Let's see how to finalize the GCP deployment configuration in Prisma SD-WAN CloudBlades.
Log in to the GCP portal and navigate to VPC Network. First, peer the Prisma SD-WAN peering VPC to an App VPC.
Enter the VPC Network Peerings configuration section to set up VPC peering between the Prisma SD-WAN VPC and each of your application VPCs.
Create a VPC connection from the Prisma SD-WAN VPC to the application VPC. Specify the SD-WAN peering VPC and the remote VPC you wish to peer with from the provided list. Ensure that Export Custom Routes is selected on this peering.
A second peering must be created in the opposite direction for the two VPCs to be fully peered. Ensure that Import Custom Routes is selected on this peering.
When both peerings are complete, the status will show as Active.
For return traffic from the application back to the on-premises networks to be sent through the Prisma SD-WAN virtual appliance, add a static route in the peering VPC route table with the ION device as the next hop for the corporate subnets.
In the example shown, 10.0.3.2 is the IP address of the peering port of the virtual ION device and 192.168.0.0/18 is the summary prefix of all remote sites that have Prisma SD-WAN ION devices deployed.
Because the peering exports custom routes, this route is imported into your App VPC.
By default, VPCs have the GCP firewall enabled and incoming traffic from outside your network is blocked. You must add inbound firewall rules in both the SD-WAN VPC and the App VPC to permit branch-to-application traffic.
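The GCP-side steps above (the two peerings, the return route and the ingress rules) as a gcloud script; this is an added example, not Prisma SD-WAN or CloudBlade code. The project, VPC, route and rule names are assumptions, and the ingress rules are scoped to the corporate summary prefix rather than to any source.

```shell
#!/usr/bin/env bash
# Added example: scripts the GCP side of the Prisma SD-WAN peering setup.
# Project, VPC and rule names are assumptions; override them via environment.
set -euo pipefail

PROJECT="${PROJECT:-my-gcp-project}"                # assumed project id
SDWAN_VPC="${SDWAN_VPC:-prisma-sdwan-peering-vpc}"  # Prisma SD-WAN peering VPC
APP_VPC="${APP_VPC:-app-vpc}"                       # one application VPC
ION_PEERING_IP="${ION_PEERING_IP:-10.0.3.2}"        # ION peering port (from the text)
CORP_PREFIX="${CORP_PREFIX:-192.168.0.0/18}"        # summary of remote-site prefixes
DRY_RUN="${DRY_RUN:-1}"                             # print commands unless DRY_RUN=0

# Echo the command in dry-run mode; otherwise hand it to gcloud.
run() {
  if [ "$DRY_RUN" != "0" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# Peer in both directions: the SD-WAN side exports custom routes and the app
# side imports them, so the static return route below reaches the app VPC.
peer_vpcs() {
  run compute networks peerings create "sdwan-to-${APP_VPC}" \
    --project="$PROJECT" --network="$SDWAN_VPC" --peer-network="$APP_VPC" \
    --export-custom-routes
  run compute networks peerings create "${APP_VPC}-to-sdwan" \
    --project="$PROJECT" --network="$APP_VPC" --peer-network="$SDWAN_VPC" \
    --import-custom-routes
}

# Static route in the peering VPC: corporate prefixes via the ION peering port.
add_return_route() {
  run compute routes create "corp-via-ion" --project="$PROJECT" \
    --network="$SDWAN_VPC" --destination-range="$CORP_PREFIX" \
    --next-hop-address="$ION_PEERING_IP"
}

# Ingress rules in both VPCs, limited to the corporate prefix as the source
# instead of opening the VPCs to the whole Internet.
allow_branch_ingress() {
  for net in "$SDWAN_VPC" "$APP_VPC"; do
    run compute firewall-rules create "allow-branch-to-${net}" \
      --project="$PROJECT" --network="$net" --direction=INGRESS \
      --source-ranges="$CORP_PREFIX" --allow=tcp,udp,icmp
  done
}

# Run all steps only when invoked as "./script.sh apply" (dry run by default).
if [ "${1:-}" = "apply" ]; then peer_vpcs; add_return_route; allow_branch_ingress; fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 to apply them.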
From the Prisma SD-WAN web interface, go to Map > GCP Site to bring up the menu and select Add IP Prefixes.
Advertise the GCP application VPC prefixes into the Prisma SD-WAN fabric by defining them on the GCP data center site.
Traffic destined to the prefix (10.0.1000.0/24) is sent directly to GCP over one or more Prisma SD-WAN Internet VPN paths. This assumes that traffic destined to these applications and prefixes matches a path policy rule that allows VPN over a public path.