You can deploy the Barracuda CloudGen Firewall to the Google Cloud as a gateway or remote connectivity device. The firewall is deployed in a dedicated subnet (public subnet) in the Google Cloud network, and the instances for your cloud-based applications are deployed in backend or private subnets of the network. Each subnet is automatically assigned a dedicated gateway IP address and default route that allow the instances to connect to the Internet via the default Google Cloud gateway. An additional tag-based Google Cloud route is introduced to use the firewall as the default gateway. This route is applied automatically to all backend instances with this tag. Google Cloud firewall rules must be created to allow traffic between the firewall and the backend instances, as well as from the Internet to the firewall. By default, the Google Cloud firewall blocks all traffic, even between two instances in a subnet. The firewall has only a single DHCP network interface with a private IP address. Assign a static or ephemeral (dynamic) external IP address to your firewall to be able to connect to the Google Cloud network, even from outside the network.
Before You Begin
- A Google Cloud account is required.
- All Barracuda solutions for Google Cloud are listed here: https://console.cloud.google.com/launcher/partners/barracuda-release
Step 1. Create a Network in the Google Cloud
Create the virtual network you are deploying your firewall to.
- Go to https://console.cloud.google.com.
- Click the hamburger menu in the upper-left corner.
- In the Compute section, click Networking.
- In the main area, click Create Network.
- Enter the Name.
- In the Subnetworks section, click Custom.
- Create the public subnet:
- Name – Enter public-subnet.
- Region – Select your region.
- IP address range – Enter the network in CIDR format. If possible, do not use a network that overlaps with your on-premises network.
- Click Add subnetwork and create the private subnet:
- Name – Enter private-subnet.
- Region – Select your region.
- IP address range – Enter the network in CIDR format. If possible, do not use a network that overlaps with your on-premises network.
- Click Create.
The network is now listed.
Step 2. Create an External IP Address
Create a static external IP address for your firewall. You can also skip this step and use an ephemeral IP address when creating the firewall instance.
- Go to https://console.cloud.google.com.
- Click the hamburger menu in the upper-left corner.
- In the Compute section, click Networking.
- In the left menu, click External IP addresses.
- In the main area, click Reserve static address.
- Reserve a static address:
- Name – Enter a unique name for the external IP address.
- Type – Select Regional
- Region – Select the same region you selected for the public subnet of the network.
- Click Reserve.
Step 3. Create the Firewall Instance from Cloud Launcher
Deploy a new CloudGen Firewall instance from the Cloud Launcher image.
- Go to the CloudGen Firewall solution in Cloud Launcher: https://console.cloud.google.com/launcher/details/barracuda-release/barracuda-nextgen-firewall-f-series
- Click Launch on Compute Engine.
- Enter the Deployment name.
- From the Zone list, select the region for your new firewall instance.
- Select the Machine type with the number of vCPUs corresponding to your CloudGen Firewall license and performance needs. For more information, see Public Cloud.
- Change Disk type to SSD if you plan to use IO-intensive features like Malware Protection or HTTP Proxy. Otherwise, leave the default setting, Standard Persistent Disk.
- In Networking, choose network and sub-network names for the public subnet you created in Step 1.
- Leave all default firewall positions checked. You can add more ports, protocols, and IP addresses after deployment.
- (optional) If you want to use a reserved static address as created in Step 2:
- Click More to expand the advanced options.
- Select your External IP from the list.
- Click Deploy to start the deployment.
A window opens, displaying the details. The hostname must be used as a password for logging into the firewall.
Step 4. (optional) Create Instances in the Private Subnet
Deploy an instance into the private subnet. The backend instances must be tagged to be able to assign routes and firewall rules to them. Do not assign a public IP address to the backend instances.
Step 5. Create a Default Route for Backend Instances
A default route with a metric of 1000 is created automatically for each subnet. For the backend instances to use the firewall as the default gateway, create a default route with a metric lower than 1000. Configure the firewall instance as the next hop, and add the tags identifying the backend instances. The route is automatically applied to all instances that carry the tags listed in the route.
- Go to https://console.cloud.google.com.
- Click the hamburger menu in the upper-left corner.
- In the Compute section, click Networking.
- In the left menu, click Routes.
- Click Create route to create the default route for the backend instances:
- Name – Enter a name for the route.
- Network – Select the network created in Step 1.
- Destination IP range – Enter 0.0.0.0/0.
- Priority – Enter a priority lower than 1000. If two routes for the same destination exist, the route with the lower priority is used.
- Instance tags – Enter the tags used for each instance that should be routed over the CloudGen Firewall.
- Next hop – Select Specify an instance.
- Next hop instance – Select the firewall instance created in Step 4 from the list.
- Click Create.
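The route selection this step relies on, as an added example (not Barracuda or Google code): a tagged route applies only to instances carrying one of its tags, the most specific destination wins, and among equal destinations the lowest priority value wins. Route names, tags, instance names, and the probe address are constructed; `default-internet-gateway` stands for the automatically created default route.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination range in CIDR format
    priority: int                  # lower value wins among equal destinations
    next_hop: str
    tags: frozenset = frozenset()  # empty: applies to every instance


# Constructed sample data: the automatic default route plus the Step 5 route.
ROUTES = [
    Route("default-route", "0.0.0.0/0", 1000, "default-internet-gateway"),
    Route("via-cgf", "0.0.0.0/0", 900, "cgf-instance", frozenset({"backend"})),
]
INSTANCES = {"app-1": {"backend"}, "app-2": {"backend", "web"}, "db-1": set()}


def effective_route(routes, instance_tags, dst_ip):
    """Return the route an instance with these tags uses to reach dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in routes
        if ip in ipaddress.ip_network(r.dest)
        and (not r.tags or r.tags & set(instance_tags))
    ]
    if not candidates:
        return None
    # Longest prefix first, then lowest priority value.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def bypassing_instances(routes, instances, firewall_hop, probe_ip="203.0.113.10"):
    """List instances whose Internet-bound traffic does not go via the firewall."""
    out = []
    for name, tags in sorted(instances.items()):
        route = effective_route(routes, tags, probe_ip)
        if route is None or route.next_hop != firewall_hop:
            out.append(name)
    return out


if __name__ == "__main__":
    for name, tags in INSTANCES.items():
        print(name, "->", effective_route(ROUTES, tags, "203.0.113.10").next_hop)
    print("not via firewall:", bypassing_instances(ROUTES, INSTANCES, "cgf-instance"))
```

In the sample data, `db-1` has no tag, so it keeps using the priority-1000 default route and is reported as not routed via the firewall.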
Step 6. Create Google Cloud Firewall Rules
Create firewall rules to allow traffic into your virtual network and from the firewall to the backend instances. By default, all traffic is blocked.
- Go to https://console.cloud.google.com.
- Click the hamburger menu in the upper-left corner.
- In the Compute section, click Networking.
- In the left menu, click Firewall rules.
- In the main area, click Create firewall rule.
- Create a firewall rule to allow incoming traffic to your firewall instances:
- Name – Enter the firewall rule name.
- Network – Select the network created in Step 1.
- Source filter – Select Allow from any source (0.0.0.0/0).
- Allowed protocols and ports – Enter a semicolon-delimited, lower-case list of protocols and ports in the following format. tcp:807 is required to be able to connect via Barracuda Firewall Admin. E.g., use tcp:0-65535;udp:0-65535;icmp to allow all TCP, UDP, and ICMP traffic to the firewall.
- Target tags – Enter the tag assigned to the firewall in Step 3.
- Create a firewall rule to allow all traffic from selected subnets to the firewall:
- Name – Enter the firewall rule name.
- Network – Select the network created in Step 1.
- Source filter – Select Subnetworks.
- Subnetworks – Select the public subnet and all private subnets with instances that are using the firewall as the default gateway.
- Allowed protocols and ports – Enter a semicolon-delimited, lower-case list of protocols and ports. E.g., tcp:0-65535;udp:0-65535;icmp to allow all TCP, UDP, and ICMP traffic between instances in these subnets.
- Click Create.
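A check for the Allowed protocols and ports value entered in this step, as an added example (not Barracuda or Google code): it parses the semicolon-delimited list, confirms that tcp:807 is permitted, and reports entries that open the whole port range to any source so they can be reviewed after deployment. The function names and the two narrower sample values are constructed.

```python
def parse_allowed(spec):
    """Parse 'tcp:0-65535;udp:53;icmp' into {protocol: [(low, high), ...]}.

    A protocol given without ports (e.g. 'icmp') maps to None: no port restriction.
    """
    allowed = {}
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        if entry != entry.lower():
            raise ValueError(f"entry must be lower-case: {entry!r}")
        proto, sep, ports = entry.partition(":")
        if not sep:
            allowed[proto] = None
            continue
        low, dash, high = ports.partition("-")
        lo, hi = int(low), int(high if dash else low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {entry!r}")
        ranges = allowed.setdefault(proto, [])
        if ranges is not None:
            ranges.append((lo, hi))
    return allowed


def permits(allowed, proto, port):
    """True if the parsed rule lets proto/port through."""
    if proto not in allowed:
        return False
    ranges = allowed[proto]
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def review_rule(spec, source_range, required=(("tcp", 807),)):
    """Return findings for one ingress rule; an empty list means nothing to report."""
    allowed = parse_allowed(spec)
    findings = [f"missing {p}:{n}" for p, n in required if not permits(allowed, p, n)]
    if source_range == "0.0.0.0/0":
        for proto, ranges in allowed.items():
            if ranges and (0, 65535) in ranges:
                findings.append(f"{proto}:0-65535 open to any source")
    return findings


if __name__ == "__main__":
    # First value is the page's example; the other two are constructed.
    for spec in ("tcp:0-65535;udp:0-65535;icmp", "tcp:807;tcp:443;icmp", "tcp:22;icmp"):
        print(spec, "->", review_rule(spec, "0.0.0.0/0") or "ok")
```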
Step 7. Log into Your Firewall Instance in the Google Cloud via Barracuda Firewall Admin
- Launch Barracuda Firewall Admin.
- Log into the firewall:
- Select Firewall.
- IP Address / Name – Enter the external IP address created in Step 2.
- Username – Enter root.
- Password – Enter the hostname as a password.
- Click Sign in.
- Renew your password.
- The window for selecting how to manage the firewall is displayed.
- Click Manage via Barracuda Firewall Admin.
Serial Console
The Google Cloud Platform allows you to enable and connect to the serial port of your firewall instance. In case of a misconfiguration, this feature allows you to troubleshoot your CloudGen Firewall in a web-based serial console.
For more information, see How to Access the Serial Console on the CloudGen Firewall in the Google Cloud.
Next Steps
- (BYOL only) License your firewall. For more information, see How to Activate and License a Stand-Alone Virtual or Public Cloud Firewall or Control Center.
- If DHCP is disabled on the CloudGen Firewall, you must also add network routes for the private IP address of the network interface with a /32 subnet mask and the default subnet gateway assigned by Google. For more information, see Step 2.2 in How to Deploy a CloudGen Firewall with Multiple NICs in Google Cloud Using the Command Line.