For Unified Access Gateway deployment to Google Cloud Platform, a Google Cloud project must be used, and this project must be configured with VPC networks, the corresponding subnets, and firewall rules.

Prerequisites

  • Ensure that you are familiar with Google Cloud Platform concepts.
  • Ensure that you have the necessary permissions to create or modify resources such as images, VPC network, subnet, firewall rules, and so on, in the Google Cloud project.
  • Compute Engine API must be enabled.

Procedure

  1. Use a Google Cloud project.

     Option            Action
     New project       1. In the Google Cloud Console, navigate to the Project Selector page.
                       2. Create a Google Cloud project.
     Existing project  If a project is already available and active, you can use the existing project.
  2. Create a Virtual Private Cloud (VPC) network for each NIC.

    Each NIC on the Unified Access Gateway uses a unique VPC network and a subnet within that network.

    If you choose not to create a VPC network, only a single-NIC Unified Access Gateway can be deployed. In that case, the Unified Access Gateway appliance deployed in Compute Engine uses the default VPC network available in Google Cloud Platform.

    For example, in the following image, two VPC networks, uag-front-vpc and uag-back-vpc, are created in the Google Cloud Console. These VPC networks have uag-front-network and uag-back-network as subnets respectively. A two-NIC Unified Access Gateway appliance can then be deployed with uag-front-network as the front-end, Internet-facing subnet and uag-back-network as the separate subnet for back-end connections.

    Two VPC networks, uag-back-vpc and uag-front-vpc, are created in the Google Cloud Console. These VPC networks have uag-back-network and uag-front-network as subnets respectively.
    Note: You can also configure Unified Access Gateway with shared VPC networks. In such a case, Unified Access Gateway instances deployed on the service project are attached to the shared VPC networks created and managed on the host project. Each network interface (NIC) on Unified Access Gateway can be configured independently to use either a shared VPC network or a local VPC network. For more information, see Configuring Shared VPC in the Google Cloud documentation.
  3. Make a note of the subnet name created.
    The subnet name within a VPC network is used in the .ini file while deploying Unified Access Gateway by using PowerShell.
  4. To allow TCP and UDP port access to Unified Access Gateway appliances in the Internet-accessible VPC, create the required firewall rules.
    Important: SSH remote access to Unified Access Gateway on TCP port 22 from the Internet must be carefully restricted on the firewall. If SSH access is needed, the firewall rule must allow this access from a specific source IP address only or from a jump box virtual machine in the cloud from which access can be controlled.
    For example, in the following Google Cloud Console image, a firewall rule named uag-horizon-protocols is created in the Internet-facing VPC network uag-front-vpc. This firewall rule applies to all instances connected to the uag-front-vpc network and allows inbound TCP and UDP traffic on the specified ports from the public Internet.

    Google Cloud Console shows a firewall entry for Horizon Edge Service, where TCP and UDP ports are configured.
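The same networking setup expressed with the gcloud CLI, as an added example that is not part of the original documentation: it creates the two VPC networks and subnets from step 2 and the Internet-facing firewall rules from step 4, and refuses any rule that would open TCP port 22 to the whole Internet. The VPC, subnet and rule names follow the page; the project id, region, subnet CIDRs, the Horizon port list and the admin source range are assumptions.

```shell
#!/bin/sh
# Added example (not from the original documentation). Names follow the page;
# UAG_PROJECT, REGION, the CIDRs, the port list and ADMIN_CIDR are assumptions.
set -eu

UAG_PROJECT="${UAG_PROJECT:-my-uag-project}"   # placeholder project id
REGION="${REGION:-us-central1}"                # assumed region
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"    # assumed jump box / admin source
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print gcloud commands, 0 = run them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 2: one custom-mode VPC network and one regional subnet per NIC.
create_vpc_with_subnet() {
  vpc="$1"; subnet="$2"; cidr="$3"
  run gcloud compute networks create "$vpc" --project="$UAG_PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$subnet" --project="$UAG_PROJECT" \
      --network="$vpc" --region="$REGION" --range="$cidr"
}

# Guard for the "Important" note in step 4: a rule that allows tcp:22 (or all
# TCP) must not use 0.0.0.0/0 as its source. Only exact "tcp" / "tcp:22" forms
# are checked; port ranges are not parsed. Returns 0 if acceptable, 1 if not.
ssh_rule_is_restricted() {
  allow="$1"; source="$2"
  case ",$allow," in
    *,tcp:22,*|*,tcp,*) [ "$source" != "0.0.0.0/0" ] ;;
    *) return 0 ;;
  esac
}

# Step 4: create an ingress allow rule on a VPC network, after the SSH guard.
create_ingress_rule() {
  name="$1"; vpc="$2"; allow="$3"; source="$4"
  ssh_rule_is_restricted "$allow" "$source" || {
    echo "refusing $name: SSH would be open to the Internet" >&2; return 1; }
  run gcloud compute firewall-rules create "$name" --project="$UAG_PROJECT" \
      --network="$vpc" --direction=INGRESS --allow="$allow" --source-ranges="$source"
}

# Front-end and back-end networks, then the Internet-facing rules:
# Horizon ports (assumed list) from anywhere, SSH from ADMIN_CIDR only.
create_vpc_with_subnet uag-front-vpc uag-front-network 10.10.0.0/24
create_vpc_with_subnet uag-back-vpc  uag-back-network  10.20.0.0/24
create_ingress_rule uag-horizon-protocols uag-front-vpc \
    tcp:443,tcp:8443,udp:8443,tcp:4172,udp:4172 0.0.0.0/0
create_ingress_rule uag-admin-ssh uag-front-vpc tcp:22 "$ADMIN_CIDR"
```

Run with DRY_RUN=0 once the printed commands look right; the subnet names printed here are the ones to record in the PowerShell .ini file in step 3.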