This document explains how to create a Secure Access Connect realm. A Secure Access Connect realm establishes a connection between your Google Cloud project and an SSE service.
Before you begin
Before you begin, do the following:
- Set up one of the following SSE partner services:
Required roles
To get the permissions that you need to create realms, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a Secure Access Connect realm
Create a Secure Access Connect realm by following the instructions that correspond with your SSE provider.
Palo Alto Networks Prisma Access
Create a realm by doing the following.
gcloud
- Create a realm by running the gcloud beta network-security secure-access-connect realms create command:

      gcloud beta network-security secure-access-connect realms create REALM_ID \
          --security-service=prisma-access

  Replace REALM_ID with a name for your realm.

- Identify the pairing key for the realm by running the gcloud beta network-security secure-access-connect realms describe command:

      gcloud beta network-security secure-access-connect realms describe REALM_ID \
          --project=PROJECT_ID

  Replace the following:
  - REALM_ID: the name of your realm
  - PROJECT_ID: your project ID

  The output is similar to the following:

      createTime: '...'
      name: ...
      pairingKey:
        expireTime: '...'
        key: 12345678-0000-4321-1234-abcdefghijkl
      securityService: PALO_ALTO_PRISMA_ACCESS
      state: UNATTACHED
      updateTime: '...'

  The key field contains the pairing key.

- Use the pairing key to set up a Managed Cloud WAN in Prisma Access.
API
Use the projects.locations.sacRealms.create method.

    POST https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/sacRealms
    {
      "name": "REALM_ID",
      "securityService": "PALO_ALTO_PRISMA_ACCESS"
    }

Replace the following:
- PROJECT_ID: your project ID
- REALM_ID: the name of your realm
Symantec Cloud SWG
Create a realm by doing the following.
gcloud
- If you haven't already done so, provide the Symantec API key to Secure Access Connect by doing the following:
  - In Symantec Cloud SWG, create an API key and set Access to Location Management.
  - Store the API key in Secret Manager by doing the following:
    - Create a secret in the same project that you want to create the realm in.
    - Add a secret version that contains the API key. There must not be any extra blank spaces in the contents of the secret. Use the following format:

          USERNAME:PASSWORD

      Replace the following:
      - USERNAME: the username from the API key
      - PASSWORD: the password from the API key

- Create a realm by running the gcloud beta network-security secure-access-connect realms create command:

      gcloud beta network-security secure-access-connect realms create REALM_ID \
          --security-service=symantec-cloud-swg \
          --project=PROJECT_ID \
          --symantec-secret=SECRET_ID

  Replace the following:
  - REALM_ID: a name for your realm
  - PROJECT_ID: your project ID
  - SECRET_ID: the ID of the secret that contains the API key

- Grant the network security service account access to the API key by running the gcloud secrets add-iam-policy-binding command:

      gcloud secrets add-iam-policy-binding SECRET_ID \
          --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com \
          --role roles/secretmanager.secretAccessor

  Replace the following:
  - SECRET_ID: the ID of the secret that contains the API key
  - PROJECT_NUMBER: your project number
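The "no extra blank spaces" requirement for the secret contents is easy to violate with a trailing newline, for example when the key is written with echo. The following shell script is an added example, not part of the original page: it checks the payload file byte-for-byte before storing it in Secret Manager. The function names, the file argument and the automatic replication policy are assumptions, and it assumes that neither the username nor the password contains whitespace.

```shell
#!/bin/sh
# Added example (not from the original page): validate the Symantec API key
# payload, then store it in Secret Manager.
# Assumption: neither USERNAME nor PASSWORD contains whitespace.

# check_payload FILE: succeeds only if FILE holds exactly USERNAME:PASSWORD
# with no whitespace bytes at all (space, tab, CR, LF).
check_payload() {
  file=$1
  total=$(wc -c < "$file" | tr -d ' ')
  clean=$(tr -d '[:space:]' < "$file" | wc -c | tr -d ' ')
  if [ "$total" -ne "$clean" ]; then
    echo "payload contains $((total - clean)) whitespace byte(s)" >&2
    return 1
  fi
  # Non-empty username, a colon separator, non-empty password.
  if ! grep -Eq '^[^:]+:.+$' "$file"; then
    echo "payload is not in USERNAME:PASSWORD form" >&2
    return 1
  fi
}

# store_api_key SECRET_ID FILE: create the secret and add the checked payload
# as a version. The file is uploaded as-is, so the shell cannot append a newline.
store_api_key() {
  secret_id=$1
  file=$2
  check_payload "$file" || return 1
  gcloud secrets create "$secret_id" --replication-policy=automatic &&
    gcloud secrets versions add "$secret_id" --data-file="$file"
}

# Runs only when called with two arguments, e.g.:
#   sh store_key.sh SECRET_ID key.txt
if [ "$#" -eq 2 ]; then
  store_api_key "$1" "$2"
fi
```

Write the key file with printf '%s' rather than echo so that no newline is appended, and delete the file after the secret version is created.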
API
Use the projects.locations.sacRealms.create method.

    POST https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/sacRealms
    {
      "name": "REALM_ID",
      "securityService": "SYMANTEC_CLOUD_SWG",
      "symantecOptions": {
        "secretPath": "SECRET_ID"
      }
    }

Replace the following:
- PROJECT_ID: your project ID
- REALM_ID: a name for your realm
- SECRET_ID: the ID of the secret that contains the API key

