Connect Your Remote Network in Mainland China to Prisma Access
There are two ways you can onboard a branch office in
mainland China to Prisma Access. While the general topology of both
onboarding methods is the same, one uses two Linux router instances
and the other uses a Palo Alto Networks VM-Series firewall and one Linux
router instance. This section provides an overview of, and summary
steps for, both onboarding methods; the workflow after this section
provides detailed configuration steps for the first deployment,
which uses two router instances.
Onboard Your Branch in Mainland China Using Two Linux Router Instances
To onboard a branch office using Prisma
Access, you deploy two VPCs in Alibaba Cloud and you create an Alibaba
Express Connect (CEN) to use for network communication between the
two VPCs. The router instance in the VPC in mainland China connects
to the branch office in mainland China using an IPSec tunnel, and
the router instance in the VPC outside of mainland China connects
to the remote network IPSec tunnel.
IPSec tunnel packets enter the Alibaba Cloud region in mainland
China (VPC 1 in the following diagram) and then exit from a region
located outside mainland China (VPC 2 in the diagram). This solution
leverages Alibaba Cloud’s CEN feature that provides a dedicated
link with guaranteed bandwidth between VPCs in different regions.
When configuration is complete, an IPSec tunnel is formed between the
branch office (China) and the Prisma Access remote network. The
following figure provides an overview of the topology.

To connect a branch office in mainland China to a remote network
in Prisma Access, complete the following tasks.
- Open or use an existing account (either personal or enterprise) on Alibaba Cloud.
- Deploy two VPCs in separate regions. Deploy one VPC in mainland China. Select an Alibaba Cloud region that is close to the office. Deploy another VPC in a region that is close to a Prisma Access location and near the headquarters or data center location outside of mainland China to which you want to provide access.
- Purchase an Alibaba Cloud CEN to connect both VPCs and attach both VPCs to a CEN.
- Onboard a Prisma Access remote network in a location that is close to VPC 2. You must use IKEv2 with NAT-T and dynamic IP addresses for the IPSec tunnel.
- Acquire one elastic IP address in the mainland China VPC (VPC 1).
- Deploy a Linux instance in each VPC in Alibaba Cloud and configure the instances to act as routers (router 1 and router 2) with NAT capabilities.
- Configure a customer premises equipment (CPE) router at the branch office to establish an IPSec tunnel to router 1.
- Create routes at the branch office to send traffic destined for business applications to Prisma Access.
To connect a branch office in mainland China to Prisma Access,
you need the following software and licensing requirements:
- A Prisma Access subscription.
- An account on Alibaba Cloud with Admin privileges and the ability to create a CEN and perform real-name registration.
- A basic understanding of public cloud networking.
Onboard Your Branch in Mainland China Using a VM-Series Firewall With a Router Instance
If you do not have a security stack at the branch office,
or if you are using SD-WAN and would prefer to use a Palo Alto Networks
next-generation firewall to secure internet-bound traffic, you can
deploy a VM-series firewall in mainland China and onboard it to
Prisma Access. In this topology, the router in VPC 1 (Router 1)
is a VM-series firewall configured as an internet gateway. Traffic
destined for internal and business applications is forwarded over
a site-to-site IPSec tunnel established between the VM-series firewall
and Prisma Access.
With this deployment, you can use the VM-series firewall to create
and enforce security policies on the internet-bound traffic that
egresses from China. The IPSec tunnel from the branch office terminates at
the VM-series firewall. After the traffic undergoes policy enforcement,
internet-bound traffic exits from VPC 1. Traffic destined to business
applications in the headquarters or data center location is forwarded over
another site-to-site IPSec tunnel between the VM-series firewall
and Prisma Access by way of router 2. This deployment causes the
VM-series firewall to function as if it is directly onboarded to
Prisma Access as a remote network, as shown in the following figure.

Use the following summary steps to understand this deployment
and see how it differs from the deployment using two Linux router
instances:
- Open or use an existing account (either personal or enterprise) on Alibaba Cloud.
- Deploy two VPCs in separate regions. Deploy one VPC in mainland China and another VPC in a region that is close to the headquarters or data center location outside of mainland China to which you want to provide access.
- Purchase an Alibaba Cloud CEN to connect both VPCs. Purchase additional bandwidth for the CEN; the bandwidth that an Alibaba Cloud CEN provides you at no cost is insufficient to ensure a successful deployment.
- Deploy one standard VM-series firewall instance in the VPC in mainland China (VPC 1).
- Deploy one standard Ubuntu Linux instance in the VPC outside of mainland China (VPC 2) and configure the instance to act as a router with NAT capabilities.
- Onboard the VM-series firewall (router 1) as a remote network. The IPSec tunnel for the remote network is between the VM-series next-generation firewall (Router 1) and Prisma Access. Router 2 facilitates the tunnel between the two devices by acting as a NAT device that forwards IKE and IPSec underlay packets to Prisma Access. For the steps you perform to deploy the VM-series firewall in the VPC, see Create Linux Instances in the Alibaba Cloud VPCs.
- Configure the VM-series firewall to establish a site-to-site IPSec tunnel to the private IP address of router 2. For the steps you perform to configure the IPSec tunnel between the VM-series firewall and Prisma Access, see Configure the Router Instances.
- Configure router 2 to forward IPSec packets to the Prisma Access remote network IP address.
- Create routes at the branch office to send traffic destined to business applications to Prisma Access.
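Both summary procedures on this page (the two-Linux-router deployment and the VM-Series-plus-router deployment) rely on the same building block: a Linux instance that does not terminate IPSec itself but NATs the IKE and NAT-T underlay packets toward the next hop, so that the tunnel ends up between the branch CPE (or the VM-Series firewall) and Prisma Access. The following is an added example, not configuration from this documentation or from Palo Alto Networks, of a POSIX shell helper that generates and optionally applies the iptables rules for such a forwarder. It assumes a single network interface (default eth0), an iptables-based Ubuntu instance, and that the Alibaba security group already permits UDP 500 and 4500 from the expected sources; every IP address and CIDR in it is a constructed placeholder. Because the steps above require NAT-T, only UDP 500 and UDP 4500 are forwarded; ESP is carried inside UDP 4500, so raw ESP never has to cross the routers.

```shell
#!/bin/sh
# Added example, not from the Prisma Access documentation or Palo Alto Networks:
# turn a Linux instance into the NAT forwarder that the summary steps describe.
# Router 1 forwards IKE/NAT-T packets from the branch to router 2 (over the CEN);
# router 2 forwards them on to the Prisma Access remote network address.
# Every address in this file is a constructed placeholder.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_nat_forward_rules LISTEN_IP NEXT_HOP_IP [SOURCE_CIDR] [IFACE]
#   LISTEN_IP   private address of this instance (an Alibaba EIP is mapped to
#               the private address, so packets arrive with that destination)
#   NEXT_HOP_IP where the IKE/NAT-T packets go next: router 2's private IP on
#               router 1, the Prisma Access remote network IP on router 2
#   SOURCE_CIDR who may start a tunnel (0.0.0.0/0 on router 1, because the
#               branch uses a dynamic address; VPC 1's CIDR on router 2)
# Only UDP 500 (IKE) and UDP 4500 (NAT-T) are forwarded; the tunnel must use
# NAT-T, so ESP travels inside UDP 4500 and raw ESP (protocol 50) is not needed.
# The commands are printed, not run, so they can be reviewed first.
build_nat_forward_rules() {
    listen_ip=$1
    next_hop=$2
    src_cidr=${3:-0.0.0.0/0}
    iface=${4:-eth0}
    if ! is_ipv4 "$listen_ip" || ! is_ipv4 "$next_hop"; then
        echo "build_nat_forward_rules: invalid IPv4 address" >&2
        return 1
    fi
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -s $src_cidr -d $listen_ip -p udp -m multiport --dports 500,4500 -j DNAT --to-destination $next_hop
iptables -A FORWARD -i $iface -o $iface -s $src_cidr -d $next_hop -p udp -m multiport --dports 500,4500 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $iface -d $next_hop -p udp -m multiport --dports 500,4500 -j MASQUERADE
EOF
}

# Run the generated commands on the instance itself (needs root and iptables).
apply_nat_forward_rules() {
    build_nat_forward_rules "$@" | sh -e
}

# Example invocations (placeholder addresses): router 1, then router 2.
# build_nat_forward_rules 10.10.0.10 10.20.0.10
# build_nat_forward_rules 10.20.0.10 203.0.113.45 10.10.0.0/16
```

The MASQUERADE rule rewrites the source address to the forwarding instance's own private address, which is what lets conntrack steer the replies from the next hop back through the same instance; the DROP policy on FORWARD together with the source-CIDR match means router 2 accepts IKE only from VPC 1, while router 1 must stay open to any source because the branch address is dynamic, as the onboarding requirement above states.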
To provide secure access for mobile users in mainland China using
this deployment, you need the same software and licensing requirements
as when you onboard your branch
office using two Linux router instances, with the addition
of a licensed VM-series firewall with a GlobalProtect subscription.