Planning Your Palo Alto Networks Prisma MVE Deployment
This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).
Palo Alto Networks Prisma SD-WAN
Palo Alto Networks Prisma SD-WAN is the next-generation SD-WAN solution that is autonomous, application-defined, and cloud-delivered. Prisma SD-WAN helps you secure and connect your branch offices and data centers without increasing cost and complexity.
Palo Alto Networks Prisma focuses on these key capabilities:
-
Enhanced network flexibility and scalability – Scale network capacity up or down based on real-time business demands without requiring physical infrastructure changes.
-
Optimized cloud connectivity – Simplify access to multiple cloud providers while ensuring the most efficient path for data and network traffic to reduce latency and improve app performance.
-
Robust security – Ensure that your critical data and devices—including IoT devices—are protected with end-to-end encryption and advanced threat prevention.
-
Streamlined network management – Gain visibility across the entire network while reducing complexity with Strata Cloud Manager for Prisma SD-WAN.
-
Intelligent bandwidth management – Reduce costs with flexible bandwidth allocation that optimizes resources efficiently and avoids unnecessary expenditures or unused capacities.
Megaport supports these Prisma SD-WAN software models:
-
310xv (including 3108v, 3104v, and 3102v) (For remote branches)
-
7108v (For data centers)
Deployment considerations
This section provides an overview of the MVE deployment options and features.
For information on the Palo Alto Networks Prisma-specific settings, see Prisma SD-WAN and Megaport Virtual Edge Solution Guide.
SD-WAN vendors
MVE is integrated with Palo Alto Networks, which uses Strata Cloud Manager console (Prisma SD-WAN) to create the private overlay network.
For information about all supported NFVsThe MVE is an on-demand, vendor-neutral Network Function Virtualization (NFV) platform that provides virtual infrastructure for network services at the edge of Megaport’s global software-defined network (SDN). Network technologies such as SD-WAN and NGFW are hosted directly on Megaport’s global network via Megaport Virtual Edge.
on the MVE platform, see the Megaport Virtual Edge (MVE) product page.
MVE locations
For a list of global locations where you can connect to an MVE, see Megaport Virtual Edge Locations.
Sizing your MVE instance
The instance size determines the MVE capabilities, such as how many concurrent connections it can support.
When choosing an MVE instance size, keep in mind these items:
-
Any increase on the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can impact the maximum throughput speed.
-
Future plans to scale the network.
To check which MVE instance sizes are available for your deployment, use the Megaport Portal during the MVE setup process. Instance size availability depends on both the selected vendor and the deployment location, and might vary accordingly. The Megaport Portal displays the sizes that are available for your selected vendor and location.
To check the MVE instance sizes in the Megaport Portal
- In the Megaport Portal, go to the Services page.
-
Click Create MVE.
-
Select the required Palo Alto Prisma SD-WAN product.
-
Select the software version.
-
Click Next.
-
Select an MVE location.
Select a location geographically close to your target branch and/or on-premises locations.
You can use the Search field to find the Port name, Country, Metro City, or address of your destination Port. You can also filter by diversity zone.
-
A list of available instance sizes appear based on the selected location. Available sizes are highlighted in green and labeled Available. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly.
Note
If the MVE size you want is not in the list, then there is not enough capacity at the selected location. You can either select another location with enough capacity or contact your Account Manager to discuss requirements.
What if I need more MVE capacity in the future?
You have these options:
-
You can provision another MVE instance, add it to your overlay network, and split the workload between the two MVEs.
-
You can provision a larger MVE instance, add it to your overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.
If you need more cores (vCPUs), you can either:
- Create a new MVE with more cores and terminate the old one (this option will require you to reconfigure your firewall).
- Create a new MVE as a second firewall to offload the capacity from the first firewall.
You can adjust the Megaport Internet bandwidth at any time without having to tear down the virtual machine.
Security
MVE provides secure capacity to and from your internet-enabled branch locations, to any endpoint or service provider on the Megaport SDN. CSP-hosted instances of partner SD-WAN products route critical traffic across the Megaport SDN, reducing internet dependence. Traffic remains encrypted and under your policy control while traveling across the Megaport SDN, to or from, MVE.
Licensing
You bring your own Prisma license for the model that you want to deploy with MVE. It is your responsibility to have the appropriate licenses for the endpoints created on the Megaport network.
To create a Palo Alto Networks Prisma MVE in the Megaport Portal, you also need a valid ION Key and Secret Key (Authorization token) from Palo Alto Networks. Tokens are generated through the Strata Cloud Manager console by a Palo Alto Networks customer administrator. Tokens can be single use or multi use, are valid for 96 hours, and will be assigned to the virtual appliance during deployment.
For more information, see the Prisma SD-WAN Administrator’s Guide.
VLAN tagging
Megaport uses Q-in-Q802.1Q tunneling (also known as Q-in-Q or 802.1ad) is a technique used by OSI Layer 2 providers for customers. 802.1ad provides for both an inner and an outer tag whereby the outer (sometimes called S-tag for service provider) can be removed to expose the inner (C-tag or customer) tags that segment the data.
to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP on-ramps or other MVEs). For more information, see Configuring Q-in-Q.
vNICs
Each MVE can have up to five vNICs. Prisma SD-WAN 3108v, 3104v, and 3102v MVEs are created with four vNICs, while a 7108v MVE is created with three vNICs.
Before specifying the number of vNICs on your MVE:
-
Be aware that the number of vNICs can’t be changed after an MVE has been ordered. Decide in advance how many vNICs to specify when you create the MVE.
-
Consult your service provider to make sure that functionality won’t be affected if you add a vNIC.
Note
If you need to change the number of vNICs after an MVE has been ordered, you will have to cancel and re-order the MVE.
For more information, see Types of vNIC Connections.