Co-authored by Travis Mitchell, principal solutions architect, and Tomasz Klimczyk, principal solutions architect
In this blog post, we deploy an Aviatrix Transit Firewall Network (FireNet) VCN in Oracle Cloud Infrastructure (OCI) with Aviatrix transit gateways and Palo Alto Networks VM Series Firewall. The Aviatrix Transit FireNet pattern is widely adopted among a growing list of Fortune 500 customers. Enterprise customers place significant value on a consistent provisioning and Day 2 operating model that can be adopted at scale in multicloud environments.
OCI customers that lack in-house cloud networking expertise or face resource constraints can easily provision the VM Series firewall in the cloud using the Aviatrix OCI Transit FireNet module, which provides a mechanism to inspect traffic patterns. The complexity of a cloud networking deployment is abstracted away, eliminating friction and simplifying the cloud journey.
Aviatrix FireNet and OCI
Aviatrix FireNet simplifies the deployment of the VM Series firewall and allows the firewall instances to inspect VCN-to-VCN (east-west) traffic, VCN-to-internet (egress) traffic, and VCN-to-on-premises (north-south) traffic. It can also inspect traffic going to any other cloud or external network.
Aviatrix FireNet is a turnkey network solution to deploy firewall instances in the cloud configured correctly, as shown in the following diagram.

Figure 1: Aviatrix Transit FireNet deployment detail
All the subnets, interfaces, route tables, and Compute instances are provisioned and configured with a single Terraform module. Both VM Series firewalls are deployed in active-active mode.

Figure 2: Deployed configuration with VCN and subnet details
The Aviatrix Controller builds the VM Series firewall instances, configures the routing toward the VM Series firewalls, and configures the return-traffic routing at the VM Series firewalls. It handles this process through the API-level integration that the Controller has with the VM Series firewalls and Panorama. The Aviatrix Transit gateways load balance the traffic across the available, healthy firewall instances. The Controller monitors the health of the VM Series firewall instances and does not send traffic to a failed VM Series firewall instance.
Demos
The following demos show a basic configuration and a more advanced configuration. Either example can easily be extended to a multicloud posture, based on business priorities. You can run them from an Aviatrix Controller running in any cloud; you only need to onboard an OCI account to the Controller.
Basic demo

For details, see the GitHub repository.
Advanced demo

For details, see the GitHub repository.
Aviatrix FireNet has the following benefits and features:
- Automated deployment of the VM Series Firewalls on OCI with UI, API, and Terraform support
- Automated configuration of the interfaces and routing entries at the firewalls
- Centralized management of multiple VM Series firewalls in multiple VCNs, regions, and clouds
- Active-active deployment of the firewalls
- Load balancing of the traffic to all the healthy firewalls with session awareness
- Health checks for firewalls
- Easy selection of the traffic flows to be inspected, such as selected VCNs and IPsec connections
- Repeatable architecture that you can use in any region and cloud
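As an added illustration of the session-aware load balancing and health-check behaviour described for the Transit gateways and Controller above (this is not Aviatrix's own code; the hash-based affinity model and the two firewall names are assumptions), the following Python model pins each session to one healthy firewall, steers the return direction to the same instance so the stateful firewall sees both halves of the flow, and re-hashes flows away from an instance that fails its health check:

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """One active-active VM Series instance and its last health-check result."""
    name: str
    healthy: bool = True


@dataclass
class FlowBalancer:
    """Illustrative model (an assumption, not Aviatrix's implementation)."""
    firewalls: list
    sessions: dict = field(default_factory=dict)  # flow key -> firewall name

    @staticmethod
    def flow_key(flow):
        """Direction-independent key: forward and return packets of one session agree."""
        src_ip, dst_ip, proto, sport, dport = flow
        return (proto,) + tuple(sorted([(src_ip, sport), (dst_ip, dport)]))

    def healthy(self):
        return [fw for fw in self.firewalls if fw.healthy]

    def choose(self, flow):
        """Return the firewall name for this flow, pinning sessions and skipping failed instances."""
        live = self.healthy()
        if not live:
            # Fail closed: with no healthy firewall, traffic is not bypassed uninspected.
            raise RuntimeError("no healthy firewall available")
        key = self.flow_key(flow)
        pinned = self.sessions.get(key)
        if pinned in {fw.name for fw in live}:
            return pinned
        digest = hashlib.sha256(repr(key).encode()).digest()
        chosen = live[int.from_bytes(digest[:4], "big") % len(live)].name
        self.sessions[key] = chosen
        return chosen

    def set_health(self, name, healthy):
        """Apply a health-check result; sessions pinned to a failed firewall are re-hashed."""
        for fw in self.firewalls:
            if fw.name == name:
                fw.healthy = healthy
        if not healthy:
            self.sessions = {k: v for k, v in self.sessions.items() if v != name}
```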
Conclusion
This blog explained how you can use the Aviatrix FireNet module to automate deploying Palo Alto Networks VM Series firewalls in OCI, with all the infrastructure and configuration included in a single Terraform module. VM Series firewall deployments in the cloud are a common use case for OCI customers, and Aviatrix makes them easy.
To learn more about Oracle Cloud Shell, Oracle Cloud Marketplace, and more, see the following resources:
