Deploy the Instance Group in GCP Using an Instance Template

Deploy the instance group in GCP using an instance template.

Before you begin

  • Use Google Cloud Shell for deployment. Alternatively, you can use Google SDK on any macOS/Linux/Windows machine.

  • To allow the cluster to auto-register with the Management Center, you need to create a user with administrative privileges on the Management Center that can use the REST API. See the Cisco Secure Firewall Management Center Administration Guide.

  • Add an access policy in the Management Center that matches the name of the policy that you specified in cluster_function_infra.yaml.

Procedure

Step 1

Download the templates from GitHub to your local folder.

Step 2

Edit infrastructure.yaml , cluster_function_infra.yaml and deploy_ngfw_cluster.yaml with the required resourceNamePrefix parameter (for example, ngfwvcls) and other required user inputs.

From Secure Firewall version 7.4.1, you can deploy the cluster without the diagnostic interface. To deploy the cluster with only the Outside, Inside, Management, and CCL interfaces, set the withDiagnostic variable to False in both the infrastructure.yaml and the deploy_ngfw_cluster.yaml files.

Note that there is a deploy_ngfw_cluster.yaml file in both the east-west and north-south folders in GitHub. Download the appropriate template as per your traffic flow requirement.

Step 3

Create a bucket using Google Cloud Shell to upload the Google cloud function source archive file ftdv_cluster_function.zip.

gsutil mb --pap enforced gs://resourceNamePrefix-ftdv-cluster-bucket/

Ensure that the resourceNamePrefix variable here matches the resourceNamePrefix variable that you specified in cluster_function_infra.yaml.

Step 4

Create an archive file for the cluster infrastructure.

Example:


zip -j ftdv_cluster_function.zip ./cluster-function/*

Step 5

Upload the Google source archive that you created earlier.

gsutil cp ftdv_cluster_function.zip gs://resourceNamePrefix-ftdv-cluster-bucket/

Step 6

Deploy infrastructure for the cluster.

gcloud deployment-manager deployments create cluster_name --config infrastructure.yaml

Step 7

If you are using private IP addresses, perform the steps given below:

  1. Launch and set up the Management Center Virtual with a Threat Defense Virtual management VPC.

  2. Create a VPC connector to connect the Google Cloud functions with the Threat Defense Virtual management VPC.

    gcloud compute networks vpc-access connectors create vpc-connector-name --region us-central1 --subnet resourceNamePrefix-ftdv-mgmt-subnet28

Step 8

If the Management Center is remote from the Threat Defense Virtual, and the Threat Defense Virtual needs an external IP address, ensure that you set deployWithExternalIP to True in cluster_function_infra.yaml.

Step 9

Deploy the cluster function infrastructure.

gcloud deployment-manager deployments create cluster_name --config cluster_function_infra.yaml

Step 10

Deploy the cluster.

  1. For North-South topology deployment:

    gcloud deployment-manager deployments create cluster_name --config north-south/deploy_ngfw_cluster.yaml

  2. For East-West topology deployment:

    gcloud deployment-manager deployments create cluster_name --config east-west/deploy_ngfw_cluster.yaml