Management Interface Swap for Google Cloud Platform Load Balancing
Learn about management interface swap for Google Compute Engine.
| Where Can I Use This? | What Do I Need? |
|---|---|
| - Google Cloud Platform (GCP) | - VM-Series License (PAYG or BYOL)<br>- VM-Series plugin<br>- Panorama<br>- Panorama plugin for GCP |
Because internal load balancing can send traffic only
to the primary interface of the next hop load-balanced Google Compute Engine
instance, the VM-Series firewall must be able to use eth0 for dataplane
traffic.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a
public cloud environment. IPv6 addresses are not supported.
The firewall can receive dataplane traffic on eth0 if the VM-Series
firewall is behind the Google Cloud Platform internal load balancing
interface.
The VM-Series firewalls secure traffic outbound directly
to the internet without requiring a VPN link or a Direct Connect link
back to the corporate network.
The VM-Series firewall secures an internet-facing application
when there is exactly one back-end server, such as a web server,
for each firewall. The VM-Series firewalls and web servers can scale
linearly, in pairs, behind the Google internal load balancing address.
To allow the firewall to send and receive dataplane traffic on
eth0 instead of eth1, you must swap the mapping of the internal load
balancing network interface within the firewall so that eth0 maps
to ethernet 1/1, and eth1 maps to the MGT interface on the firewall.
If possible, swap the management interface mapping before
you configure the firewall and define policy rules.
Swapping how the interfaces are mapped allows Google Cloud Platform
to distribute and route traffic to healthy instances of the VM-Series
firewall located in the same or different zones.
Swap the Management Interface
Understand the Google Cloud Platform methods for swapping the interfaces when you create the instance, and the ways to deploy the firewall.
You can also swap the interfaces when you configure the firewall after it is created.
- At creation: When you deploy the VM-Series firewall, you can enable interface swap in two ways.
  - Google Cloud Console: In the Create Instance form, enter a key-value pair in the Metadata field, where `mgmt-interface-swap` is the key and `enable` is the value.
  - Bootstrap File: Create a bootstrap file that includes the mgmt-interface-swap operational command in the bootstrap configuration, as described in Bootstrap the VM-Series Firewall on Google Cloud Platform. In the Create Instance form, enter a key-value pair in the Metadata field to enable the bootstrap option. The operational command is:

```
set system setting mgmt-interface-swap enable yes
```
- Pick one method to specify the interface swap setting: the bootstrap configuration file, the firewall CLI, or the Google Compute Engine instance Metadata field (accessed from the Google Cloud Console). Using a single method ensures predictable behavior on the firewall.
From the Google Cloud Console you can't confirm whether you
have swapped eth0 and eth1. After swapping, you must remember that load
balancing is on eth0 and the firewall management interface is eth1 so
that you can properly configure Google Cloud Platform load balancing,
and create security policy rules to secure load balancing to one or more
VM-Series firewalls.
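The Console does not show which NIC ended up carrying dataplane traffic, but the instance metadata does. The following added example (not from this page or from Palo Alto Networks) reads the JSON that `gcloud compute instances describe --format=json` returns, here a constructed sample, and reports which GCE NIC and IP address hold ethernet1/1 and which hold MGT, so the internal load balancer backend and the security policy rules can be pointed at the right addresses.

```python
import json

# Constructed sample of `gcloud compute instances describe --format=json` output,
# trimmed to the fields used here (not real instance data).
SWAPPED_INSTANCE = json.dumps({
    "name": "vmseries-fw-1",
    "metadata": {"items": [{"key": "mgmt-interface-swap", "value": "enable"}]},
    "networkInterfaces": [
        {"name": "nic0", "networkIP": "10.0.1.10"},   # GCE primary interface
        {"name": "nic1", "networkIP": "10.0.0.10"},
    ],
})
# Same instance without the metadata key: the default (unswapped) mapping.
UNSWAPPED_INSTANCE = json.dumps({**json.loads(SWAPPED_INSTANCE), "metadata": {"items": []}})


def swap_enabled(instance: dict) -> bool:
    """True when the instance metadata carries mgmt-interface-swap=enable."""
    items = instance.get("metadata", {}).get("items", [])
    return any(i.get("key") == "mgmt-interface-swap" and i.get("value") == "enable"
               for i in items)


def interface_roles(describe_json: str) -> dict:
    """Map firewall interface roles to GCE NICs and their IP addresses.

    nic0 is the GCE primary interface, the only one an internal load balancer
    can send traffic to. Without the swap the firewall uses eth0 (nic0) as MGT
    and eth1 (nic1) as ethernet1/1; with the swap, nic0 becomes ethernet1/1
    and nic1 becomes MGT.
    """
    inst = json.loads(describe_json)
    nics = {n["name"]: n for n in inst.get("networkInterfaces", [])}
    if "nic0" not in nics or "nic1" not in nics:
        raise ValueError("instance needs at least nic0 and nic1")
    swapped = swap_enabled(inst)
    dataplane, mgmt = ("nic0", "nic1") if swapped else ("nic1", "nic0")
    return {
        "swapped": swapped,
        "ethernet1/1": {"nic": dataplane, "ip": nics[dataplane]["networkIP"]},
        "MGT": {"nic": mgmt, "ip": nics[mgmt]["networkIP"]},
        # The ILB backend only reaches the primary NIC, so dataplane traffic
        # can arrive via the load balancer only when the swap is in effect.
        "ilb_can_reach_dataplane": swapped,
    }


if __name__ == "__main__":
    for label, blob in (("swapped", SWAPPED_INSTANCE), ("unswapped", UNSWAPPED_INSTANCE)):
        print(label, json.dumps(interface_roles(blob)))
```

This check only sees the Metadata method; a swap enabled through the bootstrap file or the firewall CLI is not visible in the instance metadata, which is one more reason to use a single method.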
If you configured the VM-Series firewall before swapping,
check whether any IP address changes for eth0 and eth1 impact policy
rules.