Deploy the Instance Group in GCP Using an Instance Template

Deploy the instance group in GCP using an instance template.

Before you begin

  • Use Google Cloud Shell for deployment. Alternatively, you can use Google SDK on any macOS/Linux/Windows machine.

  • To allow the cluster to auto-register with the Management Center, you need to create a user with administrative privileges on the Management Center that can use the REST API. See the Cisco Secure Firewall Management Center Administration Guide.

  • Add an access policy in the Management Center that matches the name of the policy that you specified in cluster_function_infra.yaml.

Procedure

Step 1

Download the templates from GitHub to your local folder.

Step 2

Edit infrastructure.yaml, cluster_function_infra.yaml, and deploy_ngfw_cluster.yaml with the required resourceNamePrefix parameter (for example, ngfwvcls) and the other required user inputs. Use the same resourceNamePrefix value in all three files.

Note that there is a deploy_ngfw_cluster.yaml file in both the east-west and north-south folders in GitHub. Download the template that matches your traffic flow requirement.

Step 3

Create a bucket using Google Cloud Shell to hold the Google Cloud Function source archive file ftdv_cluster_function.zip.

gsutil mb --pap enforced gs://resourceNamePrefix-ftdv-cluster-bucket/

The --pap enforced flag turns on public access prevention, so the bucket that holds the function source cannot be made publicly readable. Ensure that the resourceNamePrefix value in the bucket name matches the resourceNamePrefix variable that you specified in cluster_function_infra.yaml.

Step 4

Create an archive file for the cluster function source.

Example:

zip -j ftdv_cluster_function.zip ./cluster-function/*

Step 5

Upload the Cloud Function source archive that you created in Step 4 to the bucket.

gsutil cp ftdv_cluster_function.zip gs://resourceNamePrefix-ftdv-cluster-bucket/

Step 6

Deploy the infrastructure for the cluster. Deployment names must be unique within a project, so give this deployment and the ones in Step 9 and Step 10 different names.

gcloud deployment-manager deployments create cluster_name --config infrastructure.yaml

Step 7

If you are using private IP addresses, perform the following steps:

  1. Launch and set up the Management Center Virtual with a Threat Defense Virtual management VPC.

  2. Create a VPC connector to connect the Google Cloud functions with the Threat Defense Virtual management VPC.

    gcloud compute networks vpc-access connectors create vpc-connector-name --region us-central1 --subnet resourceNamePrefix-ftdv-mgmt-subnet28

Step 8

If the Management Center is remote from the Threat Defense Virtual, and the Threat Defense Virtual needs an external IP address, ensure that you set deployWithExternalIP to True in cluster_function_infra.yaml.

Step 9

Deploy the cluster function infrastructure.

gcloud deployment-manager deployments create cluster_name --config cluster_function_infra.yaml

Step 10

Deploy the cluster.

  1. For North-South topology deployment:

    gcloud deployment-manager deployments create cluster_name --config north-south/deploy_ngfw_cluster.yaml

  2. For East-West topology deployment:

    gcloud deployment-manager deployments create cluster_name --config east-west/deploy_ngfw_cluster.yaml
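Steps 2 and 3 depend on resourceNamePrefix being identical across the three templates and on the derived bucket name being acceptable to Cloud Storage; a mismatch surfaces only after the function has already been deployed and fails to find its bucket. The following pre-flight check is an added example, not code from the Cisco templates or documentation. It assumes each template carries the parameter as a plain "resourceNamePrefix: value" line, and it applies a conservative subset of the GCS bucket-naming rules (lowercase letters, digits and hyphens only, 3 to 63 characters, starting and ending alphanumeric). The sample templates it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check (example code, not from the Cisco templates).
# Verifies that resourceNamePrefix is identical across infrastructure.yaml,
# cluster_function_infra.yaml and deploy_ngfw_cluster.yaml, and that the
# derived bucket name resourceNamePrefix-ftdv-cluster-bucket is acceptable.
# Assumes each template carries the key as "resourceNamePrefix: <value>".

# Print the first resourceNamePrefix value in a template, with surrounding
# quotes and any trailing comment removed; prints nothing if the key is absent.
extract_prefix() {
  sed -n 's/^[[:space:]]*resourceNamePrefix:[[:space:]]*//p' "$1" \
    | head -n 1 \
    | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"' "
}

# Conservative subset of GCS bucket-name rules: 3-63 characters, lowercase
# letters, digits and hyphens only, starting and ending with a letter or digit.
valid_bucket_name() {
  name=$1
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  case $name in
    *[![:lower:][:digit:]-]*) return 1 ;;
    -*|*-) return 1 ;;
  esac
  return 0
}

# Check the three templates in directory $1. On success print the bucket name
# to use with gsutil and return 0; otherwise report the problem and return 1.
check_templates() {
  dir=$1
  prefix=''
  for f in infrastructure.yaml cluster_function_infra.yaml deploy_ngfw_cluster.yaml; do
    p=$(extract_prefix "$dir/$f")
    if [ -z "$p" ]; then
      echo "ERROR: resourceNamePrefix not found in $f" >&2
      return 1
    fi
    if [ -z "$prefix" ]; then
      prefix=$p
    elif [ "$p" != "$prefix" ]; then
      echo "ERROR: $f uses resourceNamePrefix '$p', expected '$prefix'" >&2
      return 1
    fi
  done
  bucket="${prefix}-ftdv-cluster-bucket"
  if ! valid_bucket_name "$bucket"; then
    echo "ERROR: derived bucket name '$bucket' is not a valid GCS bucket name" >&2
    return 1
  fi
  echo "$bucket"
}

# Write constructed sample templates into $1 (values are made up for this example).
make_samples() {
  sdir=$1; a=$2; b=$3; c=$4
  printf 'resources:\n- name: infra\n  properties:\n    resourceNamePrefix: "%s"\n' "$a" > "$sdir/infrastructure.yaml"
  printf 'resources:\n- name: fn\n  properties:\n    resourceNamePrefix: %s # prefix\n' "$b" > "$sdir/cluster_function_infra.yaml"
  printf 'resources:\n- name: cluster\n  properties:\n    resourceNamePrefix: %s\n' "$c" > "$sdir/deploy_ngfw_cluster.yaml"
}

# Stand-alone demo: one consistent set of templates, then a mismatched set.
demo_dir=$(mktemp -d)
make_samples "$demo_dir" ngfwvcls ngfwvcls ngfwvcls
check_templates "$demo_dir" && echo "consistent templates: OK"
make_samples "$demo_dir" ngfwvcls ngfwvcls NGFW_cls
check_templates "$demo_dir" || echo "mismatched templates: rejected as expected"
rm -rf "$demo_dir"
```

Run it from the folder that holds the three edited templates by calling check_templates with that directory; the printed bucket name is the one to pass to gsutil mb and gsutil cp, which removes the chance of retyping the prefix differently in Step 3 and Step 5.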