This document explains how to create a Secure Access Connect realm. A Secure Access Connect realm establishes a connection between your Google Cloud project and an SSE service.
Before you begin
Before you begin, do the following:
Set up one of the following SSE partner services:
Required roles
To get the permissions that
you need to create realms,
ask your administrator to grant you the
Compute Network Admin (roles/compute.networkAdmin)
IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a Secure Access Connect realm
Create a Secure Access Connect realm by following the instructions that correspond with your SSE provider.
Palo Alto Networks Prisma Access
Create a realm by doing the following.
gcloud
Create a realm by running the
gcloud beta network-security secure-access-connect realms createcommand:gcloud beta network-security secure-access-connect realms create REALM_ID \ --security-service=prisma-accessReplace
REALM_IDwith a name for your realm.Identify the pairing key for the realm by running the
gcloud beta network-security secure-access-connect realms describecommand:gcloud beta network-security secure-access-connect realms describe REALM_ID \ --project=PROJECT_IDReplace the following:
REALM_ID: the name of your realmPROJECT_ID: your project ID
The output is similar to the following:
createTime: '...' name: ... pairingKey: expireTime: '...' key: 12345678-0000-4321-1234-abcdefghijkl securityService: PALO_ALTO_PRISMA_ACCESS state: UNATTACHED updateTime: '...'The
keyfield contains the pairing key.Use the pairing key to set up a Managed Cloud WAN in Prisma Access.
API
Use the projects.locations.sacRealms.create method.
POST https://networksecurity.googleapis.com/v1beta1/project/PROJECT_ID/locations/global/sacRealms
{
"name": "REALM_ID",
"securityService": "PALO_ALTO_PRISMA_ACCESS"
}
Replace the following:
PROJECT_ID: your project IDREALM_ID: the name of your realm
Symantec Cloud SWG
Create a realm by doing the following.
gcloud
If you haven't already done so, provide the Symantec API key to Secure Access Connect by doing the following:
In Symantec Cloud SWG, create an API key and set Access to Location Management.
Store the API key in Secret Manager by doing the following:
Create a secret in the same project that you want to create the realm in.
Add a secret version that contains the API key. There must not be any extra blank spaces in the contents of the secret. Use the following format:
USERNAME:PASSWORDReplace the following:
USERNAME: the username from the API keyPASSWORD: the password from the API key
Create a realm by running the
gcloud beta network-security secure-access-connect realms createcommand:gcloud beta network-security secure-access-connect realms create REALM_ID \ --security-service=symantec-cloud-swg \ --project=PROJECT_ID \ --symantec-secret=SECRET_IDReplace the following:
REALM_ID: a name for your realmPROJECT_ID: your project IDSECRET_ID: the ID of the secret that contains the API key
Grant the network security service account access to the API key by running the
gcloud secrets add-iam-policy-bindingcommand:gcloud secrets add-iam-policy-binding SECRET_ID \ --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com \ --role roles/secretmanager.secretAccessorReplace the following:
SECRET_ID: the ID of the secret that contains the API keyPROJECT_NUMBER: your project number
API
Use the projects.locations.sacRealms.create method.
POST https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/sacRealms
{
"name": "REALM_ID",
"securityService": "SYMANTEC_CLOUD_SWG",
"symantecOptions": {
"secretPath": "SECRET_ID"
}
}
Replace the following:
PROJECT_ID: your project IDREALM_ID: a name for your realmSECRET_ID: the ID of the secret that contains the API key