Management Interface Swap for Google Cloud Platform Load Balancing

Learn about management interface swap for Google Compute Engine.
Because internal load balancing can send traffic only to the primary interface of the next hop load-balanced Google Compute Engine instance, the VM-Series firewall must be able to use eth0 for dataplane traffic.
Receiving dataplane traffic on eth0 lets the VM-Series firewall sit behind the Google Cloud Platform internal load balancing interface in the following use cases:
  • The VM-Series firewalls secure traffic outbound directly to the internet without requiring a VPN link or a Direct Connect link back to the corporate network.
  • The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind the Google internal load balancing address.
To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the internal load balancing network interface within the firewall so that eth0 maps to ethernet 1/1, and eth1 maps to the MGT interface on the firewall.
Swap the management interface mapping before you configure the firewall and define policy rules.
Swapping how the interfaces are mapped allows Google Cloud Platform to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different zones.

Swap the Management Interface

Understand the Google Cloud Platform methods for swapping the interfaces at instance creation time, and the ways to swap them after the firewall is deployed.
You can swap the interfaces when you Deploy the VM-Series Firewall from Google Cloud Platform Marketplace, or you can configure the firewall after it is created.
At creation — When you deploy the VM-Series firewall, you can enable interface swap in two ways.
  • Google Cloud Console — In the Create Instance form, enter a key-value pair in the Metadata field, where mgmt-interface-swap is the key, and enable is the value.
  • Bootstrap File — Create a bootstrap file that includes the mgmt-interface-swap operational command in the bootstrap configuration, as described in Bootstrap the VM-Series Firewall on Google Cloud Platform. In the Create Instance form, enter a key-value pair in the Metadata field to enable the bootstrap option.
From the VM-Series firewall — Log in to the firewall, and Use the VM-Series Firewall CLI to Swap the Management Interface. In operational mode, issue the following command:
set system setting mgmt-interface-swap enable yes
  • Pick one method to specify the interface swap setting: the bootstrap configuration file, the firewall CLI, or the Google Compute Engine instance Metadata field (accessed from the Google Cloud Console). Using one method ensures predictable behavior on the firewall.
  • If you configured the VM-Series firewall before swapping, check whether any IP address changes for eth0 and eth1 impact policy rules.
From the Google Cloud Console you cannot confirm whether you have swapped eth0 and eth1. After swapping, you must remember that load balancing is on eth0 and the firewall management interface is eth1 so that you can properly configure Google Cloud Platform load balancing, and create security policy rules to secure load balancing to one or more VM-Series firewalls.
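Because the console cannot tell you whether the swap took effect, a small check of the three methods named above helps. The following is an added example, not Palo Alto Networks code: it derives the eth0/eth1 mapping from the instance Metadata key, an optional bootstrap init-cfg and the CLI setting, warns when more than one method sets the swap, and lists policy rules that reference the address that ends up on MGT after the swap (the line 36 check). The init-cfg line op-command-modes=mgmt-interface-swap and all sample values are assumptions.

```python
# Added example (not Palo Alto Networks code). Decides which VM-Series
# interface mapping applies from the three swap methods on this page.

DEFAULT_MAP = {"eth0": "MGT", "eth1": "ethernet1/1"}   # no swap
SWAPPED_MAP = {"eth0": "ethernet1/1", "eth1": "MGT"}   # mgmt-interface-swap enabled


def swap_sources(metadata, init_cfg="", cli_enabled=False):
    """Return the list of methods that enable the interface swap."""
    sources = []
    # Google Cloud Console Metadata field: key mgmt-interface-swap, value enable
    if metadata.get("mgmt-interface-swap", "").strip().lower() == "enable":
        sources.append("metadata")
    # Bootstrap file: ASSUMED init-cfg.txt line op-command-modes=mgmt-interface-swap
    for line in init_cfg.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "op-command-modes" and "mgmt-interface-swap" in value:
            sources.append("bootstrap")
            break
    # Firewall CLI: set system setting mgmt-interface-swap enable yes
    if cli_enabled:
        sources.append("cli")
    return sources


def interface_map(metadata, init_cfg="", cli_enabled=False):
    """Return (eth -> PAN-OS interface mapping, warnings)."""
    sources = swap_sources(metadata, init_cfg, cli_enabled)
    warnings = []
    if len(sources) > 1:
        warnings.append("swap set by %s; use one method" % ", ".join(sources))
    return (SWAPPED_MAP if sources else DEFAULT_MAP), warnings


def rules_touching_mgt(nic_ips, mapping, rules):
    """Names of policy rules that reference the IP now on MGT (no longer dataplane)."""
    mgt_eth = next(eth for eth, pan in mapping.items() if pan == "MGT")
    mgt_ip = nic_ips[mgt_eth]
    return [r["name"] for r in rules if mgt_ip in (r["source"], r["destination"])]


if __name__ == "__main__":
    # Constructed sample: metadata, NIC addresses, and rules written before the swap.
    meta = {"mgmt-interface-swap": "enable"}
    nics = {"eth0": "10.10.0.5", "eth1": "10.20.0.5"}
    rules = [{"name": "ilb-in", "source": "any", "destination": "10.10.0.5"},
             {"name": "web-to-dataplane", "source": "any", "destination": "10.20.0.5"}]
    mapping, warn = interface_map(meta, "op-command-modes=mgmt-interface-swap")
    print(mapping, warn)                                # both methods set -> warning
    print(rules_touching_mgt(nics, mapping, rules))     # ['web-to-dataplane']
```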