Palo Alto as a NAT Gateway
Use the instructions below to give the nodes of a Private Node Group outbound Internet access through a Palo Alto firewall that acts as the NAT gateway.
Prerequisites
To use Palo Alto as the NAT gateway for a Cluster on the VKS system, you need:
A Windows server (VM) initialized on the vServer system. It is only used as a jump host to reach the Palo Alto GUI. Example configuration:
  Item                  Configuration
  Flavor                2x4
  Volume                20GB
  VPC                   10.76.0.0/16
  Subnet                10.76.0.0/24
  Network Interface 1   10.76.0.3
A Palo Alto server (VM) initialized on the vMarketPlace system according to the instructions below. Example configuration:
  Item                  Configuration
  Flavor                2x8
  Volume                60GB
  VPC                   10.76.0.0/16
  Network Interface 1   10.76.255.4 (priority 1, external side)
  Network Interface 2   10.76.0.4 (internal side; later used as the route table target for the Cluster)
Initialize Palo Alto
Step 1: Visit https://marketplace.console.vngcloud.vn/
Step 2: On the main screen, search for Palo Alto and, under Palo Alto services, select Launch.
Step 3: Configure Palo Alto: select the desired Volume, IOPS, Network and Security Group. Choose the same VPC and Subnet that you use for your Cluster. You also need to select an existing Server Group, or select Dedicated SOFT ANTI AFFINITY group so that a new server group is created automatically.
Step 4: Pay as for any other resource on VNG Cloud.
Configure parameters for Palo Alto
Step 1: After initializing Palo Alto from vMarketPlace as described above, open the vServer console to check that the server running Palo Alto has been created. Then add the Any rule to the Security Group of the Palo Alto server you just created. The Any rule allows all traffic to the Palo Alto server; from this point the Security Group no longer filters anything, so the Security Policy Rule you create in Step 8 is the only control on traffic that passes through the firewall.
Step 2: Once the server running Palo Alto is up, use the Windows vServer to open the Palo Alto GUI: browse to the IP address of the Palo Alto Internal Interface and log in with the default username and password admin/admin.
Note: The Windows vServer used to reach the Palo Alto GUI must be in the same VPC as Palo Alto, but on a subnet different from the priority-1 subnet (Network Interface 1) chosen when initializing Palo Alto. In the example configuration above it sits on 10.76.0.0/24, the subnet of Network Interface 2.
Step 3: On first login you are required to change the password. Choose a strong one; the default admin/admin is publicly known and the Security Group now admits all traffic to this server.
Step 4: Create one Inside zone and one Outside zone:
Go to Network -> Zones and select Add
Name the zone Inside, set Type to Layer3, then select OK
Repeat for the zone Outside
Step 5: Configure the External Interface (Network -> Interfaces -> Ethernet)
Interface Type: Layer 3
Virtual Router: default
Security Zone: Outside
On the IPv4 tab, select Add and enter the static IP of the External Interface together with its prefix length
To find this IP, look at the Network Interface section of the Palo Alto server in vServer; in the example configuration above it is Network Interface 1, 10.76.255.4
On the Advanced tab, set MTU to 1400
Step 6: Configure the Internal Interface the same way, but with Security Zone: Inside
On the IPv4 tab, set its static IP (Network Interface 2, 10.76.0.4 in the example above)
On the Advanced tab, set MTU to 1400
Step 7: Create a static route
Go to Network -> Virtual Routers -> select default -> Static Routes -> Add
Create the default route: Destination 0.0.0.0/0, Interface set to the External Interface, Next Hop set to the IP address of the gateway of the External Interface's subnet. Without this route the firewall has no path on which to forward the translated traffic.
Step 8: Create a Security Policy Rule
Go to Policies -> Security -> Add
On the General tab, name the rule
On the Source tab, set Source Zone, Source Address, Source User and Source Device
On the Destination tab, set Destination Zone, Destination Address and Destination Device
On the Application tab, set Application and Depends On
On the Service/URL Category tab, set Service and URL Category
On the Actions tab, set Action, Log Setting, Profile and Other Settings
For outbound NAT the minimum rule is Source Zone Inside, Destination Zone Outside, Action Allow. Restrict Source Address to the Cluster subnet where possible and enable Log at Session End so that outbound connections from the nodes are recorded.
Step 9: Create a NAT rule so that the VMs can reach the Internet
Go to Policies -> NAT -> Add
On the General tab, name the NAT rule
On the Original Packet tab, set Source Zone (Inside), Destination Zone (Outside), Destination Interface (the External Interface), Service, Source Address and Destination Address
On the Translated Packet tab, configure Source Address Translation: Translation Type Dynamic IP And Port, Address Type Interface Address, Interface set to the External Interface
Note: The translated source address must be the static IP you configured on the External Interface in Step 5, i.e. the address that belongs to the Outside zone, not the Internal Interface address. A source NAT rule has to translate to an address on the egress interface so that return traffic arrives on that same interface.
Step 10: Commit the configuration. None of the changes above take effect until the commit succeeds, so check the commit result for errors before continuing.
Initialize Route Table
After Palo Alto has been initialized and configured, create a Route table that sends the Cluster's traffic to Palo Alto. Follow these steps:
Step 1: Visit https://hcm-3.console.vngcloud.vn/vserver/network/route-table
Step 2: In the navigation menu, select Network / Route table.
Step 3: Select Create Route table.
Step 4: Enter a descriptive name for the Route table. Route table names may contain letters (a-z, A-Z), digits (0-9), '_' and '-', must be between 5 and 50 characters long and must not have leading or trailing spaces.
Step 5: Select the VPC for your Route table. If you do not have a VPC, create one according to the instructions on the VPC page. The VPC of the Route table must be the same VPC selected for your Palo Alto server and your Cluster.
Step 6 : Select Create to create a new Route table.
Step 7: Select the newly created Route table then select Edit Routes.
Step 8: In the add new Route section , enter the following information:
For Destination, enter Destination CIDR 0.0.0.0/0
For Target, enter Target CIDR as the IP address of Palo Alto Network Interface 2 (the Internal Interface)
For example, with the configuration above: Destination 0.0.0.0/0, Target 10.76.0.4
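As an added example (not code from VNG Cloud or Palo Alto Networks), the following Python script checks the Prerequisites layout and the Route table entry against the rules on this page, and emits the PAN-OS configure-mode set commands equivalent to Steps 4 to 9 of "Configure parameters for Palo Alto". The interface names ethernet1/1 (External Interface) and ethernet1/2 (Internal Interface), the /24 subnet masks, the external gateway 10.76.255.1 and the route table name are assumptions not stated on the page; confirm the real values in the vServer console before pasting the commands.

```python
"""Pre-flight check and PAN-OS 'set' command generator for the Palo Alto NAT gateway
layout on this page. Added example, not VNG Cloud or Palo Alto code.
Assumptions not stated on the page: the External Interface is ethernet1/1, the
Internal Interface is ethernet1/2, both subnets are /24, and the gateway of the
external subnet is its first host address (confirm all of these in vServer)."""
import ipaddress
import re

# Constructed from the example configuration in the Prerequisites section.
LAYOUT = {
    "vpc": "10.76.0.0/16",
    "windows_ip": "10.76.0.3",          # Windows jump host, Network Interface 1
    "pa_external_ip": "10.76.255.4",    # Palo Alto Network Interface 1 (priority 1), Outside zone
    "pa_external_subnet": "10.76.255.0/24",
    "pa_internal_ip": "10.76.0.4",      # Palo Alto Network Interface 2, Inside zone
    "pa_internal_subnet": "10.76.0.0/24",
    "route_table_name": "pa-nat-default",  # placeholder name
    "mtu": 1400,
}

# Route table name rule from the page: 5-50 characters of letters, digits, '_' or '-'.
ROUTE_TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{5,50}$")


def validate_layout(cfg):
    """Return the list of rule violations; an empty list means the layout is usable."""
    problems = []
    vpc = ipaddress.ip_network(cfg["vpc"])
    ext_net = ipaddress.ip_network(cfg["pa_external_subnet"])
    int_net = ipaddress.ip_network(cfg["pa_internal_subnet"])
    win = ipaddress.ip_address(cfg["windows_ip"])
    ext = ipaddress.ip_address(cfg["pa_external_ip"])
    inner = ipaddress.ip_address(cfg["pa_internal_ip"])

    # Everything must live in the one VPC shared by Palo Alto, the jump host and the Cluster.
    for label, addr in (("Windows", win), ("External Interface", ext), ("Internal Interface", inner)):
        if addr not in vpc:
            problems.append(f"{label} address {addr} is outside VPC {vpc}")
    if ext not in ext_net or inner not in int_net:
        problems.append("an interface address is not inside the subnet assigned to it")
    if ext_net.overlaps(int_net):
        problems.append(f"subnets {ext_net} and {int_net} overlap")
    # The jump host must NOT sit on the priority-1 (Network Interface 1) subnet.
    if win in ext_net:
        problems.append(f"Windows host {win} is on the Network Interface 1 subnet {ext_net}")
    if not ROUTE_TABLE_NAME_RE.fullmatch(cfg["route_table_name"]):
        problems.append("route table name must be 5-50 characters of [A-Za-z0-9_-] with no spaces")
    if cfg["mtu"] != 1400:
        problems.append("MTU must be 1400 on both Palo Alto interfaces")
    return problems


def vng_route_entry(cfg):
    """The single route the VNG route table needs: everything via the Internal Interface."""
    return ("0.0.0.0/0", cfg["pa_internal_ip"])


def panos_commands(cfg, ext_if="ethernet1/1", int_if="ethernet1/2"):
    """PAN-OS configure-mode 'set' commands equivalent to GUI Steps 4-9 (then run 'commit')."""
    ext_net = ipaddress.ip_network(cfg["pa_external_subnet"])
    int_net = ipaddress.ip_network(cfg["pa_internal_subnet"])
    gateway = str(ext_net.network_address + 1)  # assumed; take the real value from vServer
    return [
        # Steps 5-6: Layer 3 interfaces with static IPs and MTU 1400
        f"set network interface ethernet {ext_if} layer3 ip {cfg['pa_external_ip']}/{ext_net.prefixlen}",
        f"set network interface ethernet {ext_if} layer3 mtu {cfg['mtu']}",
        f"set network interface ethernet {int_if} layer3 ip {cfg['pa_internal_ip']}/{int_net.prefixlen}",
        f"set network interface ethernet {int_if} layer3 mtu {cfg['mtu']}",
        # Step 4: zones, each bound to one interface, both interfaces in the default virtual router
        f"set zone Outside network layer3 {ext_if}",
        f"set zone Inside network layer3 {int_if}",
        f"set network virtual-router default interface [ {ext_if} {int_if} ]",
        # Step 7: default route out of the Outside interface
        "set network virtual-router default routing-table ip static-route default "
        f"destination 0.0.0.0/0 interface {ext_if} nexthop ip-address {gateway}",
        # Step 8: the only security rule this setup needs: Inside -> Outside, allow, logged.
        # Tighten 'source any' to the Cluster subnet once it is known.
        "set rulebase security rules Allow-Outbound from Inside to Outside "
        "source any source-user any destination any category any application any "
        "service application-default action allow log-end yes",
        # Step 9: source NAT to the Outside interface address (Step 5), never the Inside one
        "set rulebase nat rules Outbound-SNAT from Inside to Outside "
        f"source any destination any service any to-interface {ext_if} "
        f"source-translation dynamic-ip-and-port interface-address interface {ext_if}",
    ]


if __name__ == "__main__":
    issues = validate_layout(LAYOUT)
    print("\n".join(issues) if issues else "layout OK")
    print("route table entry:", vng_route_entry(LAYOUT))
    print("\n".join(panos_commands(LAYOUT)))
```

Run the script before touching the GUI: an empty issue list means the jump host, the two Palo Alto interfaces and the route table name satisfy the rules above, and the printed set commands can be entered in the PAN-OS CLI (configure mode) in place of Steps 4 to 9, followed by commit.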
Checking connection
From a node in the Private Node Group (or any VM on the Cluster subnet), ping 8.8.8.8 or google.com. A reply confirms that the Route table, the NAT rule and the Security Policy Rule work together. If there is no reply, check the commit status on Palo Alto first, then the Security Policy Rule (the ping application must be allowed if you restricted Application), and finally that the Route table target is the Internal Interface address.