Deployment Models for VM-Series on GCP
Deploy your VM-Series firewall on Google Cloud platform (GCP) using the autoscale or
active/passive models.
Deploy your VM-Series firewall on Google Cloud platform (GCP) using any one of
the following deployment models:
VPC Networks
At a minimum, the VM-Series requires three network interfaces, each belonging to a separate VPC network: untrust (NIC0), management (NIC1), and trust (NIC2). Up to 5 additional dataplane interfaces can be added.
Google Cloud's external load balancers can only distribute traffic to the primary interface of a virtual machine. Therefore, when deploying the VM-Series, it is important to attach the instance's primary interface, NIC0, to the untrust VPC, attach NIC1 to the management VPC, and perform a management interface swap. This enables the untrust dataplane interface to receive traffic from external load balancers.
Untrust VPC
The VM-Series untrust interface (NIC0) acts as the internet gateway for cloud resources within the trust VPC, as well as for cloud resources in networks connected to the trust VPC.
For outbound internet traffic, you can attach an External IP address to the untrust interface, or deploy a Cloud NAT to the untrust VPC. For inbound internet traffic, you can use any of Google's external load balancers to distribute traffic to the VM-Series untrust interfaces for inspection.
Management VPC
The VM-Series management interface (NIC1), which is connected to the
management VPC, provides access to the VM-Series user interface and connects to
Panorama or Strata Cloud Manager for centralized management.
Trust VPC
The VM-Series trust interface (NIC2) is connected to a trust VPC network.
It is recommended to configure the trust interface as the backend service of an internal passthrough Network Load Balancer (formerly named the Internal TCP/UDP Load Balancer). This setup facilitates traffic distribution for egress traffic originating from the trust VPC or from workload VPCs linked to the trust VPC network.
It is common to use the trust VPC in the following ways:
A shared VPC network that shares its subnets with various service projects within the Google Cloud organization.
A hub VPC network that provides transitive routing and inspection for multiple workload VPC networks (spokes).
Workload VPCs
To inspect inter-VPC traffic (i.e. VPC-to-VPC, VPC-to-on-premises, or VPC-to-internet traffic), you can create custom static routes in the workload VPCs, using the internal load balancer in the trust VPC as the next hop.
To inspect intra-VPC traffic (i.e. subnet-to-subnet within a VPC, or traffic within a subnet), you can create policy-based routes, using the internal load balancer in the trust VPC as the next hop.
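The following Terraform fragment is an added example, not part of the Palo Alto Networks documentation or its official modules. It ties together the NIC ordering and management interface swap described under VPC Networks with the two route types described under Workload VPCs; every name, CIDR, zone and image reference is an assumed placeholder.

```hcl
# Added example (not from the VM-Series docs). Assumed placeholder names and
# addresses throughout; replace them with your own project's values.

# NIC order matters: NIC0 = untrust (external load balancers only target the
# primary interface), NIC1 = management, NIC2 = trust.
resource "google_compute_instance" "vmseries" {
  name           = "vmseries-01"            # assumed
  zone           = "us-central1-a"          # assumed
  machine_type   = "n2-standard-4"          # assumed
  can_ip_forward = true                     # required to forward transit traffic

  boot_disk {
    initialize_params {
      image = "VMSERIES_IMAGE_PLACEHOLDER"  # replace with the VM-Series image
    }
  }

  network_interface { subnetwork = "untrust-subnet" } # NIC0, untrust VPC
  network_interface { subnetwork = "mgmt-subnet" }    # NIC1, management VPC
  network_interface { subnetwork = "trust-subnet" }   # NIC2, trust VPC

  # Management interface swap: PAN-OS manages itself on NIC1 and uses NIC0 as
  # the untrust dataplane interface, so external LB traffic lands on untrust.
  metadata = {
    "mgmt-interface-swap" = "enable"
  }
}

# Inter-VPC / internet-bound traffic: a custom static route in the workload VPC
# with the trust-side internal load balancer as next hop. next_hop_ilb accepts
# the forwarding rule URL or, as here, the forwarding rule's IP address.
resource "google_compute_route" "workload_default_via_fw" {
  name         = "workload-default-via-fw"
  network      = "workload-vpc"             # assumed workload VPC name
  dest_range   = "0.0.0.0/0"
  priority     = 100
  next_hop_ilb = "10.2.0.10"                # assumed trust ILB address
}

# Intra-VPC traffic (subnet-to-subnet inside the workload VPC) is not matched by
# static routes, so a policy-based route steers it to the same ILB address.
resource "google_network_connectivity_policy_based_route" "workload_intra_vpc" {
  name            = "workload-intra-vpc-via-fw"
  network         = "projects/my-project/global/networks/workload-vpc" # assumed
  priority        = 100
  next_hop_ilb_ip = "10.2.0.10"             # assumed trust ILB address
  filter {
    protocol_version = "IPV4"
    src_range        = "10.10.1.0/24"       # assumed workload subnet A
    dest_range       = "10.10.2.0/24"       # assumed workload subnet B
  }
}
```

The workload VPC must be able to reach the trust ILB (as a shared VPC subnet or via peering, per the trust VPC patterns above) for either next hop to be accepted.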