-account gcp_service_account <svc-acct-credential-name>
  9. Set up auto scaling on the Panorama plugin for GCP.
    1. In the Panorama context, expand Google Cloud Platform, select AutoScaling, and click Add.
    2. Supply the Firewall Deployment Name and an optional description for the deployment.
    3. For the GCP Service Account Credential, supply the GCP service account name from Step 8.
    4. Chose the Device Group you created in Step 7, and the Template Stack you created in Step 1.
    5. Disable License Management Only to ensure traffic is secured.
  10. Commit your changes.

Prepare a VM-Series Firewall Bootstrap Package for Auto Scaling

During bootstrap, the initial request from the firewall provides the host IP address and serial number, and the VM auth key so Panorama can validate the VM auth key and add the firewall as a managed device. Panorama can then assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
In this case, you must generate a VM auth key on Panorama and include the key in the init-cfg.txt file that you use for bootstrapping. The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. The bootstrap package must include.
  • In the /config directory, an init-cfg.txt file that includes the Panorama IP address
  • In the /license directory, the VM authentication key in a file named authcodes.
    The lifetime of the key can vary between 1 hour and 8760 hours (1 year). After the specified time, the key expires and Panorama will not register VM-Series firewalls without a valid auth-key in this connection request.
  1. Set up a Google storage bucket with the folders required to Bootstrap the VM-Series Firewall on Google Cloud Platform. You can use an existing bootstrap package or create a new bootstrap package, for these folders.
  2. Edit the values in the sample init-cfg.txt file to customize the file for your environment.
    The firewall templates include a sample init-cfg.txt file.
    ParameterValueComment
    typedhcp-client 
    hostname<pa-vm>Optional name you assigned when you prepared the host project. Only required if a specific host is necessary, and dhcp-send-hostname is no.
    vm-auth-key<vmauthkey>A key that Panorama must validate before adding a firewall as a managed device. See Generate the VM Auth Key On Panorama.
    panorama-server<panorama-ip>The IP address of the Panorama management device you configured in Configure the Panorama Plugin for GCP to Secure an Auto Scaling Deployment
    tplname<template-stack-name>The template stack you created in Configure the Panorama Plugin for GCP to Secure an Auto Scaling Deployment.
    dgname<dg-name>The name of the Device Group you created in the Panorama Plugin for GCP.
    dns-primaryYour primary DNS server.
    dns-secondaryYour secondary DNS server.
    dhcp-send-hostnameyesLeave as is.
    dhcp-send-client-idyesLeave as is.
    dhcp-accept-server-hostnameyesLeave as is.
    dhcp-accept-server-domainyesLeave as is.
  3. Upload your edited init-cfg.txt file to the /config folder in your bootstrap package.
  4. If you are using BYOL, create a text file named authcodes (no extension), add your auth code, and upload the file to the /license folder.