This document explains how to create Secure Access Connect attachments. A Secure Access Connect attachment enables NCC Gateway to process traffic with an SSE product.
Before you begin
Before you begin, do the following:
Required roles
To get the permissions that you need to create attachments, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a Secure Access Connect attachment
Create a realm by following the instructions that correspond with your SSE provider.
Palo Alto Networks Prisma Access
Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:
gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
--project=PROJECT_ID \
--location=REGION \
--realm=REALM_ID \
--gateway=NCC_GATEWAY_SPOKE_ID
Replace the following:
ATTACHMENT_ID: the name for the attachment
PROJECT_ID: your project ID
REALM_ID: the ID of your realm
NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke
Symantec Cloud SWG
Create an attachment by doing the following:
Identify the Symantec site that you want to connect your attachment to by running the gcloud beta network-security secure-access-connect realms describe command:
gcloud beta network-security secure-access-connect realms describe REALM_ID \
--project=PROJECT_ID
Replace the following:
REALM_ID: the name of your realm
PROJECT_ID: your project ID
The output is similar to the following:
name: projects/project-id/locations/global/sacRealms/realm-id
createTime: '...'
updateTime: '...'
securityService: SYMANTEC_CLOUD_SWG
state: PARTNER_ATTACHED
symantecOptions:
  availableSymantecSites:
  - SYMANTEC_SITE_1
  - SYMANTEC_SITE_2
  secretPath: SECRET_PATH
  symantecConnectionState: SUCCEEDED
The availableSymantecSites field contains the Symantec Cloud SWG sites that are available for you to connect to.
Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:
gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
--project=PROJECT_ID \
--location=REGION \
--realm=REALM_ID \
--gateway=NCC_GATEWAY_SPOKE_ID \
--symantec-site=SYMANTEC_SITE \
--symantec-location-name=SYMANTEC_LOCATION_NAME \
--country=COUNTRY \
--timezone=TIMEZONE
Replace the following:
ATTACHMENT_ID: the name for the attachment
PROJECT_ID: your project ID
REALM_ID: the ID of your realm
NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke
SYMANTEC_SITE: the Symantec site that you want to connect the attachment to. Must be one of the availableSymantecSites from the previous step.
SYMANTEC_LOCATION_NAME: the name to give to the Symantec location. For more information about naming requirements, see the Location schema in the Symantec Location Management API documentation.
COUNTRY: an optional country code in the ISO 3166 alpha-2 country code format
TIMEZONE: an optional timezone in the IANA timezone format
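The requirement that SYMANTEC_SITE be one of the realm's availableSymantecSites can be checked before the create call runs. The following shell functions are an added example, not part of the original documentation: the function names and the sample describe output are assumptions constructed for illustration, and only gcloud flags shown on this page are used.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Function names are assumptions.

# Print each availableSymantecSites entry from `realms describe` YAML on stdin.
list_available_sites() {
  awk '
    /^[ \t]*availableSymantecSites:/ { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]/ { sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next }
    in_list { in_list = 0 }   # first non-item line ends the list
  '
}

# Succeed only if site $1 exactly matches an entry in the YAML on stdin.
site_is_available() {
  [ -n "$1" ] || return 1
  list_available_sites | grep -Fxq -- "$1"
}

# COUNTRY is optional. Shape check only (two uppercase letters), not ISO membership.
country_has_alpha2_shape() {
  case "$1" in
    "" | [[:upper:]][[:upper:]]) return 0 ;;
    *) return 1 ;;
  esac
}

# Describe the realm, reject a site it does not list, then create. Arguments:
# ATTACHMENT_ID PROJECT_ID REGION REALM_ID NCC_GATEWAY_SPOKE_ID SYMANTEC_SITE
# SYMANTEC_LOCATION_NAME [COUNTRY]
create_symantec_attachment() {
  local described
  country_has_alpha2_shape "${8:-}" || { echo "bad COUNTRY: $8" >&2; return 1; }
  described=$(gcloud beta network-security secure-access-connect realms describe \
    "$4" --project="$2") || return 1
  printf '%s\n' "$described" | site_is_available "$6" ||
    { echo "site '$6' not in availableSymantecSites of realm '$4'" >&2; return 1; }
  gcloud beta network-security secure-access-connect attachments create "$1" \
    --project="$2" --location="$3" --realm="$4" --gateway="$5" \
    --symantec-site="$6" --symantec-location-name="$7" ${8:+"--country=$8"}
}

# Constructed sample, modeled on the describe output shown on this page.
SAMPLE_DESCRIBE_OUTPUT='symantecOptions:
  availableSymantecSites:
  - SYMANTEC_SITE_1
  - SYMANTEC_SITE_2
  secretPath: SECRET_PATH'

printf '%s\n' "$SAMPLE_DESCRIBE_OUTPUT" | site_is_available SYMANTEC_SITE_2 && echo "site ok"
```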