Management Interface Swap for Google Cloud Platform Load Balancing
Learn about management interface swap for Google Compute
Because internal load balancing can send traffic only
to the primary interface of the next hop load-balanced Google Compute
Engine instance, the VM-Series firewall must be able to use eth0
for dataplane traffic.
The firewall can receive dataplane traffic on eth0 if the VM-Series
firewall is behind the Google Cloud Platform internal load balancing
The VM-Series firewalls secure traffic outbound directly
to the internet without requiring a VPN link or a Direct Connect
link back to the corporate network.
The VM-Series firewall secures an internet-facing application
when there is exactly one back-end server, such as a web server,
for each firewall. The VM-Series firewalls and web servers can scale
linearly, in pairs, behind the Google internal load balancing address.
To allow the firewall to send and receive dataplane traffic on
eth0 instead of eth1, you must swap the mapping of the internal
load balancing network interface within the firewall so that eth0
maps to ethernet 1/1, and eth1 maps to the MGT interface on the
Swap the management interface mapping before you configure
the firewall and define policy rules.
Swapping how the interfaces are mapped allows Google Cloud Platform
to distribute and route traffic to healthy instances of the VM-Series
firewall located in the same or different zones.
Swap the Management Interface
Understand Google Cloud Platform methods for swapping
the instance at creation time, or ways to deploy the firewall.
Pick one method to specify the interface
swap setting: the bootstrap configuration file, the firewall CLI,
or the Google Compute Engine instance
(accessed from the Google Cloud Console). Using one method ensures predictable
behavior on the firewall.
If you configured the VM-Series firewall before swapping, check
whether any IP address changes for eth0 and eth1 impact policy rules.
From the Google Cloud Console you cannot confirm whether you
have swapped eth0 and eth1. After swapping, you must remember that
load balancing is on eth0 and the firewall management interface
is eth1 so that you can properly configure Google Cloud Platform
load balancing, and create security policy rules to secure load balancing
to one or more VM-Series firewalls.
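The "pick one method" guidance above can be checked before an instance is created. The following is an added example, not code from the original page or from the vendor, that reports which methods request the swap and flags the cases of none or more than one. Assumptions: the bootstrap key `op-command-modes`, the mode and metadata key `mgmt-interface-swap`, and the metadata value `enable` come from PAN-OS documentation rather than from this page, and `check_swap` and its `cli_planned` parameter are hypothetical names.

```python
# Added example: check that exactly one method requests the interface swap.
# Key names are assumptions taken from PAN-OS documentation, not this page.
BOOTSTRAP_KEY = "op-command-modes"   # init-cfg.txt key (assumed)
SWAP_MODE = "mgmt-interface-swap"    # mode value and metadata key (assumed)


def bootstrap_requests_swap(init_cfg_text):
    """True if init-cfg.txt lists the swap among its op-command-modes."""
    for raw in init_cfg_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == BOOTSTRAP_KEY:
            if SWAP_MODE in {m.strip() for m in value.split(",")}:
                return True
    return False


def metadata_requests_swap(metadata):
    """True if the instance metadata carries mgmt-interface-swap=enable."""
    return str(metadata.get(SWAP_MODE, "")).strip().lower() == "enable"


def check_swap(init_cfg_text, metadata, cli_planned=False):
    """Return (status, methods); status is 'ok', 'warning' or 'error'."""
    methods = []
    if bootstrap_requests_swap(init_cfg_text):
        methods.append("bootstrap")
    if metadata_requests_swap(metadata):
        methods.append("metadata")
    if cli_planned:  # operator intends to run the swap from the firewall CLI
        methods.append("cli")
    if not methods:
        return "error", methods    # eth0 stays MGT; no dataplane on eth0
    if len(methods) > 1:
        return "warning", methods  # more than one method in use: pick one
    return "ok", methods           # eth0 -> ethernet 1/1, eth1 -> MGT


# Constructed sample inputs, not taken from a real deployment.
SAMPLE_INIT_CFG = ("type=dhcp-client\nhostname=vm-series-fw1\n"
                   "op-command-modes=jumbo-frame,mgmt-interface-swap\n")
SAMPLE_METADATA = {"mgmt-interface-swap": "enable"}

if __name__ == "__main__":
    print(check_swap(SAMPLE_INIT_CFG, {}))               # bootstrap only
    print(check_swap(SAMPLE_INIT_CFG, SAMPLE_METADATA))  # two methods set
    print(check_swap("hostname=vm-series-fw1\n", {}))    # swap not requested
```

Because the Google Cloud Console cannot confirm the swap afterwards, keeping the result of this check with the deployment records documents which interface carries load-balanced traffic.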