Management Interface Swap for Google Cloud Platform Load Balancing
Learn about management interface swap for Google Compute Engine.
Because internal load balancing can send traffic only to the primary interface of the next hop load-balanced Google Compute Engine instance, the VM-Series firewall must be able to use eth0 for dataplane traffic.
The firewall can receive dataplane traffic on eth0 if the VM-Series firewall is behind the Google Cloud Platform internal load balancing interface.
- The VM-Series firewalls secure traffic outbound directly to the internet without requiring a VPN link or a Direct Connect link back to the corporate network.
- The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind the Google internal load balancing address.
To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the internal load balancing network interface within the firewall so that eth0 maps to ethernet 1/1, and eth1 maps to the MGT interface on the firewall.
If possible, swap the management interface mapping before you configure the firewall and define policy rules.
Swapping how the interfaces are mapped allows Google Cloud Platform to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different zones.
Swap the Management Interface
Understand Google Cloud Platform methods for swapping the instance at creation time, or ways to deploy the firewall.
You can swap the interfaces when you Deploy the VM-Series Firewall from Google Cloud Platform Marketplace, or you can configure the firewall after it is created.
When you deploy the VM-Series firewall, you can enable interface swap in two ways.
- Google Cloud Console— In the Create Instance form, enter a key-value pair in theMetadatafield, wheremgmt-interface-swapis the key, andenableis the value.
- Bootstrap File— Create a bootstrap file the includes themgmt-interface-swapoperational command in the bootstrap configuration, as described in Bootstrap the VM-Series Firewall on Google Cloud Platform. In the Create Instance form, enter a key-value pair in theMetadatafield to enable the bootstrap option.
After DeploymentLog in to the firewall,
the VM-Series Firewall CLI to Swap the Management Interface.
In operational mode, issue the following command:
set system setting mgmt-interface-swap enable yes
- If you configured the VM-Series firewall before swapping, check whether any IP address changes for eth0 and eth1 impact policy rules.From the Google Cloud Console you cannot confirm whether you have swapped eth0 and eth1. After swapping, you must remember that load balancing is on eth0 and the firewall management interface is eth1 so that you can properly configure Google Cloud Platform load balancing, and create security policy rules to secure load balancing to one or more VM-Series firewalls.
- Ensure that you can access the Google Cloud console from the management console or the CLI so you can view the IP address of the eth1 interface. Also, verify that you can make HTTPS or SSH connections to the new management interface.
Recommended For You
Recommended videos not found.