Palo Alto as a NAT Gateway

Use the instructions below to give a Private Node Group outbound Internet access through Palo Alto.

Prerequisites

To use Palo Alto as a NAT gateway for a Cluster on the VKS system, you need:

  • A Windows server (VM) initialized on the vServer system with the following configuration:

Item                  Configuration
Flavor                2x4
Volume                20GB
VPC                   10.76.0.0/16
Subnet                10.76.0.4/24
Network Interface 1   10.76.0.3

  • A Palo Alto server (VM) initialized on the vMarketPlace system according to the instructions below, with the following configuration:

Item                  Configuration
Flavor                2x8
Volume                60GB
VPC                   10.76.0.0/16
Network Interface 1   10.76.255.4
Network Interface 2   10.76.0.4

Initialize Palo Alto

Step 1: Visit https://marketplace.console.vngcloud.vn/

Step 2: On the main screen, search for Palo Alto; under Palo Alto services, select Launch.

Step 3: Now configure Palo Alto: select the desired Volume, IOPS, Network and Security Group. You must choose the same VPC and Subnet that you use for your Cluster. You also need to select an existing Server Group, or select Dedicated SOFT ANTI AFFINITY group so that a new server group is created for you automatically.

Step 4: Proceed to payment as for any other VNG Cloud resource.


Configure parameters for Palo Alto

Step 1: After initializing Palo Alto from vMarketPlace according to the instructions above, open the vServer interface here to check that the server running Palo Alto has been initialized. Next, open the Any rule on the Security Group of the Palo Alto server you just created; the Any rule allows all traffic to the Palo Alto server.

Step 2: Once the server running Palo Alto is successfully initialized, you need a vServer running Windows to access the Palo Alto GUI. From that Windows server, browse to the IP of the Internal Interface and log in with the default user name and password: admin/admin

Note: Use the Network section of the Windows vServer to reach the Palo Alto GUI. The Windows server must be in the same VPC but on a different subnet than the subnet with priority 1 chosen when initializing Palo Alto.

Step 3: After logging in for the first time, you must change your password. Enter a new password of your choice.

Step 4: Create one Zone named Inside and one Zone named Outside, following the steps below:

  • Select Add

  • Name the Zone Inside, then select OK

  • Repeat the same steps for the Zone Outside

Step 5: Configure the External Interface

  • Interface Type: Layer 3

  • Virtual Router: default

  • Security Zone: Outside

  • Switch to the IPv4 tab and select Add to enter the Static IP for the External Interface

  • To find this IP, go to the Network Interface section of the Palo Alto server

  • Switch to the Advanced tab and set the MTU to 1400

Step 6: Perform the same configuration for the Internal Interface

  • On the IPv4 tab, set up the Static IP

  • Switch to the Advanced tab and set the MTU to 1400

Step 7: Create a static route

  • Go to Network -> Virtual Routers -> select default -> switch to Static Routes

  • Create a route as shown below

Step 8: Create a Security Policy Rule

  • Go to Policies -> Security -> Add

  • On the General tab, name the rule

  • On the Source tab, set Source Zone, Source Address, Source User and Source Device

  • On the Destination tab, set Destination Zone, Destination Address and Destination Device

  • On the Application tab, set Application and Depend On

  • On the Service/URL Category tab, set Service and URL Category

  • On the Actions tab, set Action, Log, Profile and Other Settings

Step 9: Create a NAT rule so that VMs can reach the Internet

  • Go to Policies -> NAT -> Add

  • On the General tab, name the NAT rule

  • On the Original Packet tab, select Source Zone, Destination Zone, Destination Interface, Service, Source Address and Destination Address

  • On the Translated Packet tab, configure the translation as shown below

Note: Change the IP Address to the Static IP address that you configured in step 6

Step 10: Proceed to Commit


Initialize Route Table

After Palo Alto is successfully initialized and configured, you need to create a Route table that sends traffic from the other networks to it. Follow these steps to create the Route table:

Step 1: Visit https://hcm-3.console.vngcloud.vn/vserver/network/route-table

Step 2: In the navigation menu bar, select Network / Route table.

Step 3: Select Create Route table.

Step 4: Enter a descriptive name for the Route table. Route table names may contain letters and digits (a-z, A-Z, 0-9) and the characters '_' and '-'. The name must be between 5 and 50 characters long and must not include leading or trailing spaces.

Step 5: Select the VPC for your Route table. If you do not have a VPC, create a new one according to the instructions on the VPC Page. The VPC used for the Route table must be the same VPC selected for your Palo Alto server and your Cluster.

Step 6: Select Create to create the new Route table.

Step 8: In the Add new Route section, enter the following information:

  • For Destination, enter 0.0.0.0/0 as the Destination CIDR

  • For Target, enter the IP address of Palo Alto Network Interface 2 as the Target CIDR.

For example:


Checking connection

  • From a node in the Cluster, ping 8.8.8.8 or google.com to verify outbound connectivity
