Create attachments

This document explains how to create Secure Access Connect attachments. A Secure Access Connect attachment enables NCC Gateway to process traffic with an SSE product.

Before you begin

Before you begin, do the following:

Required roles

To get the permissions that you need to create attachments, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a Secure Access Connect attachment

Create a Secure Access Connect attachment by following the instructions that correspond with your SSE provider.

Palo Alto Networks Prisma Access

gcloud

Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:

  gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
      --project=PROJECT_ID \
      --location=REGION \
      --realm=REALM_ID \
      --gateway=NCC_GATEWAY_SPOKE_ID

Replace the following:

ATTACHMENT_ID: the name for the attachment
PROJECT_ID: your project ID
REGION: the region for the attachment
REALM_ID: the ID of your realm
NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke

API

To create an attachment in a given project and location, use the projects.locations.sacAttachments.create method.

POST https://networksecurity.googleapis.com/v1beta1/{parent=project/PROJECT_ID/locations/REGION}/sacAttachments
{
  "sacRealm": "REALM_ID",
  "nccGateway": "NCC_GATEWAY_SPOKE_ID"
}

Replace the following:

PROJECT_ID: your project ID
REGION: the region for the attachment
REALM_ID: the ID of your realm
NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke

Symantec Cloud SWG

gcloud

Create an attachment by doing the following:

Identify the Symantec site that you want to connect your attachment to by running the gcloud beta network-security secure-access-connect realms describe command:

  gcloud beta network-security secure-access-connect realms describe REALM_ID \
      --project=PROJECT_ID

Replace the following:

REALM_ID: the name of your realm
PROJECT_ID: your project ID

The output is similar to the following:

name: projects/project-id/locations/global/sacRealms/realm-id
createTime: '...'
updateTime: '...'
securityService: SYMANTEC_CLOUD_SWG
state: PARTNER_ATTACHED
symantecOptions:
  availableSymantecSites:
               SYMANTEC_SITE_1
               SYMANTEC_SITE_2
  secretPath:SECRET_PATH
 symantecConnectionState: SUCCEEDED

The availableSymantecSites field contains the Symantec Cloud SWG sites that are available for you to connect to.

Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:
```
  gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
      --project=PROJECT_ID \
      --location=REGION \
      --realm=REALM_ID \
      --gateway=NCC_GATEWAY_SPOKE_ID \
      --symantec-site=SYMANTEC_SITE \
      --symantec-location-name=SYMANTEC_LOCATION_NAME
      --country=COUNTRY \
      --timezone=TIMEZONE
```
Replace the following:
- ATTACHMENT_ID: the name for the attachment
- PROJECT_ID: your project ID
- REALM_ID: the ID of your realm
- NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke
- SYMANTEC_SITE: the Symantec site that you want to connect the attachment to
  
  Must be one of the availableSymantecSites from the previous step.
- SYMANTEC_LOCATION_NAME: the name to give to the Symantec location
  
  For more information about naming requirements, see the Location schema in the Symantec Location Management API documentation.
- COUNTRY: an optional country code in the ISO 3166 alpha-2 country code format
- TIMEZONE: an optional timezone in the IANA timezone format

API

To create an attachment in a given project and location, use the projects.locations.sacAttachments.create method.

POST https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/REGION/sacAttachments
{
  "name": "ATTACHMENT_ID",
  "sacRealm": "REALM_ID",
  "nccGateway": "NCC_GATEWAY_SPOKE_ID",
  "country": "COUNTRY",
  "timeZone": "TIMEZONE",
  "symantecOptions": {
    "symantecLocationName": "SYMANTEC_LOCATION_NAME",
    "symantecSite": "SYMANTEC_SITE"
  }
}

Replace the following:

PROJECT_ID: your project ID
REGION: the region for the attachment
ATTACHMENT_ID: the name for the attachment
REALM_ID: the ID of your realm
NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke
COUNTRY: an optional country code in the ISO 3166 alpha-2 country code format
TIMEZONE: an optional timezone in the IANA timezone format
SYMANTEC_SITE: the Symantec site that you want to connect the attachment to

Must be one of the availableSymantecSites from the previous step.
SYMANTEC_LOCATION_NAME: the name to give to the Symantec location

For more information about naming requirements, see the Location schema in the Symantec Location Management API documentation.

What's next

Add hybrid connections to NCC Gateway

Create attachments Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Required roles

Create a Secure Access Connect attachment

Palo Alto Networks Prisma Access

gcloud

API

Symantec Cloud SWG

gcloud

API

What's next

Create attachments