Deploy a Kubernetes Service Using a Sample Terraform Template

Deploy a community-supported Terraform template to expose services running in a Kubernetes cluster to the Google Cloud Platform plugin for Panorama.
To deploy an application, you need to build an infrastructure in GCP. You can create it manually with the Google Cloud Platform Console, use (or modify) an existing template, or create a new template. Then, continue to Configure Google Cloud Platform Plugin for Google Kubernetes Engine.
Please refer to the community-supported GKE-LB-Sandwich Terraform template on GitHub: https://github.com/PaloAltoNetworks/GCP-Terraform-Samples/tree/master/GKE-LB-Sandwich.
The following sections describe additional configuration tasks specifically for GKE.

Customize and Run the GKE LB Sandwich Terraform Template

The Palo Alto Networks GKE LB Sandwich Terraform template creates a sample GKE cluster deployment you can use to test the Google Cloud Platform plugin for Panorama. To use this community-supported sample template with GCP plugin for Panorama, you must make the following changes to ensure the integration is successful.
  1. Follow the steps in the template’s Deployment Guide instructions as written, except for the steps mentioned here.
  2. In Section 4.8 of the Deployment Guide, edit main.tf as follows:
    1. Change the trust interface priority for the GCP route from 100 to 1001.
    2. Change the master_auth password.
  3. On pages 20 and 21, the template document refers to “Discovery & load balancing” in the Google Cloud Console. This node is named “Services” in the current release.
  4. On page 24, do not create the NAT rules. If the Google Cloud Platform plugin is correctly configured in Panorama, it learns about your GKE services and creates the appropriate NAT rules for you.

Deploy an Application

To secure an application using Panorama, you must ensure there is an annotation and a panw-named-port label for every externally exposed GKE service you want to secure. You can edit the GKE YAML file directly, or from the Google Cloud Platform user interface, as described here.
One or more services can be exposed through an external load balancer (ELB). Sometimes the ELB port number is pre-assigned when the ELB is deployed. You must ensure that the port number assigned to the panw-named-port label matches the port number assigned to the ELB.
  1. Edit the config.yaml file:
    1. Select Kubernetes Engine > Services > YAML to open the YAML file.
    2. Under labels, add panw-named-port: and specify a port number. For example, panw-named-port: "80".
      You supply the panw-named-port when you configure the Google Cloud Platform plugin.
  2. Save the file.
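As an added check (not from the Palo Alto Networks documentation or template), the script below reads the JSON that kubectl get svc -o json prints and flags each externally exposed Service that is missing the panw-named-port label or whose label value does not match the Service's ELB port. Only the label name comes from this page; treating spec.ports[].port of a LoadBalancer Service as the ELB port is an assumption, and the sample manifest is constructed.

```python
import json

LABEL = "panw-named-port"  # label name from the documentation above

def check_service(svc):
    """Return a list of problems for one Service object; an empty list means it passes."""
    name = svc["metadata"]["name"]
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []  # not exposed through an ELB, so the plugin does not need the label
    labels = svc["metadata"].get("labels") or {}
    value = labels.get(LABEL)
    if value is None:
        return [f"{name}: missing '{LABEL}' label"]
    if not (isinstance(value, str) and value.isdigit()):
        return [f"{name}: '{LABEL}' must be a quoted port number, got {value!r}"]
    # Assumption: the ELB port is spec.ports[].port of the LoadBalancer Service.
    elb_ports = {p["port"] for p in spec.get("ports", [])}
    if int(value) not in elb_ports:
        return [f"{name}: {LABEL}={value} does not match ELB port(s) {sorted(elb_ports)}"]
    return []

def check_manifest(doc):
    """doc is JSON text as printed by 'kubectl get svc -o json' (one Service or a List)."""
    obj = json.loads(doc)
    items = obj["items"] if obj.get("kind") == "List" else [obj]
    problems = []
    for svc in items:
        if svc.get("kind") == "Service":
            problems.extend(check_service(svc))
    return problems

# Constructed sample: a correct service, one whose label does not match its ELB
# port, one with no label, and a ClusterIP service that the check ignores.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Service", "metadata": {"name": "web", "labels": {LABEL: "80"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "api", "labels": {LABEL: "9000"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8081, "targetPort": 8081}]}},
    {"kind": "Service", "metadata": {"name": "admin"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 81}]}},
    {"kind": "Service", "metadata": {"name": "internal"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
]})

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE):
        print(problem)
```

Run it against the live cluster by piping kubectl get svc -A -o json into check_manifest before configuring the plugin, so a mismatched label is caught before Panorama tries to learn the service.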

Create an External Load Balancer Flow with Multiple URL Mappings

You can configure an external HTTP/S load balancer to service requests for multiple domains. Each service has been labeled panw-named-port so it can be accessed from the firewall’s untrust interface.
You must create a backend service for each service labeled panw-named-port, and configure the backend service in the load balancer. You must also configure the health check.
If you use the Google Cloud Platform console, the configuration does not work properly and the GCP plugin for Panorama cannot learn the service and port mappings. For a successful deployment, use one of the following methods:
In this command line interface sample, the gcloud commands create two services under a single load balancer, with the panw-named-port values 9000 and 8081.
gcloud compute health-checks create http panw-lab-hc-1   --port 80 --check-interval 30
gcloud compute backend-services create panw-lab-bs-80 --protocol HTTP --port-name port80 --global --health-checks panw-lab-hc-1
gcloud compute backend-services create panw-lab-bs-9000 --protocol HTTP --port-name port9000 --global --health-checks panw-lab-hc-1
gcloud compute backend-services create panw-lab-bs-81 --protocol HTTP --port-name port81 --global --health-checks panw-lab-hc-1
gcloud compute url-maps create panw-lab-url-map-1 --default-service panw-lab-bs-80
gcloud compute target-http-proxies create panw-lab-t-http-proxy-1 --url-map panw-lab-url-map-1
gcloud compute forwarding-rules create panw-lab-fe-1 --global --target-http-proxy panw-lab-t-http-proxy-1 --ports 88
gcloud compute instance-groups set-named-ports fw-ig --named-ports port80:80,port9000:9000,port81:81
gcloud compute backend-services add-backend panw-lab-bs-80 --global  --instance-group fw-ig --instance-group-zone us-west1-a
gcloud compute backend-services add-backend panw-lab-bs-9000 --global --instance-group fw-ig --instance-group-zone us-west1-a
gcloud compute backend-services add-backend panw-lab-bs-81 --global  --instance-group fw-ig  --instance-group-zone us-west1-a
gcloud compute url-maps add-path-matcher panw-lab-url-map-1  --path-matcher-name host9000 --default-service panw-lab-bs-9000 --new-hosts=*  --path-rules="/*=panw-lab-bs-9000"
gcloud compute url-maps add-path-matcher panw-lab-url-map-1 --path-matcher-name host81 --default-service panw-lab-bs-81 --new-hosts=* --path-rules="/*=panw-lab-bs-81"