Planning Your Palo Alto Networks Prisma MVE Deployment

This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).

Palo Alto Networks Prisma SD-WAN

Palo Alto Networks Prisma SD-WAN is the next-generation SD-WAN solution that is autonomous, application-defined, and cloud-delivered. Prisma SD-WAN helps you secure and connect your branch offices and data centers without increasing cost and complexity.

Palo Alto Networks Prisma focuses on these key capabilities:

  • Enhanced network flexibility and scalability – Scale network capacity up or down based on real-time business demands without requiring physical infrastructure changes.

  • Optimized cloud connectivity – Simplify access to multiple cloud providers while ensuring the most efficient path for data and network traffic to reduce latency and improve app performance.

  • Robust security – Ensure that your critical data and devices—including IoT devices—are protected with end-to-end encryption and advanced threat prevention.

  • Streamlined network management – Gain visibility across the entire network while reducing complexity with Strata Cloud Manager for Prisma SD-WAN.

  • Intelligent bandwidth management – Reduce costs with flexible bandwidth allocation that optimizes resources efficiently and avoids unnecessary expenditures or unused capacities.

Megaport supports these Prisma SD-WAN software models:

  • 310xv (including 3108v, 3104v, and 3102v) (For remote branches)

  • 7108v (For data centers)

Deployment considerations

This section provides an overview of the MVE deployment options and features.

For information on the Palo Alto Networks Prisma-specific settings, see Prisma SD-WAN and Megaport Virtual Edge Solution Guide.

SD-WAN vendors

MVE is integrated with Palo Alto Networks, which uses the Strata Cloud Manager console (Prisma SD-WAN) to create the private overlay network.

For information about all supported NFVs on the MVE platform, see the Megaport Virtual Edge (MVE) product page.

The MVE is an on-demand, vendor-neutral Network Function Virtualization (NFV) platform that provides virtual infrastructure for network services at the edge of Megaport’s global software-defined network (SDN). Network technologies such as SD-WAN and NGFW are hosted directly on Megaport’s global network via Megaport Virtual Edge.

MVE locations

For a list of global locations where you can connect to an MVE, see Megaport Virtual Edge Locations.

Sizing your MVE instance

The instance size determines the MVE capabilities, such as how many concurrent connections it can support. The MVE instances are consolidated into these sizes:

Palo Alto Networks Prisma SD-WAN

              Remote Offices                                      Data Centers *
              ION 3102V        ION 3104V        ION 3108V        ION 7108V
Throughput    Up to 100 Mbps   Up to 200 Mbps   Up to 350 Mbps   Up to 3 Gbps
vCPU          2                4                8                8
RAM (GB)      8                8                8                32
Disk (GB)     40               40               40               100

* The Data Center 7108V model is relevant to most MVE use cases and is the highest bandwidth supported.

Note

Prisma SD-WAN 6.4 supports Branch Gateway mode.

When choosing an MVE instance size, keep in mind these items:

  • Any increase in the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can impact the maximum throughput speed.

  • Future plans to scale the network.

What if I need more MVE capacity in the future?

You have a couple of options:

  • You can provision another MVE instance, add it to your SD-WAN overlay network, and split the workload between the two MVEs.

  • You can provision a larger MVE instance, add it to your SD-WAN overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.

You can adjust the Megaport Internet bandwidth at any time without having to tear down the virtual machine.

Security

MVE securely provides capacity between your internet-enabled branch locations and any endpoint or service provider on the Megaport SDN. CSP-hosted instances of partner SD-WAN products route critical traffic across the Megaport SDN, reducing internet dependence. Traffic remains encrypted and under your policy control while traveling across the Megaport SDN to or from the MVE.

Licensing

You bring your own Prisma license for the model that you want to deploy with MVE. It is your responsibility to have the appropriate licenses for the endpoints created on the Megaport network.

To create a Palo Alto Networks Prisma MVE in the Megaport Portal, you also need a valid ION Key and Secret Key (Authorization token) from Palo Alto Networks. Tokens are generated through the Strata Cloud Manager console by a Palo Alto Networks customer administrator. Tokens can be single use or multi use, are valid for 96 hours, and will be assigned to the virtual appliance during deployment.

For more information, see the Prisma SD-WAN Administrator’s Guide.

VLAN tagging

Megaport uses Q-in-Q to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP on-ramps or other MVEs).
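
An added example (not from the Megaport or Palo Alto Networks documentation): a Python check that parses the VLAN tag stack of a raw Ethernet frame and classifies it against what this section says the tenant MVE receives. The frames, MAC addresses and VLAN IDs are constructed, and treating any other tag stack as unexpected is an assumption of the example.

```python
import struct

TPID_CTAG = 0x8100  # 802.1Q customer tag
TPID_STAG = 0x88A8  # 802.1ad service tag (outer tag in Q-in-Q)

def parse_vlan_stack(frame: bytes):
    """Return ([(tpid, vid, pcp), ...], inner_ethertype) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12  # skip destination and source MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in (TPID_CTAG, TPID_STAG):
        if len(frame) < off + 6:  # TPID + TCI + next EtherType
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF, tci >> 13))
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return tags, etype

def classify_at_tenant(frame: bytes) -> str:
    """Map a frame seen inside the tenant MVE to the cases described above."""
    tags, _ = parse_vlan_stack(frame)
    if not tags:
        return "untagged: internet-facing link"
    if len(tags) == 1 and tags[0][0] == TPID_CTAG:
        return f"single 802.1Q tag, VLAN {tags[0][1]}: VXC traffic"
    # Assumption: the provider's outer tag never reaches the guest.
    return "unexpected: tag stack the tenant should not see"

def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed test frame with locally administered MACs."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: VLAN IDs 100 and 2000 are illustrative only.
SAMPLES = {
    "internet": build_frame([]),
    "vxc": build_frame([(TPID_CTAG, 100)]),
    "qinq": build_frame([(TPID_STAG, 2000), (TPID_CTAG, 100)]),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:9s} {classify_at_tenant(frame)}")
```

When running such a check on captured traffic, note that NIC VLAN offload can strip tags before the capture sees them, so an untagged result on a VXC interface may reflect the capture point rather than the wire.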

vNICs

Each MVE can have up to five vNICs. Prisma SD-WAN 3108v, 3104v, and 3102v MVEs are created with four vNICs, while a 7108v MVE is created with three vNICs.

Before specifying the number of vNICs on your MVE:

  • Be aware that the number of vNICs can’t be changed after an MVE has been ordered. Decide in advance how many vNICs to specify when you create the MVE.

  • Consult your service provider to make sure that functionality won’t be affected if you add a vNIC.

Note

If you need to change the number of vNICs after an MVE has been ordered, you will have to cancel and re-order the MVE.