action.skip

Planning Your Palo Alto Networks VM-Series MVE Deployment

This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).

Palo Alto Networks VM-Series Firewall

You will need a VM-Series license from Palo Alto Networks to use on the Megaport software-defined network (SDN). For more information, see Licensing.

Megaport provides you with:

  • A Virtual Machine to host the Next Generation Firewall (NGFW) image
  • A Megaport Internet connection to terminate the tunnel between MVE and CPE at branch via internet
  • Access to the Megaport ecosystem.

VM-Series features

VM-Series delivers NGFW services on a virtual machine. Hosting VM-Series on MVE not only optimizes edge-to-cloud network connectivity, but also enforces advanced security services and policies across the Megaport backbone segments.

The Palo Alto Networks Secure Access Service Edge (SASE) offering is for customers that are adopting the SASE architecture and need additional security for their network at the edge.

Embedding VM-Series into Megaport’s NaaS platform extends the following core SASE elements between the edge and cloud network fabric:

  • Next-generation firewall, including stateful corporate firewall policies, network address translation (NAT), intrusion protection services, Secure Sockets Layer (SSL) inspection, and threat intelligence.

  • Secure web gateway (SWG) services protect devices from malicious internet destinations using web content filtering and malware scanning.

  • Zero trust network access (ZTNA), which controls access to applications by verifying users and devices before every application session and confirms that they meet the organization’s policy to access that application.

  • Segmentation and whitelisting control applications communicating across different subnets, block lateral threat movement, and assist in achieving regulatory compliance.

  • Threat Prevention, DNS Security, and WildFire services that apply application-specific policies that prevent malware and stop previously unknown threats from infecting the cloud.

VM-Series also supports remote user integration with Palo Alto Networks SASE solutions with Prisma Access. Prisma Access provides two remote user access connection methods:

  • GlobalProtect – Extends Prisma Access’ visibility and control of all network traffic, applications, ports, and protocols to the user for secure access to internet or data center-based applications.
  • Explicit proxy – Allows SWG access to internet-based SaaS applications using HTTP and HTTPS.

For more information on these features, see the VM-Series Tech Docs.

Note

If you have already deployed a VM-Series firewall, you can connect it to an MVE so that your headquarters or branches can access cloud services over private interconnects.

Deployment considerations

Palo Alto Networks uses virtual or physical appliances much like many other platforms. However, with Palo Alto Networks, you can configure the appliances for several different uses. For example, you can configure a Palo Alto Networks appliance for use:

  • Strictly as a next-generation firewall (NGFW) for remote offices with local configuration and local logging only.

  • As central management with central logging, or as central management without central logging.

SD-WAN vendors

MVE is integrated with Palo Alto Networks, which uses Palo Alto network orchestrator Panorama (VM-Series) to create the private overlay network.

For information about all supported NFVsThe MVE is an on-demand, vendor-neutral Network Function Virtualization (NFV) platform that provides virtual infrastructure for network services at the edge of Megaport’s global software-defined network (SDN). Network technologies such as SD-WAN and NGFW are hosted directly on Megaport’s global network via Megaport Virtual Edge.
on the MVE platform, see the Megaport Virtual Edge (MVE) product page.

MVE locations

For a list of global locations where you can connect to an MVE, see Megaport Virtual Edge Locations.

Sizing your MVE instance

The instance size determines the MVE capabilities, such as how many concurrent connections it can support. The MVE instances are consolidated into these sizes:

Palo Alto Networks VM-Series Firewall

Package Size vCPUs DRAM Storage Megaport Internet Speed *
MVE 2/8 2 8 GB 60 GB Adjustable from 20 Mbps to 10 Gbps
MVE 4/16 4 16 GB 60 GB Adjustable from 20 Mbps to 10 Gbps
MVE 8/32 8 32 GB 60 GB Adjustable from 20 Mbps to 10 Gbps
MVE 12/48 12 48 GB 60 GB Adjustable from 20 Mbps to 10 Gbps

* The Megaport Internet access is symmetric, redundant, and diverse. Megaport Internet access is adjustable through the Megaport Internet connection that you attach to the MVE.

When choosing an MVE instance size, keep in mind these items:

  • Any increase on the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can impact the maximum throughput speed.

  • Future plans to scale the network.

What if I need more MVE capacity in the future?

You have a couple of options:

  • You can provision another MVE instance, add it to your SD-WAN overlay network, and split the workload between the two MVEs.

  • You can provision a larger MVE instance, add it to your SD-WAN overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.

If you need more cores (vCPUs), you can either:

  • Create a new MVE with more cores and terminate the old one (this option will require you to reconfigure your firewall).
  • Create a new MVE as a second firewall to offload the capacity from the first firewall.

You can adjust the Megaport Internet bandwidth at any time without having to tear down the virtual machine.

Security

MVE provides capacity to and from your internet-enabled branch locations securely, to any endpoint or service provider on the Megaport SDN. CSP-hosted instances of partner SD-WAN products route critical traffic across the Megaport SDN, reducing internet dependence. Traffic remains encrypted and under your policy control while traveling across the Megaport SDN, to or from, MVE.

Licensing

You bring your own VM-Series license for use with MVE. It is your responsibility to have the appropriate licenses for the endpoints created on the Megaport network.

To acquire a VM-Series license, we recommend that you start with Palo Alto Networks’ credit estimator tool.

Recommendations:

  • Ensure that the number of vCPUs you select suits your requirements.
  • Choose Kernel-based Virtual Machine (KVM) as the Environment.
  • For the best performance, we recommend that you match the number of vCPUs from your VM-Series license with the number of vCPUs on your MVE.

VLAN tagging

Megaport uses Q-in-Q to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP on-ramps or other MVEs).

vNICs

Each MVE can have up to five vNICs. A VM-Series MVE is created with two vNICs by default. You can add up to three more, making a total of five.

Before specifying the number of vNICs on your MVE:

  • Be aware that the number of vNICs can’t be changed after an MVE has been ordered. Decide in advance how many vNICs to specify when you create the MVE.

  • Consult your service provider to make sure that functionality won’t be affected if you add a vNIC.

Note

If you need to change the number of vNICs after an MVE has been ordered, you will have to cancel and re-order the MVE.