Earlier this month, I had the pleasure to attend the annual Palo Alto Networks’ Ignite ‘19 conference held in Austin from June 3rd to June 6th, 2019. It was a busy week for us with lots of interest in how VMware SD-WAN™ by VeloCloud® provides security benefits for cloud architecture. VeloCloud, now part of VMware, was invited by Palo Alto Networks to attend the cybersecurity conference to showcase our partnerships with Intel and Palo Alto Networks through a breakout session and booth demos.
Major Keynote Announcements and Common Themes
Cloud security with better automation was a major topic discussed at this conference. This is because a platform refresh of legacy security hardware can take months for an enterprise with a sizable deployment. The need for a zero-trust policy within security architecture was also emphasized.
I led a breakout session with representatives from Intel and Palo Alto Networks on the topic shown below.
The room was filled to capacity with 220 attendees, which reinforces how hot this topic is right now. The main focus of the session was to highlight benefits of VMware SD-WAN™ by VeloCloud® and how security at the branches is baked in using a Palo Alto Networks VM series VNF. From a customer perspective, the security VNF is already included on the SD-WAN device when shipped, thus reducing the time to deploy.
The majority of SD-WAN vendors are selling SD-WAN with a security-oriented design; some have even pivoted into the SD-WAN space from security after looking at the SD-WAN market potential. VMware SD-WAN has always believed in a best-of-breed approach and this is where our partnership with Palo Alto Networks becomes critical.
Why is Security Important at the Branch Today?
Legacy WAN architecture was designed for hub and spoke architecture since the applications were located at the data center (hub) and the Internet-bound traffic would always go through the hub. Traditionally, the hub was the place where the security perimeter resided. Why would this hub and spoke architecture not be suitable today? Enterprises are adopting a cloud-first approach and there is an increased uptick in the usage of IaaS/SaaS applications.
One major hindrance of this approach is latency, since the data center was designed to be best suited for branch connectivity to local applications residing at the data center itself, rather than SaaS/IaaS connectivity. Thus, the need arose to send the cloud-destined traffic directly over the Internet from the branches. This approach makes branches vulnerable from a security standpoint, since the traffic is broken out directly. Hence, branches would need some kind of distributed security perimeter.
In an ideal world, all branches would have dedicated security appliances, but this is not cost-effective and is a burden to manage—that’s why data centers were designed in the first place! Enterprises would have the option to either consume security as a service from secure web gateway (SWG) providers or use lightweight firewall option at the branches.
The second deployment option using a virtual network function (VNF) was explained in detail during the Ignite breakout session.
Palo Alto Networks VM-Series VNF Integration with VMware SD-WAN
VMware SD-WAN has partnered with Palo Alto Networks to integrate the VM-series firewall natively within the VMware SD-WAN Edge appliances. There has been a substantial amount of engineering work between the VeloCloud and Palo Alto Networks teams to automate the bring-up of the PAN VM-Series VNF, thus reducing the number of manual steps.
The deployment workflow with a step-by-step description is shown below:
The deployment workflow involves the following steps:
- The VMware SD-WAN customer receives an auth-code for the licenses purchased for Palo Alto Networks VM-series firewall. This auth-code is added under the VMware SD-WAN Orchestrator, which is the single pane of glass for the entire VMware SD-WAN. The VMware SD-WAN Orchestrator will initiate API calls to Palo Alto Network’s licensed server when this auth-code is inserted for validity.
- The Palo Alto Networks VM-series VNF is already prepackaged on the VMware SD-WAN Edge appliance, so the customer doesn’t have to download the image exclusively. Again, from the VMware SD-WAN Orchestrator, the user would instantiate the VM-series VNF. The VNF’s life cycle management is handled by the VMware SD-WAN Orchestrator, which can be thought of as a VNF Manager (VNFM) for the NFV-aware readers.
- The final step involves communicating with a Panorama server, which can be installed anywhere (i.e. in the private data center or in the cloud). The VM-series VNF’s configurations are pushed from the Panorama server.
Note: Edges 520v and Edge 840 are supported today as part of this integration.
Security Options with VMware SD-WAN and Palo Alto Networks
For a customer who is interested in utilizing security from Palo Alto Networks and VMware SD-WAN, the following options are available:
- VMware SD-WAN with Palo Alto Networks Prisma Access
- VMware SD-WAN with Palo Alto Networks VM-series VNF running natively on VMware SD-WAN Edges
- VMware SD-WAN with Palo Alto Networks physical firewalls
Overall, our experience at Ignite ‘19 was a highly positive one and we plan to attend again next year. We look forward to a continued relationship with Palo Alto Networks.
For more details, check out our solution brief and deployments guides:
VMware SD-WAN by VeloCloud with Palo Alto Networks security solution brief
Palo Alto Networks VM-Series and VMware SD-WAN Deployment on SD-WAN Edge
Palo Alto Networks GlobalProtect Cloud Service and VMware SD-WAN integration guide