Stay organized with collectionsSave and categorize content based on your preferences.
This document explains how to create a Secure Access Connect realm. A
Secure Access Connect realm establishes a connection between your
Google Cloud project and an SSE service.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Create a realm\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis document explains how to create a Secure Access Connect realm. A\nSecure Access Connect realm establishes a connection between your\nGoogle Cloud project and an SSE service.\n\nBefore you begin\n----------------\n\nBefore you begin, do the following:\n\n- Set up one of the following SSE partner services:\n\n - [Palo Alto Networks Prisma Access](https://docs.paloaltonetworks.com/prisma-access/integration/ncc-gateway-integration-in-prisma-access)\n - [Symantec Cloud Secure Web Gateway (Cloud SWG)](https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/conn-matrix/adm_addlocation_st/express-connect.html)\n- [Set up NCC Gateway](/network-connectivity/docs/network-connectivity-center/how-to/ncc-gateway/setup-overview)\n and [create a global hub](/network-connectivity/docs/network-connectivity-center/how-to/ncc-gateway/create-hub-and-vpc)\n\n### Required roles\n\n\nTo get the permissions that\nyou need to create realms,\n\nask your administrator to grant you the\n\n\n[Compute Network Admin](/iam/docs/roles-permissions/compute#compute.networkAdmin) (`roles/compute.networkAdmin`)\nIAM role on the project.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nCreate a Secure Access Connect realm\n------------------------------------\n\nCreate a Secure Access Connect realm by following the\ninstructions that correspond with your SSE provider.\n\n### Palo Alto Networks Prisma Access\n\nCreate a realm by doing the following. \n\n### gcloud\n\n1. Create a realm by running the\n [`gcloud beta network-security secure-access-connect realms create`\n command](/sdk/gcloud/reference/beta/network-security/secure-access-connect/realms/create):\n\n gcloud beta network-security secure-access-connect realms create \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e \\\n --security-service=prisma-access\n\n Replace \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e with a name for your realm.\n2. Identify the pairing key for the realm by running the\n [`gcloud beta network-security secure-access-connect realms describe` command](/sdk/gcloud/reference/beta/network-security/secure-access-connect/realms/describe):\n\n gcloud beta network-security secure-access-connect realms describe \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e: the name of your realm\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID\n\n The output is similar to the following: \n\n createTime: '...'\n name: ...\n pairingKey:\n expireTime: '...'\n key: 12345678-0000-4321-1234-abcdefghijkl\n securityService: PALO_ALTO_PRISMA_ACCESS\n state: UNATTACHED\n updateTime: '...'\n\n The `key` field contains the pairing key.\n3. Use the pairing key to set up a Managed Cloud WAN in Prisma Access.\n\n### API\n\nUse the [`projects.locations.sacRealms.create` method](/secure-access-connect/docs/reference/network-security/rest/v1beta1/projects.locations.sacRealms/create). \n\n POST https://networksecurity.googleapis.com/v1beta1/project/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/global/sacRealms\n {\n \"name\": \"\u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e\",\n \"securityService\": \"PALO_ALTO_PRISMA_ACCESS\"\n }\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID\n- \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e: the name of your realm\n\n### Symantec Cloud SWG\n\nCreate a realm by doing the following. \n\n### gcloud\n\n1. If you haven't already done so, provide the Symantec API key to\n Secure Access Connect by doing the following:\n\n 1. In Symantec Cloud SWG,\n [create an API key](https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/cloudswg-api-reference/api-keys.html)\n and set **Access** to **Location Management**.\n\n 2. Store the API key in Secret Manager by doing the following:\n\n | **Note:** Secret Manager is a separate Google Cloud product that has its own [pricing](/secret-manager/pricing).\n 1. [Create a secret](/secret-manager/docs/creating-and-accessing-secrets)\n in the same project that you want to create the realm in.\n\n 2. [Add a secret version](/secret-manager/docs/add-secret-version)\n that contains the API key. There must not be any extra blank spaces\n in the contents of the secret. Use the following format:\n\n \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e:\u003cvar translate=\"no\"\u003ePASSWORD\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e: the username from the API key\n - \u003cvar translate=\"no\"\u003ePASSWORD\u003c/var\u003e: the password from the API key\n2. Create a realm by running the\n [`gcloud beta network-security secure-access-connect realms create` command](/sdk/gcloud/reference/beta/network-security/secure-access-connect/realms/create):\n\n gcloud beta network-security secure-access-connect realms create \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e \\\n --security-service=symantec-cloud-swg \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --symantec-secret=\u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e: a name for your realm\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: [your project ID](/resource-manager/docs/creating-managing-projects#identifying_projects)\n - \u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e: the ID of the secret that contains the API key\n3. Grant the network security service account access to the API key by\n running the\n [`gcloud secrets add-iam-policy-binding` command](/sdk/gcloud/reference/secrets/add-iam-policy-binding):\n\n gcloud secrets add-iam-policy-binding \u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e@gcp-sa-networksecurity.iam.gserviceaccount.com \\\n --role roles/secretmanager.secretAccessor\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e: the ID of the secret that contains the API key\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e: [your project number](/resource-manager/docs/creating-managing-projects#identifying_projects)\n\n### API\n\nUse the [`projects.locations.sacRealms.create` method](/secure-access-connect/docs/reference/network-security/rest/v1beta1/projects.locations.sacRealms/create). \n\n POST https://networksecurity.googleapis.com/v1beta1/projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/global/sacRealms\n {\n \"name\": \"\u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e\",\n \"securityService\": \"SYMANTEC_CLOUD_SWG\",\n \"symantecOptions\": {\n \"secretPath\": \"\u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e\"\n }\n }\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: [your project ID](/resource-manager/docs/creating-managing-projects#identifying_projects)\n- \u003cvar translate=\"no\"\u003eREALM_ID\u003c/var\u003e: a name for your realm\n- \u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e: the ID of the secret that contains the API key\n\nWhat's next\n-----------\n\n- [Configure an NCC Gateway](/network-connectivity/docs/network-connectivity-center/how-to/ncc-gateway/setup-overview)\n- [Create Secure Access Connect attachments](/secure-access-connect/docs/create-attachments)"]]
