Create attachments

This document explains how to create Secure Access Connect attachments. A Secure Access Connect attachment enables NCC Gateway to process traffic with an SSE product.

Before you begin

Before you begin, do the following:

Required roles

To get the permissions that you need to create attachments, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a Secure Access Connect attachment

Create a realm by following the instructions that correspond with your SSE provider.

Palo Alto Networks Prisma Access

Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:

  gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
      --project=PROJECT_ID \
      --location=REGION \
      --realm=REALM_ID \
      --gateway=NCC_GATEWAY_SPOKE_ID

Replace the following:

  • ATTACHMENT_ID: the name for the attachment
  • PROJECT_ID: your project ID
  • REALM_ID: the ID of your realm
  • NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke

Symantec Cloud SWG

Create an attachment by doing the following:

  1. Identify the Symantec site that you want to connect your attachment to by running the gcloud beta network-security secure-access-connect realms describe command:

      gcloud beta network-security secure-access-connect realms describe REALM_ID \
          --project=PROJECT_ID
    

    Replace the following:

    • REALM_ID: the name of your realm
    • PROJECT_ID: your project ID

    The output is similar to the following:

    name: projects/project-id/locations/global/sacRealms/realm-id
    createTime: '...'
    updateTime: '...'
    securityService: SYMANTEC_CLOUD_SWG
    state: PARTNER_ATTACHED
    symantecOptions:
      availableSymantecSites:
      - SYMANTEC_SITE_1
      - SYMANTEC_SITE_2
      secretPath: SECRET_PATH
      symantecConnectionState: SUCCEEDED
    

    The availableSymantecSites field contains the Symantec Cloud SWG sites that are available for you to connect to.

  2. Create an attachment by running the gcloud beta network-security secure-access-connect attachments create command:

      gcloud beta network-security secure-access-connect attachments create ATTACHMENT_ID \
          --project=PROJECT_ID \
          --location=REGION \
          --realm=REALM_ID \
          --gateway=NCC_GATEWAY_SPOKE_ID \
          --symantec-site=SYMANTEC_SITE \
          --symantec-location-name=SYMANTEC_LOCATION_NAME \
          --country=COUNTRY \
          --timezone=TIMEZONE
    

    Replace the following:

    • ATTACHMENT_ID: the name for the attachment
    • PROJECT_ID: your project ID
    • REALM_ID: the ID of your realm
    • NCC_GATEWAY_SPOKE_ID: the ID of your NCC Gateway spoke
    • SYMANTEC_SITE: the Symantec site that you want to connect the attachment to

      Must be one of the availableSymantecSites from the previous step.

    • SYMANTEC_LOCATION_NAME: the name to give to the Symantec location

      For more information about naming requirements, see the Location schema in the Symantec Location Management API documentation.

    • COUNTRY: an optional country code in the ISO 3166 alpha-2 country code format

    • TIMEZONE: an optional timezone in the IANA timezone format
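The two Symantec Cloud SWG steps above can be combined so that the create command runs only when the chosen site is one the realm actually offers. The following is an added example, not part of the original page or of Google's tooling. The function names and the sample YAML are constructed for illustration, and the parser assumes that gcloud prints availableSymantecSites as YAML list items.

```shell
# Added example: pre-flight checks for the Symantec Cloud SWG steps (POSIX sh).
# Constructed sample of `realms describe` output, used only for offline runs.
SAMPLE_DESCRIBE='securityService: SYMANTEC_CLOUD_SWG
symantecOptions:
  availableSymantecSites:
  - SYMANTEC_SITE_1
  - SYMANTEC_SITE_2
  secretPath: SECRET_PATH'

# Print one site per line from describe YAML read on stdin.
# Assumption: sites appear as "- SITE" items directly under the key.
available_sites() {
  awk '
    /^[ \t]*availableSymantecSites:/ { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]+/ {
      sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; next
    }
    { in_list = 0 }'
}

# Succeed only if site $1 is an exact entry in describe output $2.
site_is_available() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$2" | available_sites | grep -Fxq -- "$1"
}

# COUNTRY is optional; if set, require the two-letter alpha-2 shape.
country_is_valid() {
  [ -z "$1" ] || printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z]{2}$'
}

# Args: ATTACHMENT PROJECT REGION REALM GATEWAY SITE LOCATION [COUNTRY] [TZ]
create_symantec_attachment() {
  realm=$4 site=$6 country=${8:-} tz=${9:-}
  desc=$(gcloud beta network-security secure-access-connect \
    realms describe "$realm" --project="$2") || return 1
  site_is_available "$site" "$desc" ||
    { echo "site '$site' is not offered by realm '$realm'" >&2; return 2; }
  country_is_valid "$country" ||
    { echo "country '$country' is not an alpha-2 code" >&2; return 3; }
  set -- "$1" --project="$2" --location="$3" --realm="$realm" \
    --gateway="$5" --symantec-site="$site" --symantec-location-name="$7"
  if [ -n "$country" ]; then set -- "$@" --country="$country"; fi
  if [ -n "$tz" ]; then set -- "$@" --timezone="$tz"; fi
  gcloud beta network-security secure-access-connect attachments create "$@"
}

# Offline demonstration against the constructed sample (no gcloud call).
site_is_available SYMANTEC_SITE_2 "$SAMPLE_DESCRIBE" && echo "site available"
```

The country check validates only the shape of the code, not whether it is an assigned ISO 3166 value.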

What's next