Management Interface Swap for Google Cloud Platform Load Balancing
Learn about management interface swap for Google Compute
Because internal load balancing can send traffic only
to the primary interface of the next hop load-balanced Google Compute
Engine instance, the VM-Series firewall must be able to use eth0
for dataplane traffic.

The firewall can receive dataplane traffic on eth0 if the VM-Series
firewall is behind the Google Cloud Platform internal load balancing

The VM-Series firewalls secure traffic outbound directly
to the internet without requiring a VPN link or a Direct Connect
link back to the corporate network.

The VM-Series firewall secures an internet-facing application
when there is exactly one back-end server, such as a web server,
for each firewall. The VM-Series firewalls and web servers can scale
linearly, in pairs, behind the Google internal load balancing address.

To allow the firewall to send and receive dataplane traffic on
eth0 instead of eth1, you must swap the mapping of the internal
load balancing network interface within the firewall so that eth0
maps to ethernet 1/1, and eth1 maps to the MGT interface on the

If possible, swap the management interface
mapping before you configure the firewall and define policy rules.

Swapping how the interfaces are mapped allows Google Cloud Platform
to distribute and route traffic to healthy instances of the VM-Series
firewall located in the same or different zones.

Swap the Management Interface
Understand Google Cloud Platform methods for swapping
the instance at creation time, or ways to deploy the firewall.

If you configured the VM-Series
firewall before swapping, check whether any IP address changes for
eth0 and eth1 impact policy rules.

You cannot confirm from the Google Cloud Console
whether eth0 and eth1 have been swapped. After
swapping, remember that load balancing is on eth0 and the
firewall management interface is eth1, so that you can properly configure
Google Cloud Platform load balancing and create security policy
rules to secure load balancing to one or more VM-Series firewalls.

Ensure that you can access the Google Cloud console from
the management console or the CLI so you can view the IP address
of the eth1 interface. Also, verify that you can make HTTPS or SSH
connections to the new management interface.
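
As an added example of the policy-rule check described above (not Palo Alto Networks code), the following Python maps the instance's NIC addresses to firewall roles before and after the swap and lists the rules whose matched address changed role. The instance data, the simplified rule format, the pre-swap mapping (eth0 as MGT, eth1 as ethernet1/1) and the eth2 to ethernet1/2 mapping are assumptions made for the example.

```python
import ipaddress

# Constructed sample, shaped like `gcloud compute instances describe --format=json`.
INSTANCE = {
    "name": "vmseries-fw-1",  # hypothetical instance name
    "networkInterfaces": [
        {"name": "nic0", "networkIP": "10.0.0.10"},  # eth0
        {"name": "nic1", "networkIP": "10.0.1.10"},  # eth1
        {"name": "nic2", "networkIP": "10.0.2.10"},  # eth2
    ],
}

# Constructed, simplified rules written before the swap (not PAN-OS syntax).
RULES = [
    {"name": "allow-admin-https", "destination": "10.0.0.10/32"},
    {"name": "allow-inbound-web", "destination": "10.0.1.0/24"},
    {"name": "allow-app-to-db", "destination": "10.0.2.0/24"},
]


def interface_roles(instance, swapped):
    """Map firewall roles (MGT, ethernet1/N) to the instance's NIC addresses."""
    ips = [nic["networkIP"] for nic in instance["networkInterfaces"]]
    if len(ips) < 2:
        raise ValueError("the swap needs at least eth0 and eth1")
    # Assumption: unswapped, eth0 is MGT and eth1 is ethernet1/1; the swap exchanges them.
    mgt, eth1_1 = (ips[1], ips[0]) if swapped else (ips[0], ips[1])
    roles = {"MGT": mgt, "ethernet1/1": eth1_1}
    # Assumption: interfaces after eth1 keep their mapping (eth2 -> ethernet1/2, ...).
    for n, ip in enumerate(ips[2:], start=2):
        roles[f"ethernet1/{n}"] = ip
    return roles


def rules_to_review(rules, instance):
    """Return (rule, role_before, role_after) for rules matching an address whose role changed."""
    before = {ip: role for role, ip in interface_roles(instance, False).items()}
    after = {ip: role for role, ip in interface_roles(instance, True).items()}
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["destination"], strict=False)
        for ip, old_role in before.items():
            if ipaddress.ip_address(ip) in net and after[ip] != old_role:
                findings.append((rule["name"], old_role, after[ip]))
    return findings


if __name__ == "__main__":
    for name, old, new in rules_to_review(RULES, INSTANCE):
        print(f"{name}: matched address was {old}, is now {new}")
```

A rule reported as moving from ethernet1/1 to MGT deserves the closest look, because a dataplane rule would then cover the management address.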