Introducing New Design Blueprint Using Third Parties - Stage 1 Networking #2159
Replies: 9 comments 9 replies
-
@sruffilli can you chime in here? |
Beta Was this translation helpful? Give feedback.
-
Appreciate your thoughts, @sruffilli |
Beta Was this translation helpful? Give feedback.
-
A gentle reminder |
Beta Was this translation helpful? Give feedback.
-
Will TAL by EOD :) |
Beta Was this translation helpful? Give feedback.
-
Hey @hassannmoussaa, thanks for kicking off the discussion.
A low hanging fruit could be adding additional VPCs (at least one for management and one for heartbeat, which is pretty common across vendors) to the existing Something that could be done on top of that would be re-architecting (as/if required) the current |
Beta Was this translation helpful? Give feedback.
-
Thank you for your insightful response. While i totally agree with your mention, allow me to suggest some potential workaround from my side.
I would love to hear from all of you your thoughts while really intersted to contribute to what we could agree on. 🚀 |
Beta Was this translation helpful? Give feedback.
-
Plus one on the proposal to add the missing bits to the current nva stages, this is painless and actually pretty useful. Encapsulating functionality specific to network stages is something we will never do, as we always strived very hard to reduce the number of layers. |
Beta Was this translation helpful? Give feedback.
-
@ludoo Thank you for your clarification So one thing is we can proceed to edit the current nva stage to include 4 VPCs and almost peering with shared VPCs , while we can make the number of NVA dynamic for dedicated inboud/outbound and HA options ( if you agree on this proposal ) Can you provide your thoughts on having a 3-plugin folder for deploying vendor specific NVA along with their basic configuration (HA , interfaces ,... ) , do you see that a good addition ? And how shall we consider it on this change Thank you for your time |
Beta Was this translation helpful? Give feedback.
-
PR Opened |
Beta Was this translation helpful? Give feedback.
-
Idea Proposal
As the need for landing zone deployment on GCP is growing, and automation is always needed, and from the fact the using third parties from Google Partners are a must to fulfil the customer needs, new blueprint from the recommended designs by third parties become needed. From my experience at a Professional Services engineer at Google Premier Partner, we are requested every day to deploy hub-spoke models using third parties tools such as Palo Alto VM_Series , fortigate , f5 , ....
Based on the above mentioning, i would like to suggest ( and would love to work on this as contribution) to have new blueprint on the networking stage that introduce more dynamic and production-ready terraform templates and i'm listing down one of the suggestion that we can work om
Dedicated NVA - Third Party Hub & Spoke Model
As per palo alto and google official documentation which you can refer to using the links in the references, the recommended design for palo alto on gcp now become either having dedicated pair of VMs for inbound and outbound, or single pair of VMs for both direction, in my today issue im suggesting having a terraform ready blueprint that deploy the following production-ready hub-spoke dynamic model in the following design.
Architecture Explanation
The above design is a hub and spoke design based on a hub project that include a trusted and untrusted zone where traffic flow move from untrusted to trusted passing by load balancer with the first set of VM-Series ( Palo Alto) backend for inspection and threat detection.
Because hybrid connectivity is always a need, a VPC for VPN is needed, where this VPC is peered to the trusted and because transitive peering is not allowed this traffic will pass by the second set of vm-series for inspection
Outbound traffic initiating from the VMs are inspected by another set of palo alto to eliminate bandwidth issue and for better visibility.
Trusted VPC is peered with a set of prod and non prod shared VPCs that share their network with service project that contain the actual workload.
Proposed Work
I would like to contribute and to split the following issue and feature into multiple issues to make easier for maintainer to conduct the code review and validation.
In my proposal , i would suggest to work on something similar to the available blueprint in stage 2, where we can have a fully dynamic terraform model that deploy this well needed architecture on GCP following the design principles followed by fabric fast modules and following the same structure.
Next Steps
i would like to hear from this repository maintainer about this idea in order to agree on it, thus i have some ready modules that i can work on to match fabric fast design principles and contribute to the repository with this new design in order to have it ready in the next releases .
Moreover from the fact that issues are a way to introduce feature and issues should be simple and direct, i would like to split this feature into multiple smaller issues in next work in order to merge this change step by step
As a next step , I'm planning to involve other recommended designs such as :
And other recommended design that we feel they are very requested nowadays in order to enrich current fabric fast foundation modules with more production-ready and user-needed designs and architecture
Conclusion
i would like to know more from this page maintainer about my thoughts and im always ready to help and contribute
Beta Was this translation helpful? Give feedback.
All reactions